Large Retail PCI Compliance Improving, But 14 Percent Seem To Have Given Up

Written by Evan Schuman
May 10th, 2007

The latest stats Visa released on how many retailers are complying with PCI security rules suggest that many large retailers don't even seem to be trying anymore.

The latest batch of retail payment security compliance figures, released by Visa on Wednesday, supports quite a few different conclusions, ranging from "retailers are taking credit card security more seriously" to "many of those retailers have all but given up trying." That's the beauty of statistical analysis.

For example, the figures show that, among the largest retailers (processing more than six million transactions a year), the percentage that Visa has certified as PCI compliant has almost doubled, from 18 percent a year ago to 35 percent today.

Visa itself puts an even more favorable spin on the figures, with a statement from Visa attributed to Eduardo Perez, vice president, Payment System Risk, Visa USA, saying, "Among the top merchants, which account for over half of Visa's transaction volume, the majority are either fully compliant or working toward eliminating any deficiencies."

That's true, according to the figures, with that "majority" coming in at an impressive 86 percent. To be fair, though, that's mixing two very different kinds of criteria. To get the majority referenced, Perez needs to add the 35 percent of large retailers that a Visa-approved auditor has certified as compliant to an additional 51 percent who have merely filed a document with Visa promising that they're trying to get compliant.

That document, technically called a Report on Compliance (ROC), is simply the retailer saying, in effect, "Fear not. I'm trying to comply."

Indeed, the more intriguing figure is that some 14 percent of the nation's largest retailers apparently are both non-compliant and not even willing to promise Visa that they're trying. Heck, even the much-maligned TJX people filed a ROC pledging that they were trying to be better. Try as we might, Visa wouldn't release the names of the large retailers who make up that 14 percent.

To be fair, that 14 percent may have given up, or they may simply have neglected to file the form. But with retailers of that size, it seems unlikely that a PCI compliance filing with Visa would slip their minds.

That group of largest retailers falls into PCI's Level 1 merchant category. Beyond retailers processing more than six million transactions, that category also includes retailers of any size that have had some kind of credit/debit card data compromise. That's not so small a club anymore, so a growing share of Level 1 merchants aren't necessarily that huge.

When Visa started discussing compliance with Level 2 and Level 3 retailers, the numbers changed radically. Level 2 merchants, those who process between one million and six million transactions a year, came up as 26 percent PCI compliant. That's slightly lower than the 35 percent compliance of their Level 1 counterparts, but Visa didn't release the Level 2 (or the Level 3) compliance figures for a year ago, so we can't make that comparison.

But Level 2 merchants sharply diverged from their big brothers in the nebulous "we filed a form promising that we're still trying" category. Only 22 percent of Level 2 merchants have filed ROCs, which means that the majority (52 percent) are neither compliant nor promising to try. That's a lot of mid-sized retailers, processing millions of annual purchases, who don't seem to be taking credit card security that seriously.

Some might say that the huge chains can handle PCI, and that the mid-size compliance drop is because those retailers don't have the staff and resources to comply. That argument is undercut by the figures from the Level 3 retailers, which process anywhere from 20,000 to one million E-Commerce transactions a year.

The Level 3 retailers reported an impressive 51 percent actual PCI compliance (almost twice the percentage of the Level 2s and 46 percent better than the Level 1s). The Level 3s have an additional 16 percent filing ROC documents, giving them a total of 67 percent either compliant or promising to get compliant. Put another way, one out of three of the smaller E-Commerce retailers aren't even trying, at least on paper.

Visa didn’t release figures for its Level 4 group, which either processes fewer than 20,000 annual E-Commerce transactions or fewer than one million in-store transactions.

In other PCI compliance numbers released from Visa, processors with a direct connection to Visa were reported as 87 percent compliant, up from 79 percent a year ago. Compliance among agents was reported at 62 percent, up from 40 percent a year ago.

In the statement Visa attributed to Perez, the VP was quoted as saying that momentum was on their side. "Our observation is that there is significant momentum toward validating full PCI DSS (Payment Card Industry Data Security Standard) compliance. We recognize that validating compliance isn't an overnight process. No merchant wants to be in the news for having caused the latest data breach and that it is in the best interests of the merchants to comply," Perez said.

"We applaud those entities that are already making the necessary investments in security. But current compliance levels are simply not good enough, and that's why we are moving forward with new approaches to convince merchants to accelerate their efforts to comply with these important standards," Perez said. "Last December, Visa announced its PCI Compliance Acceleration program. Visa is planning to pay out more than $20 million in incentives to complying merchants this year. As part of the acceleration program, Visa's best interchange rates will only be available to merchants — through their acquiring financial institutions — if they validate PCI compliance by September 30, 2007. For the largest merchants, this annual savings could be as much as $10 million to $20 million."

Another figure that Visa released is that a lot more retailers are saying that they are no longer retaining the card verification value (CVV) numbers, the non-embossed numbers used to verify the card. Visa reported that some 93 percent of all Level 1 and Level 2 retailers "have certified that they are not storing that data." Said Perez: "The eradication of that sensitive data from systems doesn't equate to full PCI DSS compliance, but it represents an important step."

There’s no way any program as huge as this one is ever going to get 100 percent compliance, so 93 percent is probably about as perfect as could be realistically hoped for. Still, one has to wonder about the seven percent of Level 1 and Level 2 retailers who wouldn’t even say that they have stopped storing those forbidden numbers. When Level 1 and Level 2 are combined, even seven percent translates to an awful lot of stores.
