Largest Retail PCI Compliance Now At 77 Percent

Written by Evan Schuman
January 22nd, 2008

Visa confirmed Tuesday that PCI compliance for the nation’s largest retailers (Level 1) hit 77 percent for the end of last year and that mid-sized merchants (Level 2s) also sharply increased in compliance, hitting 62 percent.

When Visa last reported Level 1 PCI compliance figures in late October 2007, that figure was 65 percent. The number has been steadily and rapidly increasing, with the December 2006 Level 1 PCI compliance, for example, at 36 percent.

The new figures also show a sharp improvement for mid-sized (Level 2) retailers, up from October’s 43 percent. Level 2 retailers process between one million and six million Visa transactions a year.

Visa also reported that the percentage of retailers in both groups who had promised that they were not retaining prohibited data hit 99 percent.

The figures were first revealed in a speech that Jennifer Fischer, a Visa PCI executive, gave to a Los Angeles PCI seminar audience last week. But the slides that Fischer used suggest that Visa helped those numbers look stronger by removing from the list some 38 Level 1 retailers that weren’t going to make their PCI deadlines and extending their deadlines to Sept. 30, 2008.

There are only 364 Level 1 retailers, which are merchants that process more than 6 million Visa transactions a year. Visa did the same thing for the 1,011 Level 2 retailers, only there it excluded 302 merchants, who were given until Dec. 31, 2008. Were it not for those exclusions, the compliance figures would both have been much lower and would have given a more accurate sense of how many of the nation’s largest retailers are truly compliant with data security requirements.

For the nation’s 2,596 Level 3 merchants—those whose E-Commerce transactions number from 20,000 to 1 million—the compliance level was only 54 percent.

The group that represents the largest percentage of all Visa transactions is the Level 1s, which are responsible for exactly half of all Visa transactions. But the second-largest group is the nation’s six million Level 4s, which process fewer than one million transactions a year and are responsible for almost one-third (32 percent) of all Visa transactions, the Visa documents said.

Unlike the other groups, the PCI compliance for Level 4s was not specified, but merely described as "low."

Steve Rowen, a security analyst with Retail Systems Research, said that these compliance stats should always be examined cynically. Even were it not for the eliminated retailers, his company’s own research certainly didn’t support the rosy picture painted by Visa.

"We find it difficult to believe that in a room of ten Level 1 retailers, when asked who is compliant, nearly 8 would stand up," he said. "But it’s not surprising to see these types of numbers put forth because, historically, these (Visa) statistics have been a bit inflated. For example, at the close of 2006, Visa stated that 67 percent of Level 1 retailers were compliant. We found that number to be 28 percent. Again, this year, their number of Level 1 retailers—cited by Visa as 77 percent—is in stark contrast to the 48 percent we unearthed in our most recent customer data security benchmark study."

Rowen also questioned the decision of Visa to selectively change the deadlines for certain retailers while requiring others to abide by the announced dates. That said, Rowen added, the move did show a degree of flexibility that made for a less hostile retailer-to-card brand environment.

The select deadline relaxations "took the teeth out of, well, it took some of the bite out of the dog, for sure. Ultimately, I think it was a bad decision, but at least there’s now less animosity," Rowen said. For some of the retailers who were given the extensions, it was a no-win compliance situation. Had the deadlines not been relaxed, those retailers would have likely made some quick purchases to avoid the fines and loss of favored credit card transaction rates. But the new purchases would likely not have been deployed properly, he said. In theory, he opined, giving them more time might make it more likely that they will make the proper security purchases and integrate those systems more wisely.

Fischer’s slides also painted a very insecure image of credit card data. The number of data "compromise events" in the U.S. "more than doubled" from 2006 to 2007. A different slide gave some meat to that claim, showing about 25 reported data breaches in 2003, increasing to about 125 in 2004 and about 250 in 2005.

That number of reported data breaches dropped in 2006 to about 220 but then sharply rose last year. The slide reported some 348 incidents for 2007, but then noted that it only included incidents reported "through August 2007," suggesting that the 2007 total could be sharply higher.

As with all crime reporting, it’s not clear whether the numbers reveal an increase in actual data breaches or merely an increase in the percentage of such incidents that are being reported or a combination of the two.

An ongoing security debate has been whether online or physical stores enjoy a higher security risk. For the last few years, the conventional wisdom has been that brick-and-mortars are still responsible for the vast majority of breaches, but online is where fraudulent and stolen cards are most likely to be used.

The new Visa figures challenge those assumptions, with "U.S. compromise events reported to Visa" showing an exactly even split between physical and Web stores in 2007, according to Fischer’s slides.


One Comment

  1. Steve Suther Says:

    Visa aside, it would be interesting to hear from the other major credit card issuers as to their breakdown of security breaches from traditional brick-and-mortars versus e-commerce websites. Given that their merchant bases are largely the same, shouldn’t their incident management statistics be so too? Either way, it’s good to hear that retailers are improving their compliance to the PCI data security standard, as losses from security breaches and the need to publicly disclose them seem to be on the rise. As more PCI compliance is achieved, let’s hope we see companies’ unified threat management programs get easier to manage.
