The Latest PCI Compliance Stats Disappointing For Level 3s

Written by Walt Conway and Evan Schuman
April 14th, 2010

The latest PCI compliance stats—released by Visa this month—are a mixed bag, with Level 1s plateauing at about 15 major chains still non-compliant. But at the small and midsize merchant level, the numbers are so unimpressive that Visa has given up specifying the numbers. Not a good sign.

We now have three years of data to examine—2007 through 2009—so, to the extent that Visa has used the same categories during that time, we can add a bit of context to this information.

Small merchant compliance is a big deal because they account for roughly one-third of all Visa card transactions. But about the best Visa can report for this segment right now is that its rate of compliance is “moderate.”

Compliance for Level 3 merchants—primarily E-tailers with between 20,000 and 1 million Visa transactions annually—is stagnant at a very low level. Visa reported that this group of roughly 2,500 merchants was 54 percent compliant at the end of 2007. Fair enough. There are more Level 3 merchants; they are not always big enough to show up on acquirers’ radar; and Visa’s Compliance Acceleration Program (CAP) focused on their larger L1 and L2 brethren. Sadly, the data for 2008 showed almost no movement by L3 merchants, and now Visa has stopped showing their numbers altogether. It says only that compliance in this segment is “moderate.”

We have no idea what “moderate” means. Is it more than or less than 50 percent or 70 percent or any percent? What we do know is that Visa did not use words like “high” or even “really good,” which it could have. We’re wondering if this new language (which first appeared, we believe, in the September 2009 Visa report) is a tacit admission that there hasn’t been much progress. Maybe it’s just too hard to track. In the absence of any kind of numbers since 2008, we have to rate L3 compliance as an industry Fail.

The PCI compliance situation for the smaller merchant universe—the millions of Level 4 merchants—is even murkier. Visa didn’t even attempt to track compliance for these merchants who, by the way, account for roughly one-third of all Visa transactions annually.

There is no data for 2007 or 2008 and, as of 2009, Visa says only that compliance in this segment is—wait for it—“moderate.” Except this time we get a footnote stating “Level 4 compliance is moderate among standalone terminal merchants, but lower among merchants using integrated payment applications.” So now we have “moderate” and “lower than moderate.” Perhaps “lower than moderate” is somewhere below “moderate” and slightly above “let’s not go there.” We can only grade this result as another Fail.

As for the major retailers, Visa classifies merchants having more than 6 million Visa transactions a year as Level 1. These retailers account for half of all Visa transactions annually. At the end of 2007, only 77 percent of L1 merchants were PCI compliant. Two years later, the rate shot up to 96 percent while the number of merchants actually increased slightly (from 326 to 360).

We’d love to know which are the 15 or so L1 merchants that are not compliant.


4 Comments

  1. cestmoi Says:

    Why would companies be jumping to get PCI compliance if it is not mandated by law? Especially when they can hold off as long as possible and then get compliance without wasting each year’s audit fee since 2007 (per the article’s start date)… so companies who got on board back in 2004 got screwed by paying yearly fees since then.

  2. Walt Conway Says:

    @cestmoi, Thanks for your comment, but I have to disagree with such a cynical view of PCI and the benefits of compliance. Companies should want to be compliant to protect their customers and their brand. If you are going to take payment cards then you have an obligation to be secure. Being PCI compliant and – more importantly – being secure is important to your business and your customers. Rather than being a waste, PCI compliance is a smart investment.

    I guess you could avoid compliance and try to fly under your acquirer’s radar, or you could lie on your SAQ. But you do not really benefit by such action. You increase your risk of an expensive data breach which is more expensive than being compliant and, hopefully, secure. In other words, if you think compliance is expensive, noncompliance can cost more.

  3. Cindy Valladares Says:

    PCI can unlock IT budgets, so it’s important to determine the cost of compliance. However, I’m with you, Walt, that the cost of non-compliance is way higher than that of compliance. Surveys show the average cost of a data breach being $6.6 million. With this info, it’s very easy to argue that compliance is not expensive.

    One of the reasons why a breach is so expensive is because breaches go undiscovered and uncontained for weeks or months. Imagine leaving the door to your home wide open, and not finding out what robbers stole for months! It could get very expensive. Close that breach-to-detection gap and you can control the damage to your organization much quicker.

  4. nick Says:

    PCI compliance is a money-making thing for scan companies, and Visa/MC are in bed with these companies. Getting scanned and submitting a report to the banks will not stop a hacker. If you still get hacked even though you have every safety element possible on your site, the banks will still fine the merchant. Period. Where are the banks saying that if you submit a PCI scan and self-assessment to them quarterly, then you are off the hook if you get hacked? They will still find a reason to fine the merchant. Why are merchants going to pay for scumbags’ crimes?
