This is page 2 of:
The Latest PCI Compliance Stats Disappointing For Level 3s
We’d love to know which are the 15 or so L1 merchants that are not compliant (4 percent of 360, for those of you who are not former math teachers), and the bad guys would like to know this information, too—that is, if they don’t already.
For analysis purposes, the lack of specifics makes meaningful conclusions impossible. It’s an accepted fact—especially with Visa—that there’s a huge difference between a retailer being truly compliant and being certified as compliant.
What’s the difference? The certified chain hasn’t been breached yet. Yes, the compliance certification is only good until it’s actually needed.
Quick quiz: How many PCI-certified retailers in the last few years did not quickly lose their compliance shortly after a breach? They had to. How else could Visa keep saying that no PCI-compliant merchant has ever been breached if it didn’t quickly cancel the certification after a breach?
Still, a rate of 96 percent PCI compliance is pretty good, so for L1 retailers we give the industry a Pass.
The story with other large merchants is similarly positive. These are the Level 2 merchants with between 1 million and 6 million Visa transactions annually. Here, PCI compliance increased even faster—rising from a dismal 62 percent at the end of 2007 to a whopping 94 percent by the end of 2009. Once again, 94 percent is an “A” in anybody’s book: hence, our Pass assessment. We have to credit Visa’s CAP in 2008 with stimulating compliance. This program offered a series of carrots and sticks aimed particularly at L1 and L2 merchants to encourage them to validate their PCI compliance. The results speak for themselves: L1 merchant compliance increased to 91 percent and L2 was at 87 percent by the end of 2008, each higher than the 2007 figures of 77 percent and 62 percent, respectively.
In the prohibited data realm, the numbers are somewhat better, but the conclusions are ambiguous. At the end of 2007, Visa reported that 99 percent of Level 1 and Level 2 merchants told Visa they did not store prohibited data. At the end of 2008, Visa reported the identical 99 percent for the same groups. At the end of 2009, the percentages for both Level 1 and Level 2 were bumped up to 100 percent.
First, everyone is going to raise their eyebrows at any report claiming 100 percent of anything. Second, Visa has introduced a subtle wording change. In the 2007 and 2008 reports (with 99 percent), it reported the retailers “confirmed that they do not store prohibited data.” In 2009, Visa said “validated not storing prohibited data.” Validated by whom? And how? In some cases, the retailer reported it directly; other times, confirmation came from an assessor.
If asked the question, “Are you still retaining stuff that you’re not allowed to retain?,” who’s going to reply, “Yep, we sure are.” (It’s like walking into an IRS audit and being asked, “Is there any significant source of revenue you’re not reporting?” and replying, “OK. You got me. Yep. May I go now?”)
But that scenario still assumes the person answering the compliance question even knows the answer.
April 15th, 2010 at 11:29 am
Why would companies be jumping to get PCI compliance if it is not mandated by law? Especially when they can hold off as long as possible and then get compliance without wasting each year’s audit fee since 2007 (per the article’s start date)… so companies who got on board back in 2004 got screwed by paying yearly fees since then.
April 16th, 2010 at 3:04 pm
@cestmoi, Thanks for your comment, but I have to disagree with such a cynical view of PCI and the benefits of compliance. Companies should want to be compliant to protect their customers and their brand. If you are going to take payment cards then you have an obligation to be secure. Being PCI compliant and – more importantly – being secure is important to your business and your customers. Rather than being a waste, PCI compliance is a smart investment.
I guess you could avoid compliance and try to fly under your acquirer’s radar, or you could lie on your SAQ. But you do not really benefit by such action. You increase your risk of an expensive data breach which is more expensive than being compliant and, hopefully, secure. In other words, if you think compliance is expensive, noncompliance can cost more.
April 20th, 2010 at 6:06 pm
PCI can unlock IT budgets, so it’s important to determine the cost of compliance. However, I’m with you, Walt, that the cost of non-compliance is way higher than that of compliance. Surveys show the average cost of a data breach being $6.6 million. With this info, it’s very easy to argue that compliance is not expensive.
One of the reasons why a breach is so expensive is because breaches go undiscovered and uncontained for weeks or months. Imagine leaving the door to your home wide open, and not finding out what robbers stole for months! It could get very expensive. Close that breach to detection gap and you can control the damages to your organization much quicker.
May 28th, 2010 at 4:21 pm
PCI compliance is a money-making thing for scan companies, and Visa/MC are in bed with these companies. Getting scanned and submitting a report to the banks will not stop a hacker. If you still get hacked even though you have every safety element possible on your site, the banks will still fine the merchant. Period. Where are the banks saying that if you submit a PCI scan and self-assessment to them quarterly, then you are off the hook if you get hacked? They will still find a reason to fine the merchant. Why are merchants going to pay for scumbags’ crimes?