Evan Schuman's StorefrontBacktalk

When Visa on Monday released its latest PCI compliance statistics, it showed small but steady progress, with slight increases in most areas. But it also showed that there is still a small handful of major retailers who are still retaining prohibited credit card information.

Visa stressed in its statement that the vast majority (96 percent) of Level 1 and Level 2 merchants?a category including virtually all of the nation’s largest retailers?have written to Visa that “they are not storing sensitive account data” including credit card security codes and PINs.

But given that Visa has said that there are 1,057 retailers in that group (327 Level 1 U.S. retailers and 730 Level 2 retailers), that four percent suggests that about 42 major retail chains aren’t even claiming that they’ve stopped retaining that data. Visa estimates that the 96 percent relates roughly equally to both groups, suggesting about 13 retailers in the Level 1 group (with the very largest retailers) and about 29 in the Level 2 group.

Gartner security analyst Avivah Litan expressed particular concern about the Level 1 retailers who are still retaining the prohibited data. “Even if it’s just 13, that’s way too many,” Litan said, adding that if 13 are saying that they still retain the prohibited data, the actual number of retailers who are doing so is likely much higher.

Of all of the PCI security areas (including encryption, wireless detection methods, not retaining old transaction data, etc.), Litan argues that Visa considers retention of prohibited data to be the most serious. “That?s the data the banks really care about,” Litan said. “If the crook steals the data from the (magnetic) stripe, they can make a perfect card.”

Litan said that when she met with Visa officials in October 2006, they reported that only three retailers were then saying they were still storing the data, which is less than one-third the number apparently reporting that today.

?We know that merchants that store full magnetic-stripe data expose themselves to risk exponentially,? said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA, in the Visa statement. ?By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure.?

Why are some major retailers still holding onto this information, which likely is of little to no marketing or analytical value to them? “In the merchants’ defense, it’s very costly to change their systems,” Litan said. “For a Level 1 retailer with 500?and sometimes 10,000?store locations, it’s not that simple to change POS systems.”

Eduardo Perez, VP, payment systems risk, VISA USA, agreed that cost can be a key factor. “It can reqire notable resources to change or upgrade payment applications,” Perez said. “It can pose some notable challenges.”

But he saw the usage of some non-compliant payment applications as a much bigger culprit, which is why Visa has distributed names of those ISVs to key retailers. Visa has refused to identify those ISVs because they fear that doing so might help cyber thieves zero in on those customers.

“It’s the payment application that is causing the merchant to store track data,” Perez said.

There’s also the distinct possibility the numbers might be far worse. The Visa statement suggested that the percents referenced came from retailer declarations to Visa, as opposed to audit results. If that’s the case, the question isn’t actually getting at whether the retailer stores the prohibited as much as whether the person filling out the form believes the data is being retained.

The complicated enterprise networks today allows many copies of these numbers to be scattered in various departments: store operations, marketing, IT, accounting, etc.. This raises the question of whether copies of the prohibited data aren’t floating around somewhere, well beyond the knowledge of the IT manager filling out the form.

“How do they know they?re not? If you were to ask me ‘Are your doors locked?’, I’d say ‘Of course they are.’ That is, until I find one that isn’t,” said Mark Rasch, a legal security consultant with FTI Consulting and the former head of the U.S. Justice Department’s high-tech crimes unit. “This is the equivalent of going out to the top 100 companies and asking, ‘Are you violating any securities laws?'”

This is on top of a series of concerns that some retailers have expressed with the PCI program, including inconsistent enforcement and conflicts of interest.

Visa also released on Monday the latest compliance numbers for its Payment Card Industry Data Security Standard (PCI DSS), which showed slow but steady improvements in all areas. These results are based on audited results.

Level 1 includes any merchant processing more than 6 million Visa transactions per year, regardless of volume or acceptance channel. Level 2 includes any merchant that processes 1 million to 6 million Visa transactions per year, regardless of acceptance channel. Level 3 are retailers that process 20,000 to 1 million Visa e-commerce transactions per year and Level 4 includes any merchant processing fewer than 20,000 Visa e-commerce transactions per year as well as all other merchants processing as many as 1 million Visa transactions per year.

The figures for July showed that 40 percent of Level 1 retailers were compliant, that’s up from the 35 percent compliance rate for that group that Visa reported in May 2007. In May 2006, the compliance rate for that group was 18 percent.

The new July 2007 figures for Level 1 retailers showed that an additional 50 percent have pledged to repair security holes, a process known as filing a Report On Compliance (ROC). Back in May, Visa reported that 51 percent had been involved in the ROC stage, a slight one percent increase that is more than made up for by the increase in actually compliant Level 1 retailers. That July figure leaves 10 percent that are neither compliant nor pledging to be compliant, a sharp drop from the 14 percent Visa reported in May.

With the somewhat smaller Level 2 retailers, the July figures showed a 33 percent compliance rate?up from 26 percent in May?and the smaller Level 3 retailers showed 52 percent compliance, just slightly up from the 51 percent that Visa reported for that group in May.

Visa didn’t release any figures for its Level 4 retailers, but Visa’s Perez said, “We know that compliance is low.” Visa is expecting to have more specific numbers for that group soon.

Level 4 may represent the smallest retailers in the country, but it has strength in numbers, representing more than 6 million retailers, Perez said. Although those retailers represent only about a third of all of the Visa transactions, they account for some 80 percent of all data breaches. Still, despite all of those data breaches, fewer than five percent of all compromised cards came from Level 4 merchants, Perez said.

Rasch saw the increase in PCI compliance for Levels 1, 2 and 3 as a hopeful sign that “the standards are getting more mature and companies are getting more sensitive to it. The question is whether this will translate to an actual dip in retail fraud.”

Gartner’s Litan pointed out that Visa is the only credit card player that releases any security compliance figures. “You can’t get anything out of Amex, Discover or MasterCard,” she said.

Visa’s Perez used the numbers to make a pitch for contactless payment cards, which rotate CVV numbers as part of their security protocol. “With contactless, the CVV number on the next transaction would be different,” he said. “Contactless is one way to render the data useless.”