Visa: Retailers Doing Better With Credit Card Security, But A Few Holdouts Remain

Written by Evan Schuman
July 30th, 2007

When Visa on Monday released its latest PCI compliance statistics, it showed small but steady progress, with slight increases in most areas. But it also showed that a small handful of major retailers are still retaining prohibited credit card information.

Visa stressed in its statement that the vast majority (96 percent) of Level 1 and Level 2 merchants, a category including virtually all of the nation’s largest retailers, have written to Visa that “they are not storing sensitive account data” including credit card security codes and PINs.

But given that Visa has said that there are 1,057 retailers in that group (327 Level 1 U.S. retailers and 730 Level 2 retailers), that four percent suggests that about 42 major retail chains aren’t even claiming that they’ve stopped retaining that data. Visa estimates that the 96 percent relates roughly equally to both groups, suggesting about 13 retailers in the Level 1 group (with the very largest retailers) and about 29 in the Level 2 group.

Gartner security analyst Avivah Litan expressed particular concern about the Level 1 retailers who are still retaining the prohibited data. “Even if it’s just 13, that’s way too many,” Litan said, adding that if 13 are saying that they still retain the prohibited data, the actual number of retailers who are doing so is likely much higher.

Of all of the PCI security areas (including encryption, wireless detection methods, not retaining old transaction data, etc.), Litan argues that Visa considers retention of prohibited data to be the most serious. “That’s the data the banks really care about,” Litan said. “If the crook steals the data from the (magnetic) stripe, they can make a perfect card.”

Litan said that when she met with Visa officials in October 2006, they reported that only three retailers were then saying they were still storing the data, which is less than one-third the number apparently reporting that today.

“We know that merchants that store full magnetic-stripe data expose themselves to risk exponentially,” said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA, in the Visa statement. “By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure.”

Why are some major retailers still holding onto this information, which likely is of little to no marketing or analytical value to them? “In the merchants’ defense, it’s very costly to change their systems,” Litan said. “For a Level 1 retailer with 500 (and sometimes 10,000) store locations, it’s not that simple to change POS systems.”

Eduardo Perez, VP, payment systems risk, Visa USA, agreed that cost can be a key factor. “It can require notable resources to change or upgrade payment applications,” Perez said. “It can pose some notable challenges.”

But he saw the use of some non-compliant payment applications as a much bigger culprit, which is why Visa has distributed the names of those ISVs to key retailers. Visa has refused to identify those ISVs publicly because it fears that doing so might help cyber thieves zero in on those vendors’ customers.

“It’s the payment application that is causing the merchant to store track data,” Perez said.

There’s also the distinct possibility that the numbers are far worse. The Visa statement suggested that the percentages cited came from retailer declarations to Visa, as opposed to audit results. If that’s the case, the question isn’t actually getting at whether the retailer stores the prohibited data so much as whether the person filling out the form believes the data is being retained.

Today’s complicated enterprise networks allow many copies of these numbers to be scattered across various departments: store operations, marketing, IT, accounting, etc. This raises the question of whether copies of the prohibited data are floating around somewhere, well beyond the knowledge of the IT manager filling out the form.

“How do they know they’re not? If you were to ask me ‘Are your doors locked?’, I’d say ‘Of course they are.’ That is, until I find one that isn’t,” said Mark Rasch, a legal security consultant with FTI Consulting and the former head of the U.S. Justice Department’s high-tech crimes unit. “This is the equivalent of going out to the top 100 companies and asking, ‘Are you violating any securities laws?’”
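The self-declaration problem Rasch describes has a practical counterpart: a merchant can only answer “we don’t store track data” honestly if it has actually looked. The scanner below is an added example (not code from the article or from Visa) that checks text such as POS application logs for the ISO 7813 track 1 and track 2 layouts that a payment application leaves behind, uses a Luhn check to discard random digit runs, and reports only masked PANs. The sample log lines and card numbers are constructed test values.

```python
import re

# Constructed sample of POS application log lines. The card numbers are
# well-known Luhn-valid test numbers, not issued to anyone.
SAMPLE_LOG = """\
2007-07-30 10:01:12 INFO auth approved ref=000123 last4=1111
2007-07-30 10:02:45 DEBUG raw swipe: ;4111111111111111=09121015432112345678?
2007-07-30 10:03:07 DEBUG raw swipe: %B5555555555554444^DOE/JANE^1012101123456789?
2007-07-30 10:04:22 DEBUG raw swipe: ;1234567890123456=09121015432112345678?
2007-07-30 10:05:00 INFO settlement batch closed
"""

# Track 2 (ISO/IEC 7813): ;PAN=YYMM SVC discretionary?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1 (ISO/IEC 7813): %B PAN^NAME^YYMM SVC discretionary?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Scan text for stored track data; return (line_no, track, masked_pan) hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for track, rx in ((2, TRACK2_RE), (1, TRACK1_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):  # random digit runs rarely pass Luhn
                    hits.append((n, track, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for line_no, track, masked in find_track_data(SAMPLE_LOG):
        print(f"line {line_no}: track {track} data found, PAN {masked}")
```

Line 4 of the sample is deliberately a non-Luhn number and is not reported; a real sweep would run this over log directories, database dumps and backups, not a single string.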

This is on top of a series of concerns that some retailers have expressed with the PCI program, including inconsistent enforcement and conflicts of interest.

Visa also released on Monday the latest compliance numbers for its Payment Card Industry Data Security Standard (PCI DSS), which showed slow but steady improvements in all areas. These figures are based on audit results.

Level 1 includes any merchant processing more than 6 million Visa transactions per year, regardless of volume or acceptance channel. Level 2 includes any merchant that processes 1 million to 6 million Visa transactions per year, regardless of acceptance channel. Level 3 are retailers that process 20,000 to 1 million Visa e-commerce transactions per year and Level 4 includes any merchant processing fewer than 20,000 Visa e-commerce transactions per year as well as all other merchants processing as many as 1 million Visa transactions per year.

The figures for July showed that 40 percent of Level 1 retailers were compliant, up from the 35 percent compliance rate for that group that Visa reported in May 2007. In May 2006, the compliance rate for that group was 18 percent.

The new July 2007 figures for Level 1 retailers showed that an additional 50 percent have pledged to repair security holes, a process known as filing a Report On Compliance (ROC). Back in May, Visa reported that 51 percent had been involved in the ROC stage, a slight one-point dip that is more than made up for by the increase in actually compliant Level 1 retailers. That July figure leaves 10 percent that are neither compliant nor pledging to be compliant, a sharp drop from the 14 percent Visa reported in May.

With the somewhat smaller Level 2 retailers, the July figures showed a 33 percent compliance rate, up from 26 percent in May, and the smaller Level 3 retailers showed 52 percent compliance, just slightly up from the 51 percent that Visa reported for that group in May.

Visa didn’t release any figures for its Level 4 retailers, but Visa’s Perez said, “We know that compliance is low.” Visa is expecting to have more specific numbers for that group soon.

Level 4 may represent the smallest retailers in the country, but it has strength in numbers, representing more than 6 million retailers, Perez said. Although those retailers represent only about a third of all of the Visa transactions, they account for some 80 percent of all data breaches. Still, despite all of those data breaches, fewer than five percent of all compromised cards came from Level 4 merchants, Perez said.

Rasch saw the increase in PCI compliance for Levels 1, 2 and 3 as a hopeful sign that “the standards are getting more mature and companies are getting more sensitive to it. The question is whether this will translate to an actual dip in retail fraud.”

Gartner’s Litan pointed out that Visa is the only credit card player that releases any security compliance figures. “You can’t get anything out of Amex, Discover or MasterCard,” she said.

Visa’s Perez used the numbers to make a pitch for contactless payment cards, which rotate CVV numbers as part of their security protocol. “With contactless, the CVV number on the next transaction would be different,” he said. “Contactless is one way to render the data useless.”
