For those who might say that PCI can be handled by the huge chains, but the midsize retailers don't have the staff and resources to be compliant, that argument is undercut by the figures from the Level 3 retailers, which process anywhere from 20,000 to one million e-commerce transactions a year. The Level 3 retailers reported an impressive 51 percent actual PCI compliance (almost twice the percentage of the Level 2s and 46 percent better than Level 1s). The Level 3s have an additional 16 percent filing ROC documents, giving them a total of 67 percent either compliant or promising to get compliant. Put another way, one out of three of the smaller e-commerce retailers aren't even trying, at least on paper.

In other PCI compliance numbers released from Visa, processors with a direct connection to Visa were reported as 87 percent compliant, up from 79 percent a year ago. Compliance among agents was reported at 62 percent, up from 40 percent a year ago.

Perez said that momentum was on Visa's side. "Our observation is that there is significant momentum toward validating full PCI DSS (Payment Card Industry Data Security Standard) compliance. We recognize that validating compliance isn't an overnight process. No merchant wants to be in the news for having caused the latest data breach and that it is in the best interests of the merchants to comply," Perez said.

"We applaud those entities that are already making the necessary investments in security. But current compliance levels are simply not good enough, and that's why we are moving forward with new approaches to convince merchants to accelerate their efforts to comply with these important standards," Perez said. "Last December, Visa announced its PCI Compliance Acceleration program. Visa is planning to pay out more than $20 million in incentives to complying merchants this year.
As part of the acceleration program, Visa's best interchange rates will only be available to merchants, through their acquiring financial institutions, if they validate PCI compliance by September 30, 2007. For the largest merchants, this annual savings could be as much as $10 million to $20 million."

In addition, Visa indicated that a lot more retailers are saying that they are no longer retaining the CVV (card verification value) numbers, which are the nonembossed numbers to verify the card. Visa reported that some 93 percent of all Level 1 and Level 2 retailers "have certified that they are not storing that data." Perez said, "The eradication of that sensitive data from systems doesn't equate to full PCI DSS compliance, but it represents an important step."

There's no way any program as huge as this one is ever going to get 100 percent compliance, so 93 percent is probably about as perfect as could be realistically hoped for. Still, one has to wonder about the 7 percent of Level 1 and Level 2 retailers who wouldn't even say that they have stopped storing those forbidden numbers. When Level 1 and Level 2 are combined, even 7 percent translates to an awful lot of stores.

Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan_Schuman@ziffdavis.com.
Visa didn't release figures for its Level 4 group, which either processes fewer than 20,000 annual e-commerce transactions or fewer than one million in-store transactions.