Have Retailers Given Up on PCI Compliance?

Opinion: Many large retailers don't even seem to be trying to comply with PCI security rules anymore.


You could draw quite a few different conclusions from the retail payment security compliance figures released by Visa on May 9, ranging from "retailers are taking credit card security more seriously" to "many of those retailers have all but given up trying." That's the beauty of statistical analysis.

For example, the figures show that, among the largest retailers (processing more than six million transactions a year), the percentage that Visa has certified as PCI-compliant has almost doubled, from 18 percent a year ago to 35 percent today.

Visa itself puts an even more favorable spin on the figures. "Among the top merchants, which account for over half of Visa's transaction volume, the majority are either fully compliant or working toward eliminating any deficiencies," said Eduardo Perez, vice president of Payment System Risk for Visa USA, in a statement.

That's true, according to the figures, with that "majority" coming in at an impressive 86 percent. To be fair, though, that's mixing two very different kinds of criteria. To get the majority referenced, Perez needs to add the 35 percent of large retailers that a Visa-approved auditor has certified as compliant to an additional 51 percent who have merely filed a document with Visa promising that they're trying to get compliant.

That document—technically called a Report on Compliance, or ROC—is simply the retailer saying, in effect: "Fear not. I'm trying to comply."

Indeed, the more intriguing figure is that some 14 percent of the nation's largest retailers apparently are both noncompliant and not even willing to promise Visa that they're trying. Heck, even the much-maligned TJX people filed a ROC pledging that they were trying to be better. Unfortunately, Visa wouldn't name the large retailers who make up that 14 percent.

To be fair, that 14 percent may have given up or they may simply have neglected to file the form. But with retailers of that size, it seems unlikely that PCI compliance filing with Visa would slip their minds.

That group of largest retailers falls into PCI's Level 1 merchant category. Beyond retailers processing more than six million transactions, that category also includes retailers of any size that have suffered some kind of credit/debit card data compromise. That's not so small a club anymore, so a growing share of Level 1 merchants are not necessarily huge retailers at all.

When Visa started discussing compliance with Level 2 and Level 3 retailers, the numbers changed radically. Level 2 merchants—those who process between one million and six million transactions a year—came up as 26 percent PCI-compliant. That's slightly lower than the 35 percent compliance of their Level 1 counterparts, but Visa didn't release the Level 2 (or the Level 3) compliance figures for a year ago, so we can't make that comparison.

But Level 2 merchants sharply diverged from their big brothers in the nebulous "we filed a form promising that we're still trying" category. Only 22 percent of Level 2 merchants have filed ROCs, which means that the majority (52 percent) are neither compliant nor promising to try. That's a lot of midsize retailers—processing millions of annual purchases—who don't seem to be taking credit card security that seriously.
