You could draw quite a few different conclusions from the retail payment security compliance figures released by Visa on May 9, ranging from retailers are taking credit card security more seriously to many of those retailers have all but given up trying. Thats the beauty of statistical analysis.
For example, the figures show that, among the largest retailers (processing more than six million transactions a year), the percentage that Visa has certified as PCI-compliant has almost doubled, from 18 percent a year ago to 35 percent today.
Visa itself puts an even more favorable spin on the figures. “Among the top merchants, which account for over half of Visas transaction volume, the majority are either fully compliant or working toward eliminating any deficiencies,” said Eduardo Perez, vice president of Payment System Risk for Visa USA, in a statement.
Thats true, according to the figures, with that “majority” coming in at an impressive 86 percent. To be fair, though, thats mixing two very different kinds of criteria. To get the majority referenced, Perez needs to add the 35 percent of large retailers that a Visa-approved auditor has certified as compliant with an additional 51 percent who have merely filed a document to Visa promising that theyre trying to get compliant.
That document—technically called a Report on Compliance, or ROC—is simply the retailer saying, in effect: “Fear not. Im trying to comply.”
Indeed, the more intriguing figure is that some 14 percent of the nations largest retailers apparently are both noncompliant and not even willing to promise Visa that theyre trying. Heck, even the much-maligned TJX people filed a ROC pledging that they were trying to be better. Unfortunately, Visa wouldnt release the large retailers who make up that 14 percent.
To be fair, that 14 percent may have given up or they may simply have neglected to file the form. But with retailers of that size, it seems unlikely that PCI compliance filing with Visa would slip their minds.
That group of largest retailers falls into PCIs Level 1 merchant category. Beyond retailers processing more than six million transactions, that category also includes retailers of any size if that retailer has had some kind of credit/debit card data compromise. Thats not so small a club anymore, so the percentage of Level 1 merchants who might not necessarily be that huge is growing.
When Visa started discussing compliance with Level 2 and Level 3 retailers, the numbers changed radically. Level 2 merchants—those who process between one million and six million transactions a year—came up as 26 percent PCI-compliant. Thats slightly lower than the 35 percent compliance of their Level 1 counterparts, but Visa didnt release the Level 2 (or the Level 3) compliance figures for a year ago so we cant do that comparison.
But Level 2 merchants sharply diverged from their big brothers in the nebulous “we filed a form promising that were still trying” category. Only 22 percent of Level 2 merchants have filed ROCs, which means that the majority (52 percent) are neither compliant nor promising to try. Thats a lot of midsize retailers—processing millions of annual purchases—who dont seem to be taking credit card security that seriously.
For those who might say that PCI can be handled by the huge chains, but the midsize retailers dont have the staff and resources to be compliant, that argument is undercut by the figures from the Level 3 retailers, which process anywhere from 20,000 to one million e-commerce transactions a year.
The Level 3 retailers reported an impressive 51 percent actual PCI compliance (almost twice the percentage of the Level 2s and 46 percent better than Level 1s). The Level 3s have an additional 16 percent filing ROC documents, giving them a total of 67 percent either compliant or promising to get compliant. Put another way, one out of three of the smaller e-commerce retailers arent even trying, at least on paper.
Visa didnt release figures for its Level 4 group, which either processes fewer than 20,000 annual e-commerce transactions or fewer than one million in-store transactions.
In other PCI compliance numbers released from Visa, processors with a direct connection to Visa were reported as 87 percent compliant, up from 79 percent a year ago. Compliance among agents was reported at 62 percent, up from 40 percent a year ago.
Perez said that momentum was on Visas side. “Our observation is that there is significant momentum toward validating full PCI DSS (Payment Card Industry Data Security Standard) compliance. We recognize that validating compliance isnt an overnight process. No merchant wants to be in the news for having caused the latest data breach and that it is in the best interests of the merchants to comply,” Perez said.
“We applaud those entities that are already making the necessary investments in security. But current compliance levels are simply not good enough, and thats why we are moving forward with new approaches to convince merchants to accelerate their efforts to comply with these important standards,” Perez said. “Last December, Visa announced its PCI Compliance Acceleration program. Visa is planning to pay out more than $20 million in incentives to complying merchants this year. As part of the acceleration program, Visas best interchange rates will only be available to merchants—through their acquiring financial institutions—if they validate PCI compliance by September 30, 2007. For the largest merchants, this annual savings could be as much as $10 million to $20 million.”
In addition, Visa indicated that a lot more retailers are saying that they are no longer retaining the CVV (card verification value) numbers, which are the nonembossed numbers to verify the card. Visa reported that some 93 percent of all Level 1 and Level 2 retailers “have certified that they are not storing that data.” Perez said, “The eradication of that sensitive data from systems doesnt equate to full PCI DSS compliance, but it represents an important step.”
Theres no way any program as huge as this one is ever going to get 100 percent compliance, so 93 percent is probably about as perfect as could be realistically hoped for. Still, one has to wonder about the 7 percent of Level 1 and Level 2 retailers who wouldnt even say that they have stopped storing those forbidden numbers. When Level 1 and Level 2 are combined, even 7 percent translates to an awful lot of stores.
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected].
To read earlier retail technology opinion columns from Evan Schuman, please click here.