PCI compliance for the nation’s largest retailers hit 77 percent at the end of last year, according to Visa.
In addition, the credit card company said Jan. 22 that compliance among midsize merchants, or Level 2s, also sharply increased, growing to 62 percent.
When Visa last reported PCI compliance figures for the largest retailers, or Level 1s, in late October 2007, that figure was 65 percent. The number has been steadily increasing. In December 2006, for example, Level 1 PCI compliance was at 36 percent.
The new figures also show a sharp improvement for midsize retailers, which jumped from October’s 43 percent. Level 2 retailers process between 1 million and 6 million Visa transactions a year.
Visa also reported that the percentage of retailers in both groups that had promised that they were not retaining prohibited data hit 99 percent.
The figures were first revealed in a speech that Jennifer Fischer, a Visa PCI executive, gave to a Los Angeles PCI seminar audience the week of Jan. 14. However, the slides that Fischer used suggest that Visa helped those numbers look stronger by removing from the list some 38 Level 1 retailers that weren’t going to make their PCI deadlines and extending their deadlines to Sept. 30, 2008.
There are only 364 Level 1 retailers, which are merchants that process more than 6 million Visa transactions a year. Visa did the same thing for the 1,011 Level 2 retailers, only there it excluded 302 merchants, which were given until Dec. 31, 2008. Were it not for those exclusions, both compliance figures would have been much lower and would have given a more accurate sense of how many of the nation’s largest retailers are truly complying with data security requirements.
For the nation’s 2,596 Level 3 merchants — those whose annual e-commerce transactions number from 20,000 to 1 million — the compliance level was only 54 percent.
The group that represents the largest percentage of all Visa transactions is Level 1s, which are responsible for half of all Visa transactions. But the second-largest group is the nation’s 6 million Level 4s, which process fewer than 1 million transactions a year and are responsible for almost a third (32 percent) of all Visa transactions, the Visa documents said.
Unlike the other groups, the PCI compliance for Level 4s was not specified, but merely described in the Visa documents as “low.”
Fischer’s slides also painted an insecure image of credit card data. The number of data “compromise events” in the United States “more than doubled” from 2006 to 2007. A different slide gave some meat to that claim, showing about 25 reported data breaches in 2003, increasing to about 125 in 2004 and about 250 in 2005.
That number of reported data breaches dropped in 2006 to about 220, but then sharply rose last year. The slide reported some 348 incidents for 2007, but then noted that it only included incidents reported through August 2007, suggesting that the 2007 total could be higher.
As with all crime reporting, it’s not clear whether the numbers reveal an increase in actual data breaches or merely an increase in the percentage of such incidents that are being reported, or a combination of the two.
An ongoing security debate has been whether online or physical stores are a higher security risk. For the last few years, the conventional wisdom has been that brick-and-mortars are still responsible for the vast majority of breaches, but online is where fraudulent and stolen cards are most likely to be used.
The new Visa figures challenge those assumptions, with reports showing an even split between physical and Web stores in 2007, according to Fischer’s slides.
Retail Center Editor Evan Schuman can be reached at firstname.lastname@example.org.