Large Retail PCI Compliance Improving, But 14 Percent Seem To Have Given Up

Visa's latest stats on how many retailers comply with PCI security rules suggest that many large retailers aren't even trying anymore.

The latest batch of retail payment security compliance figures, released by Visa on Wednesday, supports quite a few different conclusions, ranging from "retailers are taking credit card security more seriously" to "many of those retailers have all but given up trying." That's the beauty of statistical analysis.

For example, the figures show that, among the largest retailers (processing more than six million transactions a year), the percentage that Visa has certified as PCI compliant has almost doubled, from 18 percent a year ago to 35 percent today.

Visa itself puts an even more favorable spin on the figures, with a statement from Visa attributed to Eduardo Perez, vice president, Payment System Risk, Visa USA, saying, "Among the top merchants, which account for over half of Visa's transaction volume, the majority are either fully compliant or working toward eliminating any deficiencies."

That's true, according to the figures, with that "majority" coming in at an impressive 86 percent. To be fair, though, that's mixing two very different kinds of criteria. To get the majority referenced, Perez needs to add the 35 percent of large retailers that a Visa-approved auditor has certified as compliant to an additional 51 percent who have merely filed a document with Visa promising that they're trying to get compliant.

That document, technically called a Report on Compliance (ROC), is the report a Visa-approved assessor writes up after an on-site audit. When it records deficiencies and a remediation plan, it amounts to the retailer saying, in effect, "Fear not. I'm trying to comply."

Indeed, the more intriguing figure is that some 14 percent of the nation's largest retailers apparently are both non-compliant and not even willing to promise Visa that they're trying. Heck, even the much-maligned TJX people filed a ROC pledging that they were trying to be better. Try as we might, we couldn't get Visa to name the large retailers who make up that 14 percent.

To be fair, that 14 percent may have given up or they may simply have neglected to file the form. But with retailers of that size, it seems unlikely that PCI compliance filing with Visa would slip their minds.

That group of largest retailers falls into PCI's Level 1 merchant category. Beyond retailers processing more than six million transactions a year, that category also includes retailers of any size that have suffered some kind of credit/debit card data compromise. That club isn't so small anymore, so a growing share of Level 1 merchants aren't necessarily huge.

When Visa started discussing compliance with Level 2 and Level 3 retailers, the numbers changed radically. Level 2 merchants (those who process between one million and six million transactions a year) came up as 26 percent PCI compliant. That's somewhat lower than the 35 percent compliance of their Level 1 counterparts, but Visa didn't release the Level 2 (or the Level 3) compliance figures for a year ago, so we can't do that comparison.

But Level 2 merchants sharply diverged from their big brothers in the nebulous "we filed a form promising that we're still trying" category. Only 22 percent of Level 2 merchants have filed ROCs, which means that the majority (52 percent) are neither compliant nor promising to try. That's a lot of mid-sized retailers, processing millions of annual purchases, who don't seem to be taking credit card security that seriously.

Some might argue that the huge chains can handle PCI but that mid-size compliance lags because those retailers don't have the staff and resources to be compliant. That argument is undercut by the figures from the Level 3 retailers, which process anywhere from 20,000 to one million E-Commerce transactions a year.

The Level 3 retailers reported an impressive 51 percent actual PCI compliance (almost twice the percentage of the Level 2s and 46 percent better than the Level 1s). The Level 3s have an additional 16 percent filing ROC documents, giving them a total of 67 percent either compliant or promising to get compliant. Put another way, one out of three of the smaller E-Commerce retailers isn't even trying, at least on paper.

Visa didn't release figures for its Level 4 group, which either processes fewer than 20,000 annual E-Commerce transactions or fewer than one million in-store transactions.

In other PCI compliance numbers released from Visa, processors with a direct connection to Visa were reported as 87 percent compliant, up from 79 percent a year ago. Compliance among agents was reported at 62 percent, up from 40 percent a year ago.

In the statement Visa attributed to Perez, the VP was quoted as saying that momentum was on their side. "Our observation is that there is significant momentum toward validating full PCI DSS (Payment Card Industry Data Security Standard) compliance. We recognize that validating compliance isn't an overnight process. No merchant wants to be in the news for having caused the latest data breach and that it is in the best interests of the merchants to comply," Perez said.

"We applaud those entities that are already making the necessary investments in security. But current compliance levels are simply not good enough, and that's why we are moving forward with new approaches to convince merchants to accelerate their efforts to comply with these important standards," Perez said. "Last December, Visa announced its PCI Compliance Acceleration program. Visa is planning to pay out more than $20 million in incentives to complying merchants this year. As part of the acceleration program, Visa's best interchange rates will only be available to merchants -- through their acquiring financial institutions -- if they validate PCI compliance by September 30, 2007. For the largest merchants, this annual savings could be as much as $10 million to $20 million."

Another figure that Visa released is that many more retailers now say they are no longer retaining card verification value numbers, the non-embossed three-digit code printed on the card (Visa calls it CVV2) that is used to verify that the buyer actually holds the card. Visa reported that some 93 percent of all Level 1 and Level 2 retailers "have certified that they are not storing that data." Said Perez: "The eradication of that sensitive data from systems doesn't equate to full PCI DSS compliance, but it represents an important step."

There's no way any program as huge as this one is ever going to get 100 percent compliance, so 93 percent is probably about as perfect as could be realistically hoped for. Still, one has to wonder about the seven percent of Level 1 and Level 2 retailers who wouldn't even say that they have stopped storing those forbidden numbers. When Level 1 and Level 2 are combined, even seven percent translates to an awful lot of stores.