Largest Retail PCI Compliance Now At 77 Percent

Visa confirmed Tuesday that PCI compliance for the nation's largest retailers (Level 1) hit 77 percent for the end of last year and that mid-sized merchants (Level 2s) also sharply increased in compliance, hitting 62 percent.

When Visa last reported Level 1 PCI compliance figures in late October 2007, that figure was 65 percent. The number has been steadily and rapidly increasing, with the December 2006 Level 1 PCI compliance, for example, at 36 percent.

The new figures also show a sharp improvement for mid-sized (Level 2) retailers, up from October's 43 percent. Level 2 retailers process between one million and six million Visa transactions a year.

Visa also reported that the percentage of retailers in both groups who had promised that they were not retaining prohibited data hit 99 percent.

The figures were first revealed in a speech that Jennifer Fischer, a Visa PCI executive, gave to a Los Angeles PCI seminar audience last week. But the slides that Fischer used suggest that Visa helped those numbers look stronger by removing from the list some 38 Level 1 retailers that weren't going to make their PCI deadlines and extending their deadlines to Sept. 30, 2008.

There are only 364 Level 1 retailers, which are merchants that process more than 6 million Visa transactions a year. Visa did the same thing for the 1,011 Level 2 retailers, only there it excluded 302 merchants, who were given until Dec. 31, 2008. Were it not for those exclusions, the compliance figures would both have been much lower and would have given a more accurate sense of how many of the nation's largest retailers are truly compliant with data security requirements.

For the nation's 2,596 Level 3 merchants—those whose E-Commerce transactions number from 20,000 to 1 million—the compliance level was only 54 percent.

The group that represents the largest percentage of all Visa transactions is the Level 1s, which are responsible for exactly half of all Visa transactions. But the second-largest group is the nation's six million Level 4s, which process fewer than one million transactions a year and are responsible for almost one-third (32 percent) of all Visa transactions, the Visa documents said.

Unlike the other groups, the PCI compliance for Level 4s was not specified, but merely described as "low."

Steve Rowen, a security analyst with Retail Systems Research, said that these compliance stats should always be examined cynically. Even were it not for the eliminated retailers, his company's own research certainly didn't support the rosy picture painted by Visa.

"We find it difficult to believe that in a room of ten Level 1 retailers, when asked who is compliant, nearly 8 would stand up," he said. "But it's not surprising to see these types of numbers put forth because, historically, these (Visa) statistics have been a bit inflated. For example, at the close of 2006, Visa stated that 67 percent of Level 1 retailers were compliant. We found that number to be 28 percent. Again, this year, their number of Level 1 retailers—cited by Visa as 77 percent—is in stark contrast to the 48 percent we unearthed in our most recent customer data security benchmark study."

Rowen also questioned the decision of Visa to selectively change the deadlines for certain retailers while requiring others to abide by the announced dates. That said, Rowen added, the move did show a degree of flexibility that made for a less hostile retailer-to-card brand environment.

The select deadline relaxations "took the teeth out of, well, it took some of the bite out of the dog, for sure. Ultimately, I think it was a bad decision, but at least there's now less animosity," Rowen said. For some of the retailers who were given the extensions, it was a no-win compliance situation. Had the deadlines not been relaxed, those retailers would have likely made some quick purchases to avoid the fines and loss of favored credit card transaction rates. But the new purchases would likely not have been deployed properly, he said. In theory, he opined, giving them more time might make it more likely that they will make the proper security purchases and integrate those systems more wisely.

Fischer's slides also painted a very insecure image of credit card data. The number of data "compromise events" in the U.S. "more than doubled" from 2006 to 2007. A different slide gave some meat to that claim, showing about 25 reported data breaches in 2003, increasing to about 125 in 2004 and about 250 in 2005.

That number of reported data breaches dropped in 2006 to about 220 but then sharply rose last year. The slide reported some 348 incidents for 2007, but then noted that it only included incidents reported "through August 2007," suggesting that the 2007 total could be sharply higher.

As with all crime reporting, it's not clear whether the numbers reveal an increase in actual data breaches or merely an increase in the percentage of such incidents that are being reported or a combination of the two.

An ongoing security debate has been whether online or physical stores carry the higher security risk. For the last few years, the conventional wisdom has been that brick-and-mortars are still responsible for the vast majority of breaches, but online is where fraudulent and stolen cards are most likely to be used.

The new Visa figures challenge those assumptions, with "U.S. compromise events reported to Visa" showing an exactly even split between physical and Web stores in 2007, according to Fischer's slides.