Level 3 PCI Compliance Increases Slightly, Even As Its Population Grows

The latest PCI compliance stats—out this week—show trivial changes from the prior report, with Level 2 and Level 3 retailers slightly increasing compliance. Level 2 went from 91 percent at the end of December 2011 to 92 percent as of March 31, 2012, and Level 3 also increased by 1 percent, from 58 percent to 59 percent. The 407 largest chains, the Level 1s (processing more than 6 million Visa transactions annually), stayed exactly the same, at 98 percent.

With changes as small as 1 percent, it's hard to determine what, if anything, caused the change. The number of Level 2s (1 million to 6 million Visa transactions annually) dropped slightly (from 1,066 to 1,060), so it's possible a couple of the chains that left might have had compliance issues. When the last report came out, we expressed concern about the very low compliance of Level 3s, coupled with the fact that Visa has yet to report how Level 4s are doing—beyond "moderate."

It actually added a little more ("Level 4 compliance is moderate among standalone terminal merchants, but lower among merchants using integrated payment applications"), but without actual numbers the comparisons don't mean much. Level 4s are those retailers processing fewer than 20,000 Visa E-Commerce transactions annually, along with retailers processing as many as 1 million Visa transactions of any type annually.

On the plus side, that slight increase in Level 3 compliance was made while also significantly increasing (about 2.5 percent) the number of Level 3 merchants, from 3,149 to 3,229. So the percentage of compliant Level 3s is still far too low. But when that percentage can be increased (even slightly) while adding 80 new retail chains, it's pretty impressive. That stat might be even more impressive if we assume that a lot of those Level 3s were upgrading from Level 4. It's often the most difficult to achieve compliance when you're dealing with more stringent requirements for the first time. (Technically, it's certainly possible that some of the new Level 3s had downgraded from Level 2. Given that Level 2 retailers dropped by six and Level 3s increased by 80, that couldn't account for much of it.)