New PCI Stats Show First Time Drop In Level 1 Compliance

New PCI DSS compliance stats for the U.S. released by Visa on Monday (May 26) showed—for the first time—a drop in the compliance rate for Level 1 retailers, albeit a tiny one, from 96 percent to 95 percent. But it's significant in that Level 1—the largest chains in the Visa empire—has always shown a steady increase and, at worst, a plateau.

The exact number of retailers in Level 1 was 360 chains in the figures released this week, which is the exact same number that Visa reported last month. Last month's report covered activity through Dec. 31, 2009, and this week's figures are current as of March 31, 2010. Those results suggest that four of last year's compliant chains no longer are, bringing the number of non-PCI-compliant major chains up to about 18.

The other Levels examined showed figures identical to the prior report, with Level 2 still at 94 percent and Level 3 staying in the vague classification of "moderate."

With the number of chains covered being constant, there is still the possibility—albeit remote—that one or two chains dropped out of the Level 1 category and that the same number moved up from Level 2. The much more likely scenario is that four merchants lost their PCI certification. Are there new breaches that we've yet to learn of? Did those chains have assessments that turned up serious new deficiencies?

It might even be something as innocuous as multiple chains changing assessment firms, with the new firms using a stricter interpretation of the guidelines. New initiatives in mobile could also open some larger chains to suddenly being found non-compliant. Indeed, some chains have already discovered the perils of new platforms.