Although the numbers do show a sharp increase, they also reflect the fact that 35 percent of large retailers—more than one in three—are still not PCI compliant today, despite the passing of the Sept. 30 deadline and the start of the promised $25,000-per-month fines for non-compliance.
On a potentially even scarier note, Visa reported that PCI compliance among the more numerous Level 2 retailers—those who process between one million and six million Visa transactions a year—stood at only 43 percent as of Sept. 30, 2007.
On the optimistic side, Level 2 compliance was barely 15 percent in December 2006 and 33 percent in July, so the trend is a healthy one. Also, the deadline for Level 2 retailers doesn't kick in until New Year's Eve of this year, so it's possible those numbers could rise sharply again by January.
Then again, most Level 2 retailers will have their hands full from late October through late December, so it's not certain how much of an increase will materialize.
Visa issued a statement that it wants to see compliance—and not penalty revenue—go up. "We'd much rather grow compliance than levy fines," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance for the U.S. market, Visa Inc. "We're making steady progress in accelerating merchant compliance with PCI standards to protect cardholder information."
A promising note was Visa saying that 99 percent of Level 1 and Level 2 retailers "confirmed they are not storing prohibited account data such as magnetic stripe—also known as track data—CVV2 (the security code on the back of the card) and PIN data." That's up from the 96 percent Visa reported in July. Those prohibited data elements are especially attractive to data thieves because full track data and PINs are what is needed to produce counterfeit cards and withdraw cash, and CVV2 is what card-not-present fraud requires, which is why the PCI standard forbids retaining any of them after authorization.