The Latest PCI Compliance Stats Disappointing For Level 3s
Written by Walt Conway and Evan Schuman
The latest PCI compliance stats—released by Visa this month—are a mixed bag, with Level 1s plateauing at about 15 major chains still non-compliant. But at the small and midsize merchant level, the numbers are so unimpressive that Visa has given up specifying the numbers. Not a good sign.
We now have three years of data to examine—2007 through 2009—so, to the extent that Visa has used the same categories during that time, we can add a bit of context to this information.
Small merchant compliance is a big deal because they account for roughly one-third of all Visa card transactions. But about the best Visa can report for this segment right now is that its rate of compliance is “moderate.”
Compliance for Level 3 merchants—primarily E-tailers with between 20,000 and 1 million Visa transactions annually—is stagnant at a very low level. Visa reported that this group of roughly 2,500 merchants was 54 percent compliant at the end of 2007. Fair enough. There are more Level 3 merchants; they are not always big enough to show up on acquirers’ radar; and Visa’s Compliance Acceleration Program (CAP) focused on their larger L1 and L2 brethren. Sadly, the data for 2008 showed almost no movement by L3 merchants, and now Visa has stopped showing their numbers altogether. It says only that compliance in this segment is “moderate.”
We have no idea what “moderate” means. Is it more than or less than 50 percent or 70 percent or any percent? What we do know is that Visa did not use words like “high” or even “really good,” which it could have. We’re wondering if this new language (which first appeared, we believe, in the September 2009 Visa report) is a tacit admission that there hasn’t been much progress. Maybe it’s just too hard to track. In the absence of any kind of numbers since 2008, we have to rate L3 compliance as an industry Fail.
The PCI compliance situation for the smaller merchant universe—the millions of Level 4 merchants—is even murkier. Visa didn’t even attempt to track compliance for these merchants who, by the way, account for roughly one-third of all Visa transactions annually.
There is no data for 2007 or 2008 and, as of 2009, Visa says only that compliance in this segment is—wait for it—“moderate.” Except this time we get a footnote stating “Level 4 compliance is moderate among standalone terminal merchants, but lower among merchants using integrated payment applications.” So now we have “moderate” and “lower than moderate.” Perhaps “lower than moderate” is somewhere below “moderate” and slightly above “let’s not go there.” We can only grade this result as another Fail.
As for the major retailers, Visa classifies merchants having more than 6 million Visa transactions a year as Level 1. These retailers account for half of all Visa transactions annually. At the end of 2007, only 77 percent of L1 merchants were PCI compliant. Two years later, the rate shot up to 96 percent while the number of merchants actually increased slightly (from 326 to 360).
We’d love to know which are the 15 or so L1 merchants that are not compliant.