Source: Visa
Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants¹ and nearly two-thirds of medium-sized merchants² have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Merchants in these two categories account for approximately two-thirds of Visa's U.S. transaction volume.
The strong progress is attributed to the efforts of multiple stakeholders, including acquirers, merchants and Visa. Visa's multi-tiered strategy of financial incentives, education and non-compliance fines has had a direct impact on increasing compliance among the largest U.S. merchants from about 12 percent in March 2006 to 77 percent by December 31, 2007. Among medium-sized merchants, compliance grew from 15 percent in December 2006 to 62 percent as of December 31, 2007.
"Visa is working to mitigate the risk of data compromises by securing cardholder information," said Michael E. Smith, head of payment system risk, Visa. "In 2007, more U.S. merchants made good on their commitment to protect cardholder information than in any other year. Visa is pleased with the progress of merchant PCI DSS compliance, though there is still more to accomplish among payment system participants," he said.
Visa set compliance deadlines of September 30, 2007 for the largest merchants and December 31, 2007 for middle-sized U.S. merchants. The deadlines were announced by Visa in December 2006 as part of the company's efforts to encourage greater U.S. merchant compliance through financial incentives and penalties known as the PCI Compliance Acceleration Program (PCI CAP).
Visa recently began levying monthly fines of $25,000 to U.S. merchant banks (or acquirers) for each of their large merchants that did not validate PCI DSS compliance by the deadline. As of January 2008, Visa is levying monthly fines of $5,000 to U.S. acquirers for non-compliant middle-sized merchants. "Visa will continue to encourage merchants to meet data security compliance requirements and to provide supporting tools and resources. PCI DSS compliance is designed to enhance data security, which is in the best interest of merchants, consumers and the financial services industry alike," noted Smith.
Visa's PCI CAP initiative also focused on eliminating prohibited account data such as magnetic stripe (also known as track data), CVV2 (the security code on the back of the card) and PIN data from the largest merchants' systems. Storing prohibited account data increases a business's risk of becoming a target for hackers. More than 99 percent of large and middle-sized merchants have affirmed they do not retain prohibited account data.
Additionally, Visa has been actively encouraging smaller merchants to become compliant with the PCI DSS and reduce their account data storage. In May 2007, Visa announced requirements for U.S. acquirers to identify security risks among their small merchant customers and develop an educational program to raise awareness and understanding of the PCI DSS. Since Visa announced the requirement, 100 percent of active U.S. acquirers have submitted plans to Visa and are in the process of implementing their security programs.
¹ Level 1 merchants process six million or more Visa transactions annually.
² Level 2 merchants process one to six million Visa transactions annually.