Nearly Two-Thirds of Largest U.S. Merchants Now PCI Compliant
Visa has announced that 65 percent of the largest U.S. merchants (those processing six million or more Visa transactions annually) have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS), up from 36 percent in December 2006. Among medium-sized merchants (those processing one to six million Visa transactions annually), compliance grew from 15 percent in December 2006 to 43 percent as of September 30, 2007. The merchants that comprise these two categories account for approximately two-thirds of Visa's U.S. transaction volume.
"We're making steady progress in accelerating merchant compliance with PCI standards to protect cardholder information," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance for the U.S. market, Visa Inc. "This demonstrates that many of the largest participants in the system share responsibility for protecting it."
Visa set a September 30, 2007 compliance deadline for the largest merchants in the United States. The deadline was announced by Visa in December 2006 as part of the company's efforts to encourage greater U.S. merchant compliance through financial incentives and penalties known as the PCI Compliance Acceleration Program (PCI CAP). Today's announcement demonstrates that PCI CAP is helping to drive compliance to improve cardholder security.
Additionally, 99 percent of Level 1 and 2 merchants confirmed they are not storing prohibited account data such as magnetic stripe (also known as track data), CVV2 (the security code on the back of the card) and PIN data. Storing prohibited account data violates Visa rules and increases a business' risk of becoming a target for hackers.
Effective October 1, 2007 Visa began levying fines of $25,000 a month to U.S. acquirers for each of their Level 1 merchants that has not validated PCI DSS compliance by the deadline.
"We'd much rather grow compliance than levy fines," said Smith. "Merchants who are working to secure their payment environments today are helping to ensure that they won't become data breach victims tomorrow," he concluded.
Visa has also been actively encouraging smaller merchants to become compliant with the PCI DSS. In May 2007, Visa announced requirements for U.S. acquirers to identify security risks among their small merchant customers and develop an educational program to raise their awareness and understanding of the PCI DSS. Since Visa announced the requirement, 100 percent of active acquirers have submitted plans to Visa.
Merchants can visit Visa's online education center at www.visa.com/cisp to learn more about securing customers' payment card data. The site offers a series of webinars and security alerts that will help a merchant better understand the PCI DSS and how to achieve compliance with it.
The PCI DSS is an international set of security requirements for any entity that touches cardholder data. The standards are set by an international body known as the Payment Card Industry Security Standard Council that seeks to provide a forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the Data Security Standard. For more information about the Council, go to www.pcisecuritystandards.org




