
The number of Merchants who are compliant with the Payment Card Industry Data Security Standard (PCI DSS) varies from continent to continent and country to country, but the figures released by VISA for the US make interesting reading.

The table below shows the results for the US up to 30 June 2011, as published on Visa's website.

Cardholder Information Security Programme (CISP)

| Category (Visa Transactions per year) | Estimated Population Size | Estimated % of Visa Transactions | Compliance Validated | Validated Not Storing Prohibited Data |
|---|---|---|---|---|
| Level 1 Merchant (>6M) | 377 | 50% | 97% | 100% |
| Level 2 Merchant (1-6M) | 881 | 13% | 96% | 100% |
| Level 3 Merchant (e-commerce only, 20,000-1M) | 3,024 | <5% | 60% | N/A |
| Level 4 Merchant (<1M) | ~5,000,000 | 32% | Moderate * | TBD |
| VisaNet Processor (Direct Connection) | 62 | 100% | 94% | High |
| Agent (Downstream) | 1,262 | N/A | 83% | High |

*Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications

Since the PCI DSS standard was released and enforced, Level 1 Merchants have been the main focus of the Card Issuing companies and, of course, of the QSAs because, as the table above shows, they represent the largest percentage of transactions for a single group and are a small enough number to manage easily. This focus is why Visa can report a near 100% validation rate for Level 1 Merchants.

The largest risk group by number of businesses is the Level 4 Merchants, with over 5,000,000 in the US alone.

Level 4 Merchants have not yet been given a percentage on the Visa chart. This is probably because they do not need to have their Self Assessment Questionnaire (SAQ) validated by an external party, e.g. a QSA, except in rare circumstances. Relying on the Merchant's ability to understand the requirements of PCI DSS and to put in place the processes, policies and protections required to protect Credit Card Data requires a lot of “faith” on Visa's part.

The majority of credit card breaches happen in Level 4 Merchants, e.g. restaurants and hotels, which is why Visa is pushing EMV on a world-wide basis.

All in all, it looks like the majority of Merchants are PCI DSS compliant, which means the programme is doing some good…