The number of Merchants who are compliant with the Payment Card Industry Data Security Standard (PCI DSS) varies from continent to continent and country to country, but the figures released by VISA for the US make interesting reading.
The table below shows the results for the US up to the 30th June 2011 as per the VISA.com website.
| Cardholder Information Security Programme (CISP) Category (Visa Transactions per year) | Estimated Population Size | Estimated % of Transactions | Validated | Not Storing Prohibited Data |
|---|---|---|---|---|
| Level 1 Merchant (>6M) | 377 | 50% | 97% | 100% |
| Level 2 Merchant (1-6M) | 881 | 13% | 96% | 100% |
| Level 3 Merchant (e-commerce only 20,000-1M) | 3,024 | <5% | 60% | N/A |
| Level 4 Merchant (<1M) | ~5,000,000 | 32% | Moderate * | TBD |
| VisaNet Processor (Direct Connection) | 62 | 100% | 94% | High |
*Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications
Since the PCI DSS standard was released and enforced, the Level 1 Merchants have been the main focus of the Card Issuing companies and, of course, of the QSAs. As the table above shows, they represent the largest percentage of transactions for a single group, and they are a small enough number to manage easily. This focus is why Visa can report a near 100% validation rate for Level 1 Merchants.
The largest risk group by number of businesses is the Level 4 Merchants, with over 5,000,000 in the US alone.
Level 4 Merchants have not yet achieved a % on the Visa chart. This is probably because they do not need to have their Self Assessment Questionnaire (SAQ) validated by an external party, e.g. a QSA, except in rare circumstances. Relying on each Merchant's ability to understand the requirements of PCI DSS and to put in place the processes, policies and protections required to protect Credit Card Data requires a lot of “faith” on Visa's part.
The majority of credit card breaches happen in Level 4 Merchants, e.g. restaurants and hotels, which is why Visa is pushing EMV on a worldwide basis.
All in all it looks like the majority of Merchants are PCI DSS compliant, which means the programme is doing some good…