Fudging the numbers about their merchants’ compliance with the Payment Card Industry data-security standard (PCI) may be a common practice by merchant acquirers if findings from a new study about payment card data security are to be believed. The study by the Merchant Acquirers’ Committee, an association of more than 500 acquirers, independent sales organizations, risk managers and other acquiring-industry players, found that the rates of PCI compliance by the biggest merchants are far lower than the compliance rates reported by Visa Inc.
PCI is the lengthy set of data-security rules with which all merchants that accept general-purpose credit and debit cards, as well as processors, must comply. The PCI Security Standards Council makes the rules, but card networks oversee enforcement. Visa and MasterCard Inc. delegate to acquirers direct responsibility for ensuring that their merchants meet the standard.
For a number of years now, Visa has been publicly reporting U.S. PCI compliance rates—the only network to do so. For biggest card-accepting entities compliance has been high. Visa’s latest available report, for last June 30, pegs PCI compliance validation by the estimated 450 so-called Level 1 merchants at 97%. A Level 1 retailer generates more than 6 million Visa transactions annually, and collectively such merchants account for 50% of the network’s transactions.
The report says compliance validation for the estimated 972 Level 2 merchants, which generate 13% of Visa transactions, was 88%. A Level 2 merchant processes 1 million to 6 million Visa card transactions annually.
But findings from the MAC study conducted last September and October differ. Based on responses from 25 member acquirers processing for a collective 1.14 million merchants—about 15% of the U.S. total—the study estimates Level 1 merchants’ compliance at 67% and Level 2 merchants’ rate slightly higher at 69%.
Much of the difference between the Visa and MAC numbers can be explained by what acquirers report, or over-report, to Visa about their merchants’ PCI status, according to Dallas-based data-security consultant Branden R. Williams, who oversaw “The Impacts of Data Breaches” study. “We know that there’s a reporting issue,” Williams says. “The acquirer may choose to report a merchant as compliant when it may not be.”
A big reason: networks might fine the acquirer for non-compliance cases, says Williams. But while deliberate over-reporting to avoid fines is a factor, PCI compliance also can be a gray matter for acquirers, according to Williams, a former qualified security assessor (QSA) who did PCI audits of card-accepting merchants. For example, a merchant technically may not meet every one of the 200-plus PCI strictures but still could be running a tight ship from a security perspective and present only a low risk for a breach. Cognizant of that risk, the acquirer might report the merchant as compliant, he says. And at least some of the differences also may be explained by the timing of acquirers’ reporting to Visa as subsets of merchants come up for their annual PCI audits, Williams adds.
A Visa spokesperson says Visa hasn\'t yet seen the survey, and thus does not have a comment.
The MAC study actually exceeded Visa’s estimate about Level 3 merchants’ PCI compliance. A Level 3 merchant is e-commerce-only and generates 20,000 to 1 million Visa transactions a year. Visa last pegged Level 3 compliance at 61% while the MAC study puts it at 67%. These e-commerce merchants generate 5% of Visa’s transactions.
The study also puts a number on PCI compliance by the 5 million-plus Level 4 merchants, the small businesses that generate less than 1 million Visa transactions apiece and collectively account for 32% of Visa volume. Visa has never given a compliance percentage for small merchants, usually dubbing it as “moderate,” but the MAC study reports it at 39%.
MAC originally received responses from 100 acquirers and ISOs but did not use 75 of them because they were incomplete, according to Williams. Many of the questions were technical and may have required expertise the responding person didn’t have, he says. That said, the study came up with a number of other interesting findings in addition to acquirer PCI reporting:
• Despite the highly publicized data breaches at Target Corp., The Home Depot Inc. and other merchants in recent years, the number of such compromises is still small. Only 119 of the 1.14 million merchants in the study group had a breach in the preceding 12 months, although five had been breached more than once.
• Post-breach fines are rare and seemingly small. Only two respondents reported being fined, and the average fine was $18,500 per incident.
• An analysis of merchant counts showed a declining rate of PCI compliance as the size of the merchant group increased. And while small merchants are frequently singled out for their lack of data-security expertise, the MAC study found that no statistically significant differences in the variance of breaches sustained by level 1, 3 and 4 merchants.
• The effect of breaches on consumers is largely unknown, but apparently not disastrous. Sixty-nine percent of respondents said they didn’t know how consumers reacted after a breach while 27% reported no transaction-volume changes. Only 4% reported a decline.
While the applicability of the findings to the general U.S. merchant population may be limited because of the small number of acquirers participating, Williams says the study provides some pointers for the frequently hot debates in the acquiring industry about data breaches. “If nothing else, it creates discussion points,” he says.