(July 7, 2006) Of 232 large U.S. merchants identified by Visa USA in 2004 and 2005, some 23% now comply with the Payment Card Industry data-security standard (PCI), but 73% are projected to be in compliance by the end of the year “based on progress reports,” says Michael Dahn, president of Volubis Inc., a San Francisco company that has contracted with Visa to help train PCI assessors and educate merchants on the standard.

Although the compliance statistics seem to indicate merchants are climbing on the PCI bandwagon in the wake of a long series of well-publicized data-security breaches, Dahn cautions that the numbers refer only to those merchants identified by Visa in 2004 and last year. “What about the ones identified in ’06, how long will it take them to comply?” he asks. At the same time, he says, a number of factors continue to slow down compliance rates, from technical and logistical difficulties to cost issues. A large chain merchant, for example, might have to change out point-of-sale software at each of hundreds of stores. “The compliance process is difficult, and merchants are looking for a reason to comply, looking to their acquirers for lower interchange, for example,” Dahn notes.

Dahn, who says he recently conducted an educational session on PCI for 150 large retailers, says a lack of understanding of how the standard applies to their networks is also causing merchants to drag their feet. “For large organizations, they are facing a really complex system,” he says. Many aren’t aware, for example, of the standard’s allowance for so-called compensating controls, which permit merchants to satisfy certain rules using less costly measures. One merchant, for example, met a requirement for file-integrity monitoring, which could have triggered huge software costs, by using “an open-source product that did not require them to incur a per-license fee,” making it cheaper to install on the company’s multiple servers, Dahn says.

Still, Dahn is cautiously optimistic about PCI compliance. “You’re seeing [the payment industry] move very slowly toward compliance,” he says. “Rolling out a compliance program is like turning the Titanic. It’s a long process that takes a while.”

Introduced in January 2005 and backed by MasterCard Inc., American Express Co., Discover Financial Services Inc., and other card companies as well as Visa, PCI sets out rules for the handling and storage of card data by merchants and processors. Among these, for example, are requirements for data encryption and anti-virus protection. Merchants are prohibited from storing any data other than account number, name, and expiration date.