February 9, 2010


Visa Reports Mid-Sized Merchants Are Making PCI Progress

(January 22, 2008) Merchants accounting for two-thirds of Visa Inc.’s U.S. transaction volume have validated compliance with the Payment Card Industry data-security standard, or PCI, Visa reported on Tuesday. This latest report from Visa comes in the wake of a Dec. 31 deadline for so-called Level 2 merchants—mid-sized merchants that submit 1 million to 6 million Visa transactions annually—to become PCI-compliant. PCI is the card networks’ controversial joint set of rules for protecting cardholder and transaction data.

Visa says 62% of 709 identified Level 2 merchants have validated PCI compliance, up from 15% as of Dec. 31, 2006. Another 30% have submitted initial validation or are in remediation—correcting problems identified after the first validation report. The remaining 8% have initial validation in progress. Visa estimates Level 2 merchants account for 13% of its volume.

Merchant acquirers now face monthly fines of $5,000 from Visa for non-compliant Level 2 merchants. Visa did not report how much in fines, if any, it has levied, and a spokesperson says Visa would not have further comment.

Meanwhile, the biggest, so-called Level 1, merchants—those generating 6 million or more Visa transactions annually—continue to move closer to full PCI compliance. Visa says 77% of the 326 U.S. Level 1 merchants have validated compliance and 23% have submitted initial validation or are in remediation. Level 1 merchants account for 50% of Visa volume. Visa had set a Sept. 30, 2007 compliance deadline for these big merchants, at which time 65% had achieved full compliance (Digital Transactions News, Oct. 25, 2007). Acquirers face monthly fines of $25,000 for non-compliant Level 1 merchants.

Internet retailers and small brick-and-mortar merchants have a longer road to full PCI compliance. The 2,596 so-called Level 3 e-commerce-only merchants, those submitting 20,000 to 1 million Visa transactions a year, had a 54% full validation rate as of Dec. 31, with another 20% having submitted an initial validation or being in remediation. Twenty-five percent had initial validation in progress and 1% had pending commitments to start the compliance process. Level 3 merchants account for less than 5% of Visa volume.

The smallest merchants, dubbed Level 4, don’t have specific PCI deadlines yet, though Visa last May ordered its merchant acquirers to submit plans on how they would bring those merchants into compliance. Visa says all of its acquirers have done so.

In a statement, Michael E. Smith, Visa’s head of payment-system risk, attributed the growing PCI compliance rates to efforts by merchant acquirers, merchants themselves, and Visa, the latter of which is using interchange incentives, fines, and merchant education to drive compliance. “In 2007, more U.S. merchants made good on their commitment to protect cardholder information than any other year,” Smith said. “Visa is pleased with the progress of merchant PCI DSS compliance though there is still more to accomplish among payment-system participants.”

Merchants that as a result of Visa charge-volume growth moved into the Level 1 or Level 2 categories in 2007 have until Sept. 30 and Dec. 31, respectively, to validate PCI compliance.

Meanwhile, Visa today reiterated that 99% of large and medium-sized merchants have affirmed that they do not store prohibited cardholder data such as information from a card’s magnetic stripe, the card’s so-called CVV2 three-digit security code, and PIN data. Hackers obtained improperly stored card data from retailer TJX Cos. Inc. in a massive computer breach disclosed a year ago, a breach that exposed more than 90 million cards to unauthorized eyes and gave retailers and the payment networks a huge public-relations black eye.

Technology analyst Avivah Litan of Stamford, Conn.-based Gartner Inc. says Visa’s latest numbers don’t surprise her. “Visa has been proactively driving PCI compliance into the retailer market through the tried-and-true, carrot-and-stick approach—offering price incentives to those who comply and fines to those who don’t,” she said in an e-mail message to Digital Transactions News.

But beyond the raw numbers, PCI and its enforcement continue to draw questions and fire from merchant groups and industry observers. The five major payment card networks—Visa, MasterCard Worldwide, American Express Co., Discover Financial Services Inc., and JCB International Credit Card Co. Ltd.—created the PCI Security Standards Council in 2006 to update the standards, certify PCI assessment vendors, and promote PCI awareness. The networks, however, remain responsible for enforcement.

Though Visa is the largest payment network, Litan finds it surprising that Visa seems to be the only organization that publicly talks about PCI attainment levels. “Visa has actually been the thought leader behind PCI compliance and it’s time for the PCI Security Council and the other card brands to catch up with them,” she said in the e-mail. A PCI Council spokesperson declined comment.

Some trade groups such as the National Retail Federation, technology vendors, and others assert that PCI compliance is costly and in some cases overkill (Digital Transactions News, Oct. 4, 2007).









Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are
the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any
materials herein is strictly prohibited.