Digital Transactions Authoritative, insightful and timely information for payments professionals
The Sept. 30 deadline for large merchants to certify compliance with the Payment Card Industry data-security standard, or PCI, passed quietly over the weekend with an estimated half of so-called Level 1 merchants meeting the card industry's guidelines for protecting card data from fraudsters. And, according to experts contacted by Digital Transactions News, merchants' desire to get the best possible interchange rates is spurring compliance more than fear of fines for non-compliance. A spokesman for Visa USA says September's results won't be known until after merchant acquirers, the entities directly responsible for PCI enforcement, compile reports from their merchants and in turn report to Visa. That could take several weeks. But compliance, which has been an arduous and controversial process for many merchants, clearly is approaching the halfway point?three years after Visa's original 2004 deadline. According to statistics posted recently on Visa's Web site, 44% of 327 so-called Level 1 merchants, those identified from 2004 through 2006 as submitting more than 6 million Visa transactions annually, were PCI compliant as of Aug. 31, up from 40% in July. Another 54% have submitted plans but need to make so-called remediations before getting final validation. Two percent were working on initial validation. Level 1 merchants account for 50% of Visa's transaction volume. Michael Dahn, managing partner of San Francisco-based PCI services firm The Aegenis Group Inc., says that based on what he's heard from industry sources, the card networks are close to “the tipping point for PCI compliance, where they see a higher percentage of compliance than non-compliance.” While passing a milestone, the level of PCI compliance still means some merchants are technical outlaws. Exactly how the card networks will deal with them is unknown. Their acquirers could face monthly fines of $5,000 to $25,000?fines the acquirers likely would pass on to non-compliant merchants. The Visa spokesperson said he couldn't talk about fines at this point, but researcher Avivah Litan, a vice president at Stamford, Conn.-based Gartner Inc. who studies payment security, believes Visa won't levy fines in cases where the merchant at least can show it is not improperly storing card numbers or PIN blocks. Besides facing fines, under what Visa calls its Compliance Acceleration Program, or CAP, acquirers enjoying volume-based tiered interchange rates also can be bumped up one tier for their merchants' PCI non-compliance (Digital Transactions News, Aug. 15). Interchange is a fee on each bank card sale assessed to the acquirer and paid to the card issuer, with acquirers usually passing on all of the cost to the merchant. “That's worth millions and millions to the retailers as opposed to $25,000 [fines],” says Litan. Indeed, anecdotal evidence indicates that fear of losing interchange breaks is having some effect on merchants. Aegenis Group's Dahn says CAP is “driving compliance” at a time when merchants are becoming more familiar with PCI. “You're seeing more and more people who, once they understand it, they say, 'this is a reasonable program,'” he says. Merchants that lose their best interchange rates do have some recourse. A merchant that certifies it tried its best to meet the Sept. 30 deadline but needed more time can qualify for a rebate worth up to three months of the difference between the two tiers if it comes into PCI compliance by Sept. 30, 2008. But incentives and penalties will go only so far in spurring PCI compliance, according to Litan. That's for several reasons, including the costs and difficulties of replacing or upgrading older computer systems originally programmed to store sensitive payment card data, she says. And despite all the publicity about PCI in the payments and retailing industries, not to mention highly publicized data breaches such as the huge one at retailer TJX Cos. Inc., acquirers and networks still may need to do more PCI education. “Based on my conversations with merchants, believe it or not, I don't think they're all aware of these deadlines,” Litan says. The next big PCI deadline is Dec. 31, when Level 2 merchants, those identified from 2004 through 2006 as having submitted 1 million to 6 million Visa transactions annually, are supposed certify PCI compliance. Visa estimates this population of 729 merchants provides 13% of its transactions. Some 38% were PCI-validated as of Aug. 31. Another 44% had submitted initial validation but were in remediation, and 18% had started on initial validation. The nearly 2,500 Level 3 merchants, those that do business only on the Web and generate 20,000 to 1 million annual Visa transactions, have a validated PCI compliance rate of 54%. Twenty percent are in remediation and 24% have started the PCI assessment process. Two percent have pending commitments, Visa reports.
