Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants1 and nearly two-thirds of medium-sized merchants2 have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS).  Merchants in these two categories account for approximately two-thirds of Visa’s U.S. transaction volume.

The strong progress is attributed to the efforts of multiple stakeholders, including acquirers, merchants and Visa.  Visa’s multi-tiered strategy of financial incentives, education and non-compliance fines has had a direct impact on increasing compliance among the largest U.S. merchants from about 12 percent in March 2006 to 77 percent by December 31, 2007.  Among medium-sized merchants, compliance grew from 15 percent in December 2006 to 62 percent as of December 31, 2007.  

“Visa is working to mitigate the risk of data compromises by securing cardholder information,” said Michael E. Smith, head of payment system risk, Visa Inc.  “In 2007, more U.S. merchants made good on their commitment to protect cardholder information than any other year.  Visa is pleased with the progress of merchant PCI DSS compliance, though there is still more to accomplish among payment system participants,” he said.

Visa set compliance deadlines of September 30, 2007 for the largest merchants and December 31, 2007 for middle-sized U.S. merchants.  The deadlines were announced by Visa in December 2006 as part of the company’s efforts to encourage greater U.S. merchant compliance through financial incentives and penalties known as the PCI Compliance Acceleration Program (PCI CAP).

Visa recently began levying monthly fines of $25,000 to U.S. merchant banks (or acquirers) for each of their large merchants that did not validate PCI DSS compliance by the deadline.  As of January 2008, Visa is levying monthly fines of $5,000 to U.S. acquirers for non-compliant middle-sized merchants.  “Visa will continue to encourage merchants to meet data security compliance requirements and to provide supporting tools and resources.  PCI DSS compliance is designed to enhance data security, which is in the best interest of merchants, consumers and the financial services industry alike,” noted Smith. 

Visa’s PCI CAP initiative also focused on eliminating prohibited account data such as magnetic stripe (also known as track data), CVV2 (the security code on the back of the card) and PIN data from the largest merchants’ systems.  Storing prohibited account data increases a business’ risk of becoming a target for hackers.  More than 99 percent of large and middle-sized merchants have affirmed they do not retain prohibited account data.

Additionally, Visa has been actively encouraging smaller merchants to become compliant with the PCI DSS and reduce their account data storage.  In May 2007, Visa announced requirements for U.S. acquirers to identify security risks among their small merchant customers and develop an educational program to raise awareness and understanding of the PCI DSS.  Since Visa announced the requirement, 100 percent of active U.S. acquirers have submitted plans to Visa and are in the process of implementing their security programs.  

Merchants can visit Visa’s online education center at www.visa.com/cisp to learn more about securing customers’ payment card data.  The site offers a series of webinars and security alerts that will help a merchant better understand the PCI DSS and how to achieve compliance. 

The PCI DSS is an international set of security requirements for any entity that stores, processes or transmits cardholder data.  The standards are set by an international body known as the Payment Card Industry Security Standards Council, which seeks to provide a forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the Data Security Standard.  For more information about the Council, go to www.pcisecuritystandards.org.
