A Kaulkin Ginsberg Publication
CRS
11/22/2009

Most Large Merchants Meeting Data Security Standards: Visa

February 1, 2008
 

The PCI standards created by the electronic payment networks are becoming the default data security benchmark for many in the card and payments industry.


At the end of 2007, more than three-fourths of the largest U.S. merchants and nearly two-thirds of medium-sized merchants had validated their compliance with the Payment Card Industry Data Security Standard (PCI), according to Visa. Merchants in these two categories account for approximately two-thirds of Visa’s U.S. transaction volume.

This week, Visa began levying monthly fines of $5,000 to U.S. acquirers for non-compliant middle-sized merchants, defined as those that conduct 1 to 6 million annual transactions. The company had earlier started levying fines on the nation’s largest merchants, defined as those that conduct more than 6 million annual transactions.


“Over the last two years PCI has grown to become somewhat of a default standard, and while compliance for merchants has become mandatory, PCI has also become a regularly required standard for service providers as well,” said Dimitri Michaud, consumer finance analyst for ARM industry strategic consultant Kaulkin Ginsberg. “The trend towards required PCI compliance is set to continue.”

Several years ago, Visa implemented compliance deadlines, along with a series of fines for those that don’t meet the standards, to encourage greater U.S. merchant compliance. The deadline was September 30, 2007 for mid-size merchants and December 31, 2007 for the largest merchants.

Each of the card companies has its own rules for compliance deadlines and fines. The PCI Security Standards Council sets the standards, not the penalties for non-compliance.

“Visa will continue to encourage merchants to meet data security compliance requirements and to provide supporting tools and resources. PCI DSS compliance is designed to enhance data security, which is in the best interest of merchants, consumers and the financial services industry alike,” Michael E. Smith, head of payment system risk for Visa Inc., said in a prepared statement.

The PCI concept arose early this decade as the payments industry was hit by a series of data breaches, with crooks stealing or attempting to steal card information. The breaches, typically conducted by an organized ring of thieves, were impacting card issuers, merchants, card processors, and merchant acquirers, the middlemen between issuers and merchants. In 2005, the national spotlight shone on theft at the information house ChoicePoint and card processor Card Systems.

MasterCard Worldwide, American Express Co., Discover Financial Services Inc., JCB International Credit Card and Visa, normally fierce competitors in the payments field, sat down together in 2006 and created a governing council for data security, and formulated the PCI standards, designed to provide improved security for card transactions.


Many merchants, especially those that conduct fewer than 1 million annual transactions, have worked with the National Retail Federation to oppose the PCI standards. They contend that the rules put too much of the onus and expense on them for security. Of particular concern is the storage of transaction information, including cardholder numbers, which the card companies require in order to allow “chargebacks,” typically for return of merchandise.
