The principal driver toward PCI DSS compliance, Visa attributed the progress to a multi-layered strategy, including financial incentives for compliance, education as well as fines for non-adherence.
The number of large corporations in adherence jumped from 12 percent in March 2006 to 77 percent by the end of last year, while medium-sized merchants improved by nearly 50 percent in the year beginning December 2006.
"Visa is pleased with the progress of merchant PCI DSS compliance, though there is still more to accomplish among payment-system participants," Michael Smith, head of Visa's payment system risk group, said in a prepared statement.
Visa set compliance deadlines of Sept. 30, 2007 for the largest merchants (those processing more than six million credit card transactions a year) and Dec. 31, 2007 for middle-sized companies (those processing one to six million transactions annually). Visa announced the deadlines in December 2006.
Visa recently levied monthly fines of $25,000 to U.S. merchant banks, known as acquirers, for each of their large merchants not in compliance. It is levying a $5,000 fine for each acquirer's mid-sized retailer not yet in adherence with the standard.
Visa has also attempted, through its PCI Compliance Acceleration Program, to purge large merchant credit systems of prohibited account data, including the information on a credit card's magnetic strip, the CVV2 security code on the back of the card and PIN.
More than 99 percent of large- and middle-sized merchants have said they no longer store prohibited account data, which increases the retailer's risk of becoming a target for hackers. Large- and medium-sized merchants account for about two-thirds of Visa's U.S. transaction volume.
The improved compliance rate is "not a surprise,” according to James DeLuccia, managing director of consulting firm Intellection Strategies. “It shows the merchants' commitment to become compliant is definitely on the upswing. It's been proven that merchants who comply with PCI DSS have a lower rate of fraud and lowered losses to fraud.”
PCI DSS compliance also means a lower credit card processing cost structure and lower pre-transaction processing fees, DeLuccia added.
However, Prat Moghe, founder and chief technology officer at Tizor Systems, a data-auditing vendor, told SCMagazineUS.com that while the percentages look encouraging, many merchants have holes in their data security structures.
“The reality is that while Visa says that majority of level-one [large] merchants are compliant, most of these merchants have not even accounted for all the places where their cardholder data is, let alone encrypt it or monitor it,” he said. “There are many loopholes under which a provider can get away with exceptions and still be PCI compliant. It's a long road to ‘real' PCI compliance.”