This past Monday, VISA released updated figures on merchant compliance with various aspects of the PCI Data Security Standard.
According to Evan Schuman's report on HackReport.net, VISA has stated that 96% of Level 1 and Level 2 merchants have written to VISA declaring that “they are not storing sensitive account data” including credit card security codes and PINs.
Yet VISA's own statements put that group at 1,057 retailers (327 Level 1 U.S. retailers and 730 Level 2 retailers), so the remaining four percent suggests that about 42 major retail chains aren't able to declare they've stopped retaining that data.
And these figures are based on merchants self-disclosing their status. As Mark Rasch, a legal security consultant with FTI Consulting and the former head of the U.S. Justice Department's high-tech crimes unit, said: “How do they know they’re not? If you were to ask me ‘Are your doors locked?’, I’d say ‘Of course they are.’ That is, until I find one that isn’t. This is the equivalent of going out to the top 100 companies and asking, ‘Are you violating any securities laws?’”
VISA's figures also indicate that 40 percent of Level 1 retailers were compliant, up from 35 percent. Level 2 retailers showed a 33 percent compliance rate, up from 26 percent in May, and the smaller Level 3 retailers showed 52 percent compliance, just slightly up from the 51 percent that Visa reported for that group in May. Visa didn’t release any figures for its Level 4 retailers.
While these numbers show improvement, the majority of retailers overall are still not compliant. Given how much more detailed the PCI-DSS requirements are compared to other compliance regulations such as Sarbanes-Oxley or HIPAA, it's disappointing to see so many merchants still unable to validate that their systems are compliant.
And this is just for retailers processing VISA cards. As Gartner analyst Avivah Litan pointed out, Visa is the only credit card player that releases any security compliance figures. “You can’t get anything out of Amex, Discover or MasterCard,” she said. Certainly, very few merchants don't accept VISA, but it still could mean that some retailers' compliance status is unknown.
Improvement is good, but merchants still need to do a better job of protecting cardholder information. These statistics mean that your information and mine are more vulnerable to fraud than we'd like to believe.
Contributed by Mark Tordoff

The amazing thing is that the PCI Security Council (as of today Sep 18) has not released a SAQ - self-assessment questionnaire for PCI DSS 1.1. They have an old version (1.0) on the Web site.
If you do the numbers on how many merchants at each level are compliant (I only have July stats from VISA and, as you pointed out, M/C, Diners and AMEX don't share their compliance stats), you will find that about 70% of all VISA transactions are performed by non-compliant merchants.
The little guys (Level 4) relative to their size would suffer the most since they are a soft target for hackers and a soft target for trusted insiders as well.
What needs to be done is to provide merchants with a practical tool to self-assess risk and start mitigating their threats - and be compliant - on the way. After all, this isn't compliance for compliance's sake - the card associations need the payment processing supply chain and cardholder confidence to be strong.
See this cool article at http://www.software.co.il that talks about practical ways of doing this.
Sounds good to me
Danny
Posted by: Danny Moran | September 19, 2007 at 04:15 AM