
Visa Marks Progress in Securing Merchant Systems

Large Merchants Make Greatest Strides; Focus Also Turns to Small Businesses

SAN FRANCISCO, July 30, 2007

Visa USA today announced that 96 percent of the largest businesses[1] that accept Visa cards for payment have confirmed they are not storing sensitive account data.  Storing prohibited account data including security codes and PINs violates Visa rules and increases a business' risk by making it a target for hackers. 

"We know that merchants that store full magnetic-stripe data expose themselves to risk exponentially," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA.  "By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure."  Smith also noted that ensuring that prohibited data is not retained is an important step toward achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Purging sensitive data such as magnetic stripe (also known as track data), CVV2 (the security code on the back of the card) and PIN data from merchant payment systems and growing compliance with the PCI DSS were the stated goals of Visa's PCI Compliance Acceleration Program (PCI CAP) launched in December 2006.  Through PCI CAP, Visa became the first payment brand to use a unique combination of incentives as well as fines to promote data security.

PCI DSS compliance progress among the largest merchants
Compliance with the PCI DSS is reported to Visa by acquiring financial institutions.  As of July 2007, 40 percent of Level 1[2] merchants validated compliance with the industry security standard.  Another 50 percent have submitted their initial validation and are actively working to address remaining security deficiencies.  The remaining 10 percent are working on their initial assessment.  Level 1 merchants identified by Visa from 2004 through 2006 must validate compliance by September 30, 2007.  Those Level 1 merchants identified in 2007 must validate compliance by September 30, 2008.  

Among Level 2[3] merchants, 33 percent have validated their compliance while another 42 percent have submitted their initial validation reports and are working to eliminate security deficiencies.  The remaining 25 percent are beginning the validation process.  Level 2 merchants identified in 2006, the first year under the new definition, must validate compliance by December 31, 2007.  Level 2 merchants identified in 2007 must validate compliance by December 31, 2008.

Progress among mid-level e-commerce merchants
Level 3[4] merchant compliance validations stand at 52 percent.  Another 22 percent have submitted their initial validation reports and are working to eliminate security deficiencies.  The remaining 24 percent have not yet validated compliance.

Success with processors and agents
Visa has also focused considerable efforts on driving compliance among VisaNet Processors and agents, which play an integral role in the security of the payment system.  Notably, 88 percent of VisaNet Processors and 65 percent of third party agents have validated compliance with the PCI DSS and the remaining population is actively working to do so.  A key driver for this population has been Visa's List of Compliant Service Providers published on the Visa website, which provides member banks and merchants with an extensive list of compliant providers to handle transaction data on their behalf.

Increasing Data Security Focus on Small Businesses
Visa recently announced a program designed to strengthen security among Level 4[5] merchants. While less than 5 percent of potentially exposed accounts are stolen from small businesses, more than 80 percent of all identified compromises since January 1, 2005 occurred at small businesses. 

Visa's program calls for acquiring financial institutions to strengthen their existing data security efforts to identify and address risks among their small merchant customers, including identifying whether merchants are storing sensitive account data and are complying with the industry-wide PCI DSS. 

"As large merchants tighten their data security practices, we are working with our acquirers to get ahead of fraud migration to small businesses," said Smith. Visa is producing educational materials and webinars on data security for small businesses.  For example, Visa and the National Federation of Independent Business (NFIB) have partnered to educate small businesses on data security threats and how to successfully avoid them.  A jointly produced booklet will be available on August 1, 2007 at www.NFIB.org.

"Although some progress has been made among large merchants, it's clear that fraud will migrate to the weakest link," says Avivah Litan, vice president and distinguished analyst, Gartner Inc. "Any efforts by the industry to reinforce the system's armor, especially among small businesses, is a good approach."

Over the next several months, Visa will remain focused on growing compliance among Level 1, 2 and 3 merchants while extending its security efforts toward small businesses, according to Smith.  "While we continue to make progress toward PCI compliance, we know we need to continue to work with processors, acquirers and merchants to strengthen efforts," Smith said.  "As a result of our work with these stakeholders, it's fair to say that merchants recognize that reducing card fraud and reaching compliance is in their best interests and those of our mutual customers," he concluded.

About Visa USA
Visa USA is a leading payments brand and the nation's largest payments system, enabling banks to provide their consumer and business customers with a wide variety of payment alternatives tailored to meet their evolving needs. Visa USA is committed to increasing the choice, convenience, acceptance and security of Visa payments for all stakeholders - financial institutions, cardholders and merchants.  As of March 31, 2007, in the United States, more than 521 million Visa-branded cards have been issued by more than 13,000 financial institution customers.

Visa products generated $1.8 trillion in total volume in the United States during the four quarters ended March 31, 2007.  Visa enjoys unsurpassed acceptance around the globe.  For more information, visit www.visa.com/media



[1] Known as Level 1 and Level 2 merchants, each processes more than one million Visa transactions a year and combined account for approximately two-thirds of Visa's U.S. transaction volume.

[2] Level 1 includes any merchant processing over 6 million Visa transactions per year, regardless of volume or acceptance channel.

[3] Level 2 includes any merchant which processes 1 million to 6 million Visa transactions per year, regardless of acceptance channel.  This definition was effective in July 2006.

[4] Visa defines Level 3 as the merchants processing 20,000 to 1 million Visa e-commerce transactions per year.

[5] Level 4 includes any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.

 

 



CONTACT
Jay Hopkins
For Visa USA
703.683.5004 ext. 107
jhopkins@crcpublicrelations.com


Portions © Copyright 2001-2007 Visa USA Inc.
