Merchants Getting the Hint with Visa's Aggressive PCI Push

By Maria Bruno-Britz, Bank Systems & Technology

After getting hammered by consumers and legislators alike over last year's data breaches and the apparent cavalier attitude some merchants took toward securing card data, merchants are starting to get the hint. According to Visa (San Francisco) 96 percent of large businesses that accept Visa for payment are not storing sensitive account data, such as PINs and security codes.This progress is being credited to Visa's PCI Compliance Acceleration Program (PCI CAP) launched in December 2006 to promote data security. As of July, the card company reports that 40 percent of the very largest merchants validated compliance with the PCI security standard and 52 percent of midsize merchants have done so. The others are in the process of ramping up their PCI compliance efforts, according to Visa. Figures are reported to Visa by its acquiring financial institutions.

Now, the focus shifts to smaller merchants. The report states that although a small percentage of exposed accounts come from the smaller outfits (5 percent), over 80 percent of all identified compromises since January 1, 2005 occurred at small businesses. As part of this effort, Visa is asking its acquiring FIs to beef up their existing data security initiatives to help address problems of risk among small merchant clients.

I've heard people in the industry say that the small merchants are the weakest link in the card data security chain. Many of them tend to be so-called mom and pop outfits who haven't the time or the resources to fully address data security issues. Although the big box stores will always be tempting targets for hackers, the little guys are facing just as much risk as well. This is a great opportunity for the banks to step in and provide this kind of data security assessment as perhaps a value added service to these clients. Consumers will certainly be thankful!