Visa Reports 65 Percent of Level 1 Merchants Have Validated Compliance with the Payment Card Industry Data Security Standard

SAN FRANCISCO, October 24, 2007

Visa Inc. announced today that 65 percent of the largest U.S. merchants[1] have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS), up from 36 percent in December 2006.  Among medium-sized merchants[2], compliance grew from 15 percent in December 2006 to 43 percent as of September 30, 2007.   The merchants that comprise these categories account for approximately two-thirds of Visa’s U.S. transaction volume.

“We’re making steady progress in accelerating merchant compliance with PCI standards to protect cardholder information,” said Michael E. Smith, senior vice president of Enterprise Risk and Compliance for the U.S. market, Visa Inc.  “This demonstrates that many of the largest participants in the system share responsibility for protecting it.” 

Visa set a September 30, 2007 compliance deadline for the largest merchants in the United States.  The deadline was announced by Visa in December 2006 as part of the company’s efforts to encourage greater U.S. merchant compliance through financial incentives and penalties known as the PCI Compliance Acceleration Program (PCI CAP).  Today’s announcement demonstrates that PCI CAP is helping to drive compliance to improve cardholder security. 

Additionally, 99 percent of Level 1 and 2 merchants confirmed they are not storing prohibited account data such as magnetic stripe (also known as track data), CVV2 (the security code on the back of the card) and PIN data.  Storing prohibited account data violates Visa rules and increases a business’ risk of becoming a target for hackers.   

Effective October 1, 2007 Visa began levying fines of $25,000 a month to U.S. acquirers for each of their Level 1 merchants that has not validated PCI DSS compliance by the deadline. 

“We’d much rather grow compliance than levy fines,” said Smith.  “Merchants who are working to secure their payment environments today are helping to ensure that they won’t become data breach victims tomorrow,” he concluded.

Visa has also been actively encouraging smaller merchants to become compliant with the PCI DSS.  In May 2007, Visa announced requirements for U.S. acquirers to identify security risks among their small merchant customers and develop an educational program to raise their awareness and understanding of the PCI DSS.  Since Visa announced the requirement, 100 percent of active acquirers have submitted plans to Visa.

Merchants can visit Visa’s online education center at www.visa.com/cisp to learn more securing customers’ payment card data.  The site offers a series of webinars and security alerts that will help a merchant better understand the PCI DSS and how to achieve compliance with it. 

The PCI DSS is an international set of security requirements for any entity that touches cardholder data. The standards are set by an international body known as the Payment Card Industry Security Standard Council that seeks to provide a forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the Data Security Standard.  For more information about the Council, go to www.pcisecuritystandards.org

About Visa
Visa Inc. operates the world’s largest retail electronic payments network and is one of the most recognized global financial services brands. Visa facilitates global commerce through the transfer of value and information among financial institutions, merchants, consumers, businesses and government entities.  We offer a range of branded payment product platforms, which our financial institution clients use to develop and offer credit, charge, deferred debit, prepaid and cash access programs to cardholders. Visa’s card platforms provide consumers, businesses, merchants and government entities with a secure, convenient and reliable way to pay and be paid in 170 countries and territories.   For more information, visit www.visa.com.

[1] Level 1 merchants process six million or more Visa transactions annually
[2] Level 2 merchants process one to six million Visa transactions annually. The deadline for Level 2 compliance is December 31, 2007.

CONTACT
Jay Hopkins
For Visa Inc.
703.683.5004 ext. 107