Companies providing payment gateways, loyalty programs and authorization and related services for Visa-branded transactions have improved their compliance with the Payment Card Industry Data Security Standard, Visa Inc. said.
Of Visa's 1,182 registered U.S. service providers, which the card network calls "downstream agents," 82% had validated their compliance with the standard as of Dec. 31, Visa announced last week. That represents an increase from 78% six months earlier.
"We can't really read into the change in agent population," a Visa representative said. "It could be consolidation. It could be companies going out of business. We don't have a way to know. We just require our clients to register their agents."
Meanwhile, other entities that connect to Visa's system in the United States showed little change. Among the 377 registered Level 1 merchants — those with more than 6 million annual Visa transactions — using Visa's services, 96% validated their compliance, unchanged from June. This merchant group accounts for approximately 50% of Visa's transactions.
Compliance among Visa's 894 registered Level 2 merchants — those with between 1 million and 6 million transactions per year — improved slightly, to 96%, from 95% in June. Level 2 merchants account for approximately 13% of Visa's transactions.
Visa continues to list compliance as "moderate" among the 2,591 registered Level 3 merchants that use its processing services. This group, which accounts for less than 5% of Visa's transactions, consists of e-commerce merchants that handle 20,000 to 1 million transactions online a year.
Visa similarly lists compliance as "moderate" among Level 4 merchants, which handle fewer than 1 million Visa transactions annually. Because these merchants, which account for 32% of Visa's transactions, must validate their compliance with their acquirers and not directly with Visa, the card network said its ability to measure their compliance is difficult.
That also makes it more difficult to assess how many have validated that their payments systems do not store prohibited data.
"Although all U.S. merchants are required to use a … compliant payment application, there is no current tracking mechanism for the 5 million-plus Level 4 merchants," the Visa representative said.
All Level 1 and Level 2 merchants do not store prohibited data, Visa's data shows. At 99%, PCI compliance among the 77 VisaNet processors was unchanged from June, Visa said.
