IMGCAP(1)]
As several deadlines approach for merchants to prove they comply with the Payment Card Industry Data Security Standard, Stanley Skoglund, senior vice president of policy compliance at Visa Europe, tells CardLine Global he expects the percentage of compliant merchants to increase. Globally, Visa Inc. said earlier this week that as of Sept. 30, acquirers of Level 1 merchants, which accept 6 million or more Visa transactions per year, reported that 87% of their merchant customers had validated their PCI compliance, up from 81% that did as of Aug. 31. "We are in a good place in terms of large retailers," Skoglund says. "We expect compliance rates to go up significantly." Earlier this week, Visa Inc. issued revised PCI-compliance validation deadlines but said Visa Europe, because it is an independent entity, sets its own deadlines. Like Visa Inc., Visa Europe wants to see 100% merchant compliance, but because Visa Europe's domain comprises 31 markets, its approach differs. Visa Europe is working individually with the largest, Level 1 merchants to set individual deadlines with this group of merchants. An earlier deadline set for 2006 proved unreachable, Skoglund says. "In hindsight, it was unrealistic due to the sheer scale of the effort," he says. In return for this individual treatment, the merchants had to ensure no sensitive cardholder data are stored in their systems and they use a firewall to defend the system against hackers. Level 2 merchants, which see between 1 million and 6 million annual Visa transactions, have until 31 Dec. to validate their PCI compliance. "It is our hope and aspiration that as many merchants as possible will be available to validate their compliance," Skoglund says. Level 3 merchants, which are e-commerce retailers that handle from 20,000 and 1 million annual online Visa transactions, face a 30 Sept. 2009 deadline to prove they use a PCI Council-registered and approved service provider, which may be a payment gateway, payment-application company or similar entity. Level 4 merchants, those with less than 1 million annual Visa transactions, do not have to submit proof of validation, but that does remove the obligation to comply with the PCI standard, Skoglund says. Visa Europe is relying on acquiring banks and vendors to help these smaller merchants, he says. Regardless of the merchant's size, an emerging challenge to improve the compliance rate is the strain on merchant budgets, Skoglund says. "The challenge in this economic climate is the commitment and budget allocation," Skoglund says. "Any kind of [information-technology] investment will be put under scrutiny and may change plans." Retailers understand the risk, and Visa Europe knows merchants are not the only organizations involved, he says. "It's a joint effort across the payments industry," Skoglund says. "It's a problem for everyone in the industry, and everyone needs to pull their weight."
