Visa Inc.’s most recent statistics of merchant compliance with the PCI Data Security Standard shows that 100% of the largest U.S. merchants—those processing more than 1 million annual Visa transactions—have validated their point-of-sale systems as not storing prohibited data.
Visa counts approximately 1,252 merchants in this group. Merchants also have to validate their compliance with the PCI DSS itself. The prohibited data validation is an additional step for many merchants.
The previous Visa PCI compliance report said that99% of level 1 and 2 merchants had such validation as of June 30.
Level 1 merchants, those with more than 6 million annual Visa transactions, handle about 50% of Visa’s transactions. Level 2 merchants, processing between 1 million and 6 million annual transactions, account for 13% of Visa’s transactions.
Visa has little data on level 4 merchants, those with fewer than 1 million annual Visa transactions. Rather than submit validation documents to Visa, level 4 merchants follow compliance protocols set by their acquirers, Visa says.
Visa, however, suggests that of the approximately 5 million level 4 U.S. merchants compliance with the PCI DSS is “moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications.” Level 4 merchants account for 32% of Visa’s annual transactions.
Visa also says that among its VisaNet processors—numbering 77 in the United States—99% validated their compliance with the PCI DSS and they have a “high” rating for not storing prohibited data.
