Dr. Branden Williams and the Merchants Acquirer Committee (MAC) have issued a new report on PCI compliance and the impact of breaches on merchants and MAC members. I had the pleasure of getting a preview of the survey results from Dr. Williams a few weeks before its publication. Based on some of the online chatter I have seen, the study is being both applauded and chastised for its results.
First, who is the MAC?
“The MAC community includes acquirers/merchant banks, processors, independent sales organizations (ISOs), and others. MAC membership exceeds 500 firms.”
What was the response rate for the study?
“Approximately 20% of MAC members participated in the survey (although not all survey responses could be used in the analysis due to incomplete responses).”
While 20% might seem an awfully low response rate for a survey, for those of us who conduct surveys, 20% is actually quite good.
One set of facts missing from the survey that I felt was important: how many merchants do the 100+ survey respondents cover, and what is their breakdown by merchant level? Branden very kindly ran a query and sent me back the following.
Level 1 Merchants: 73
Level 2 Merchants: 153
Level 3 Merchants: 3,832
Level 4 Merchants: 1,140,623
Based on this information, I would say that it reasonably represents the breakdown of merchant levels out in the real world.
The biggest finding of the study and what most people are pointing to is the low compliance percentages across the MAC members’ merchants. Level 1, 2 and 3 merchants are only compliant around 67% to 69% of the time during their assessments. However, most troubling is that Level 4 merchants are only 39% compliant.
Depending on the merchant level, these figures are not even close to what Visa last reported back in 2011. Back then, Visa was stating that 98% of Level 1 merchants were reported as compliant. Level 2 merchants were reported to be at 91% compliance. Level 3 merchants were reported at 57% compliance. As is Visa’s practice, it only reported that Level 4 merchants were at a “moderate” level of compliance.
So how do we square the difference in compliance percentages between the MAC and Visa numbers? We cannot, because comparing the two sets of numbers is like comparing apples to oranges.
The purpose of the study was to examine breaches and their impact on merchants. As such, the study’s numbers reflect not only PCI compliance but also the number of organizations that were breached after having been deemed PCI compliant, hence the much lower PCI compliance rates.
Visa’s numbers are based on filings of PCI Attestation of Compliance (AOC) forms with processors and acquiring banks, who then report those statistics up to Visa. Visa, or any card brand for that matter, has never shared the other half of the equation: the number of merchants that were breached even though they had filed an AOC indicating they were PCI compliant. As a result, the figures published by Visa are not representative of the study’s results, and vice versa.
I think this study provides a much better look into PCI compliance than we have had from the card brands. It shows that merchants have a significant amount of work to do to maintain PCI compliance. I would highly recommend you download a copy of the report and share it with your management.