ISOs and Level 4 PCI Compliance
Level 4 merchants account for over 99% of Visa merchants, but they only bring in about 32% of the network’s volume, annually accounting for up to one million submitted Visa card transactions. And experts indicate that these merchants may only have a PCI compliance level of around 10%, so bringing them up to the appropriate standard is likely to be no easy task. It’s particularly a concern for the small merchants who use internet-connected processing systems, rather than dial-up terminals.
Merchant Warehouse started their Level 4 compliance efforts approximately a year ago with by targeting some informational material at the riskiest of their 80,000 merchants. Henry Helgeson, president of Merchant Warehouse, noted that he knew that the time for compliance was coming and wanted to work at getting his customers on board.
Nearly all ISO and acquirer PCI programs for Level 4 merchants aim to educate via email reminders, newsletters and statement inserts. Some processors also employ methods such as fines or fees for non-compliance vendors. Helgeson’s company e-mailed target merchants a link to a ControlScan site where they could log in and take a PCI self-assessment questionnaire. The company offered to waive the $59 annual fee for ControlScan’s scans after merchants called to confirm they had set up the compliance process with ControlScan, and 40% of their targeted merchants took them up on the offer.
TriSource Solutions LLC, got serious about Level 4 compliance after a few of their retailers suffered data breaches resulting in over half a million dollars worth of fines. A couple of the merchants even went out of business.
Visa issued a report on September 30 reports which reported that 97% of Level 1 merchants are PCI compliant, with fully 99% of those merchants not storing data prohibited by PCI standards. Level 1 merchants account for 50% of Visa transactions. Close to 94% of Level 2 merchants, are PCI compliant, and again, 99% don’t store data which is prohibited. Figures for the Level 3 merchants’ storage of prohibited data was not unavailable.
