Dr. Branden Williams and the Merchants Acquirer Committee (MAC) have issued a new report on PCI compliance and the impact of breaches on merchants and MAC members. I had the pleasure of getting a preview of the survey results from Dr. Williams a few weeks before its publication. Based on some of the online chatter I have seen, the study is being both applauded and chastised for its results.
First, who is the MAC?
“The MAC community includes acquirers/merchant banks, processors, independent sales organizations (ISOs), and others. MAC membership exceeds 500 firms.”
What was the response rate for the study?
“Approximately 20% of MAC members participated in the survey (although not all survey responses could be used in the analysis due to incomplete responses).”
While 20% might seem an awfully low response rate for a survey, for those of us who conduct surveys, 20% is actually quite good.
One set of facts missing from the survey that I felt was important was how many merchants the 100+ survey respondents cover and what their breakdown by merchant level is. Branden very kindly ran a query and sent me back the following.
Level 1 Merchants: 73
Level 2 Merchants: 153
Level 3 Merchants: 3,832
Level 4 Merchants: 1,140,623
Total: 1,144,681
Based on this information, I would say that it reasonably represents the breakdown of merchant levels out in the real world.
The biggest finding of the study, and the one most people are pointing to, is the low compliance percentages across the MAC members’ merchants. Level 1, 2 and 3 merchants are compliant only around 67% to 69% of the time at their assessments. Most troubling, however, is that Level 4 merchants are only 39% compliant.
Depending on the merchant level, these figures are not even close to what Visa last reported back in 2011. Back then, Visa was stating that 98% of Level 1 merchants were reported as compliant. Level 2 merchants were reported to be at 91% compliance. Level 3 merchants were reported at 57% compliance. As is Visa’s practice, it only reported that Level 4 merchants were at a “moderate” level of compliance.
So how do we square the difference in compliance percentages between the MAC and Visa numbers? We do not, because comparing the two sets of numbers is comparing apples to oranges.
The purpose of the study was to examine breaches and their impact on merchants. As such, the study’s numbers reflect not only PCI compliance but also the number of breached organizations that had been deemed PCI compliant, hence the much lower compliance rates.
Visa’s numbers are based on filings of PCI Attestation Of Compliance (AOC) forms with processors and acquiring banks, who then report those statistics up to Visa. Visa, or any card brand for that matter, has never shared the other half of the equation: the number of merchants that were breached after filing an AOC indicating they were PCI compliant. As a result, the figures posted by Visa are not comparable to the study’s results, and vice versa.
I think this study provides a much better look into PCI compliance than we have had from the card brands. It shows that merchants have a significant amount of work to do maintaining PCI compliance. I would highly recommend you download a copy of the report and share it with your management.
Thanks again for the article! The goal of the study was to fuel discussion, which it feels like we have. I am open to any suggestions for future research as well, or happy to answer any additional questions about the work!
Take into account the percentage of merchants that say they are compliant, or think they are compliant; I’m talking mostly about Level 2 merchants that fill out a dream sheet. I’m sorry, I meant an SAQ!
Remember, if a merchant is Level 2 and accepts MasterCard, they cannot do an SAQ; they must do a ROC.
You tell them that. I see many merchants twist language, get their own people ISA certified (possibly), but where the ISAs aren’t truly qualified or independent at all, do a half-assed SAQ, etc. Add to that the fact that many banks still do a half-assed job of enforcement, and you still end up with . . . a dream sheet!
That’s not correct. Take a look at MasterCard’s site on merchants: http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html
They ARE required to have either an ISA or a QSA perform the work.
Thanks, Branden, for the correction: they can do an SAQ as long as they have an ISA on staff. Otherwise, they must hire a QSA and do a ROC. I always mix that up.