Several sources have told Retail Week that retailers are coming under pressure to show that they are making good progress towards compliance. Those that have done the least towards compliance are being particularly targeted.
It is believed that UK acquiring banks have received fines from the payment schemes, although it is not yet clear whether these would be passed on to individual merchants.
A Visa Europe spokesman denied it was contacting retailers directly to push them to comply with the standard. “Merchants that are not compliant need to be moving rapidly towards that goal. Visa Europe sets a broad compliance framework to support our acquiring banks, but Visa does not directly acquire merchants and therefore each bank develops its own communication strategy. This would be a matter between the acquirers and merchants,” he said.
American Express said it has not taken any punitive action against merchants because of PCI DSS non-compliance. Mastercard would not comment on the matter.
Visa USA is fining acquiring banks US$25,000 (£12,689) a month for each of their large merchants that have not validated PCI DSS compliance, and US$5,000 (£2,538) for each non-compliant medium-sized merchant.
By the end of 2007, more than 75 per cent of the largest US merchants and nearly two thirds of medium-sized merchants had achieved compliance. By comparison, experts believe that only about 10 per cent of UK retailers covered by the standard are already compliant.
Robin Adams, security consulting director at transaction processing specialist The Logic Group, said retailers are being given deadlines for compliance by their acquiring banks. He said: “They are asking for gap analyses to be complete and remediation plans to be in place with reasonable timelines.”