E-retailers appear to be holding their ground when it comes to validating the compliance with payment data security measures.

Visa Inc. says 60% of e-retailers that process between 20,000 and 1 million annual online Visa transactions have met the requirements of the Payment Card Industry Security Standards Council. The council’s standards are designed to ensure that retailers do not store sensitive cardholder data on their payment systems.

Visa says there are 3,024 of these e-retailers as of June 30. In its March 31 PCI status update, Visa said 61% of 2,570 e-retailers validated their PCI compliance.

The compliance rate is 96% for the 881 retailers with between 1 million and 6 million annual online and in-store Visa transactions. The compliance rate for the 377 retailers with more than 6 million total Visa transactions is 97%. Both percentages are unchanged from the March figures. Visa does not separate online and in-store transactions for larger retailers.

A lack of money and the perceived hassle of trying to understand PCI rules may explain why smaller e-retailers trail the validation rates of their larger brethren, says Julie Fergerson, vice president of emerging technologies at Ethoca Ltd., a payment security firm that tracks payment fraud.

She says smaller online retailers sometimes hire local programmers to develop their sites, and those developers may not be aware that PCI rules bar retailers from storing unencrypted payment card data. A hacker could sneak into the e-retailer’s payment system and steal credit and debit card numbers, creating havoc for the merchant and its customers.

Some smaller e-retailers may choose to pay a penalty fee assessed by their payment processor rather than taking the time to learn about and comply with PCI requirements, Fergerson says.