Visa gives some merchants added compliance measures

31.07.2006
Visa U.S.A. Inc. has changed the way it classifies some merchants under the Payment Card Industry data security program, a move that will require about 1,000 retailers and other businesses to meet more-rigorous standards for validating their compliance with the PCI edicts.

The changes, which were announced July 21, affect a group of Visa's so-called Level 4 merchants that process between 1 million and 6 million credit card transactions annually. They are being shifted to the Level 2 category as part of a bid by Visa to tighten security requirements for a broader set of merchants.

Attracting Attention

Under the PCI program, Level 2 merchants must submit to quarterly network vulnerability scans and fill out a 75-question self-assessment form each year. Similar measures are recommended but not required for Level 4 merchants.

As a result, merchants in that category have rarely paid attention to the recommendations, said David Taylor, vice president of data security strategies at Protegrity Corp., a Stamford, Conn.-based company that offers PCI compliance services. "Some small and midsize businesses have never taken PCI seriously, and they should," Taylor said. "So this is a good thing."

"When it's just a recommendation, people give it less credence," agreed Robin Hogan, a product manager at Consul Risk Management Inc., a security auditing company in Herndon, Va. "This makes sure that people are doing what they're supposed to do."

Also as part of Visa's reclassification, about 1,000 merchants that solely do business online and process fewer than 1 million transactions annually will move from Level 2 to Level 3 status; both have similar requirements for compliance validation.