Visa gives some merchants added compliance measures

31.07.2006
Visa U.S.A. Inc. has changed the way it classifies some merchants under the Payment Card Industry data security program, a move that will require about 1,000 retailers and other businesses to meet more-rigorous standards for validating their compliance with the PCI edicts.

The changes, which were announced July 21, affect a group of Visa's so-called Level 4 merchants that process between 1 million and 6 million credit card transactions annually. They are being shifted to the Level 2 category as part of a bid by Visa to tighten security requirements for a broader set of merchants.

Attracting Attention

Under the PCI program, Level 2 merchants must submit to quarterly network vulnerability scans and fill out a 75-question self-assessment form each year. Similar measures are recommended but not required for Level 4 merchants.

As a result, merchants in that category have rarely paid attention to the recommendations, said David Taylor, vice president of data security strategies at Protegrity Corp., a Stamford, Conn.-based company that offers PCI compliance services. "Some small and midsize businesses have never taken PCI seriously, and they should," Taylor said. "So this is a good thing."

"When it's just a recommendation, people give it less credence," agreed Robin Hogan, a product manager at Consul Risk Management Inc., a security auditing company in Herndon, Va. "This makes sure that people are doing what they're supposed to do."

Also as part of Visa's reclassification, about 1,000 merchants that solely do business online and process fewer than 1 million transactions annually will move from Level 2 to Level 3 status; both have similar requirements for compliance validation.

In a statement, Visa said it decided that the revised placement of merchants "would be more straightforward." Level 2 now will include all entities processing between 1 million and 6 million transactions per year, the company said, while Level 3 will be for e-commerce merchants that process 20,000 to 1 million transactions. Level 4 will consist of smaller e-commerce merchants and brick-and-mortar businesses that process fewer than 1 million transactions annually.

Chris Farrow, director of the Center for Policy and Compliance at Colorado Springs-based security vendor Configuresoft Inc., said that shifting from Level 2 to Level 3 isn't a major concern for merchants because their compliance requirements are nearly identical. But businesses moving from Level 4 to Level 2 face a "huge change," Farrow said. "They are the guys who are going to have to scramble."

The merchants being moved to Level 2 have until Sept. 30, 2007, to show compliance with the stiffer requirements. Merchants that claim to be PCI-compliant can be hit with hefty fines by Visa if they experience security breaches because of a lack of proper controls.