Visa looks to bolster security with PCI changes

26.07.2006
Visa U.S.A. Inc. has changed the way it classifies merchants under its Payment Card Industry (PCI) data security standards program, which will require about 1,000 merchants to meet more rigorous compliance-validation standards.

Those affected are Visa "Level 4" merchants, the category that currently covers those processing fewer than 6 million credit card transactions a year. The roughly 1,000 merchants in that category handling between 1 million and 6 million transactions a year will now be included in the "Level 2" category, as part of a bid by Visa to tighten security requirements for a broader set of merchants.

Visa officials announced the change late Friday. "Protecting the [credit card processing] environment is critical to ensuring the future growth of electronic payments," Mike Smith, Visa's senior vice president of enterprise risk and compliance, said in a statement. "Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace."

The company stressed that it had not changed the validation requirements themselves, but was only moving some merchants into a new validation level.

Level 2 merchants are required to submit to quarterly network-vulnerability scans and must also fill out a 75-item self-assessment questionnaire. Merchants moved into this category have until Sept. 30, 2007, to demonstrate compliance with the stiffer requirements. Merchants who claim they are PCI-compliant can be hit with hefty fines if they suffer a subsequent security breach resulting from the lack of proper controls.

Similar PCI measures are recommended for Level 4 merchants, but they are not required. As a result, merchants in that category have rarely paid attention to the stronger standards, said David Taylor, vice president of data security strategies at Protegrity Corp., a Stamford, Conn.-based company that offers PCI compliance services.

"Some small and midsize businesses have never taken PCI seriously, and they should," Taylor said. "So this is a good thing."

"When it's just a recommendation, people give it less credence," said Robin Hogan, product manager at Consul Risk Management Inc., a Herndon, Va.-based security auditing company. "This makes sure that people are doing what they are supposed to do."

As part of Visa's reclassification, about 1,000 e-commerce merchants who process fewer than 1 million transactions a year will move from Level 2 to Level 3 status. Visa offered no explanation for that change.

"Visa talks about how it is moving merchants into a more rigorous compliance category. But if you look at the recategorization, a whole bunch of e-commerce merchants are also actually moving down" to a less-stringent category, Taylor said. The decision to give companies until Sept. 30, 2007, to comply is also puzzling, he said, given that they should have already been compliant with the PCI requirements.

In an e-mail statement, Visa said it felt that "the levels would be more straightforward if the e-commerce distinction was specific to a single level." Going forward, Level 2 will include all entities processing between 1 million and 6 million transactions, while Level 3 comprises solely e-commerce merchants.

Chris Farrow, director of the Center for Policy and Compliance at Colorado Springs-based vendor Configuresoft Inc., said shifting merchants from Level 2 to Level 3 is not a major concern because the requirements across both levels are nearly identical. Those moving from Level 4 to Level 2, though, face a "huge change. They are the guys who are going to have to scramble," Farrow said.

For many, the reclassification will mean having to spend on technology and staffing to be able to comply with PCI, he said.

Visa, along with MasterCard Inc., American Express Co. and Discover Financial Services LLC, is also considering other enhancements to the PCI standard. One set of PCI extensions is aimed at protecting credit card data from emerging Web application security threats. Other new rules will require companies to ensure that any third parties they deal with, such as hosting providers, have proper controls for securing credit card data.

The updates are due out later this year and will be the first major revisions to PCI since it became a broad requirement for all entities handling credit card data a year ago.