In a statement, Visa said it decided that the revised placement of merchants "would be more straightforward." Level 2 now will include all entities processing between 1 million and 6 million transactions per year, the company said, while Level 3 will be for e-commerce merchants that process 20,000 to 1 million transactions. Level 4 will consist of smaller e-commerce merchants and brick-and-mortar businesses that process fewer than 1 million transactions annually.

Chris Farrow, director of the Center for Policy and Compliance at Colorado Springs-based security vendor Configuresoft Inc., said that shifting from Level 2 to Level 3 isn't a major concern for merchants because their compliance requirements are nearly identical. But businesses moving from Level 4 to Level 2 face a "huge change," Farrow said. "They are the guys who are going to have to scramble."

The merchants being moved to Level 2 have until Sept. 30, 2007, to show compliance with the stiffer requirements. Merchants that claim to be PCI-compliant can be hit with hefty fines by Visa if they experience security breaches because of a lack of proper controls.