Those affected are Visa "Level 4" merchants, meaning those that process fewer than 6 million credit card transactions a year. They will now be included in the "Level 2" category as part of a bid by Visa to tighten security requirements for a broader set of merchants.

Visa officials announced the change late Friday. "Protecting the [credit card processing] environment is critical to ensuring the future growth of electronic payments," Mike Smith, Visa's senior vice president of enterprise risk and compliance, said in a statement. "Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace."

The company stressed that it had not changed the validation requirements themselves, but was only moving some merchants into a new validation level.

Level 2 merchants are required to submit to quarterly network-vulnerability scans and must also fill out a 75-item self-assessment questionnaire. Merchants moved into this category have until Sept. 30, 2007, to demonstrate compliance with the stiffer requirements. Merchants who claim they are PCI-compliant can be hit with hefty fines if they suffer a subsequent security breach resulting from the lack of proper controls.

Similar PCI measures are recommended for Level 4 merchants, but they are not required. As a result, merchants in that category have rarely paid attention to the stronger standards, said David Taylor, vice president of data security strategies at Protegrity Corp., a Stamford, Conn.-based company that offers PCI compliance services.