Visa USA adds financial component to security program

14.12.2006

As part of the compliance validation process, merchants will need to show that they have purged all magnetic stripe data, Card Verification Value (CVV2) data and PIN data from their point-of-sale (POS) and other systems, Fischer said. The storage of such data is considered extremely risky and is a major violation of PCI rules. Even so, a large number of merchants continue to store such data, often because their POS system software stores it by default.

"One of our key messages is you don't need that data," Fischer said. "We expect merchants to work with their software vendors to update the software or patch it or do something to make sure their systems are purged" of the data, she said.

The new Visa program is a step in the right direction, said Avivah Litan, an analyst with Gartner Inc. in Stamford, Conn. But to really push PCI compliance, similar actions need to be taken by MasterCard and American Express, she said.

Visa's decision to link its so-called "tiered interchange" rates to PCI compliance, though, is perhaps far more significant for larger merchants than any one-time monetary reward, Litan said. Interchange rates are the commissions that merchants pay for each credit card transaction. Merchants in different tiers have different rates, with the largest ones paying less than their smaller counterparts.

The prospect of losing this benefit for failing to comply with PCI could be the biggest driver of all, Litan said.