Visa U.S.A. is shifting higher-volume merchants across all channels into a more rigorous compliance validation category for the Payment Card Industry Data Security Standard, the association announced today.
Under the PCI standard, developed jointly by Visa and MasterCard, retailers must validate that they are in compliance with strict measures to protect customers’ confidential data. Retailers with higher annual volumes are subject to more rigorous validation requirements. For example, Level 4 merchants, those with the lowest transaction volume, must perform annual self-assessments, while Level 1 merchants, those with the highest transaction volume, must perform annual onsite audits and quarterly scans.
“Protecting the environment is critical to ensuring the future growth of electronic payments,” said Mike E. Smith, senior vice president, enterprise risk and compliance. “Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace.”
The most significant change in the validation categories involves the Level 2 merchant category, which previously applied to merchants processing between 150,000 and 6 million e-commerce transactions per year. That level now has been broadened to include any merchant processing between 1 million and 6 million transactions annually, regardless of the channel.
Visa estimates that fewer than 1,000 Level 4 merchants will move into the Level 2 category, while an equal number of Level 2 merchants will move to Level 3.
While none of the validation requirements has changed, merchants moving into a new validation level will be responsible for complying with that category’s validation requirements, Visa said.
Information on the changes is available at www.visa.com/cisp.
PCI compliance is required of all merchants and other entities that store, transmit or process cardholder data. Retailers that fail to comply are subject to fines.