Following a series of database breaches at U.S. retailers in 2006, Visa U.S.A. last month stepped up the pressure on merchant banks to bring the largest U.S. retailers into compliance with the Payment Card Industry Data Security Standard, which requires retailers to protect credit card account data.
Prior to this latest effort, Visa had levied $4.6 million in 2006 fines, up 35% from $3.4 million in 2005, with only 15% of “Level 2” merchants (those doing 1-6 million Visa transactions a year) complying with the security standard. Compliance is at 36% for Level 1 merchants, or those doing more than 6 million transactions.
“We have had a number of cardholder data compromises with large merchants and small merchants and what we want to do is to ensure that our merchants that present the greatest exposure to us are properly secured,” Eduardo Perez, vice president of payment system risk, Visa USA, says.
The standard, developed by Visa and other major credit card companies, requires retailers to protect credit card account data. It specifically requires merchants to use magnetic stripe and other authentication information only to validate transactions, and not to store that information in a database where it could be stolen.
Under the new penalties, Visa will fine merchant acquirers from $5,000 to $25,000 a month for each Level 1 or Level 2 merchant that is not compliant with the standard by Sept. 30 and Dec. 31, respectively. In addition, acquirers face monthly fines of up to $10,000 if they fail to confirm by March 31 that their Level 1 and 2 merchants are not storing magnetic stripe data.
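The confirmation acquirers must make under the new penalties, that a merchant is not storing magnetic stripe data, is in practice a scan of the merchant's databases and logs for track-formatted data. The following Python scanner is an added illustration of that check, not code from Visa, the PCI standard or this article; it assumes stored records are available as dictionaries of string fields, matches the standard Track 1 and Track 2 layouts (start sentinel, PAN, expiry, service code, end sentinel), requires the PAN to pass the Luhn check to cut false positives, and reports only a masked PAN. The sample records are constructed with the well-known 4111 1111 1111 1111 test number.

```python
import re
from dataclasses import dataclass

# Track 2 layout: start sentinel ';', PAN (13-19 digits), '=', YYMM expiry,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1 layout: start sentinel '%', format code 'B', PAN, '^', cardholder
# name, '^', YYMM expiry, 3-digit service code, discretionary data, '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Return True when the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; the rest is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    record_id: str
    field: str
    track: int
    masked_pan: str
    expiry_yymm: str


def find_track_data(record_id: str, field: str, value: str) -> list:
    """Return a Finding for each Luhn-valid Track 1/Track 2 string in value."""
    findings = []
    for m in TRACK1_RE.finditer(value):
        pan, _name, exp, _svc = m.groups()
        if luhn_ok(pan):
            findings.append(Finding(record_id, field, 1, mask_pan(pan), exp))
    for m in TRACK2_RE.finditer(value):
        pan, exp, _svc = m.groups()
        if luhn_ok(pan):
            findings.append(Finding(record_id, field, 2, mask_pan(pan), exp))
    return findings


def scan_records(records: list) -> list:
    """Scan every string field of every record (assumed dict) for track data."""
    findings = []
    for rec in records:
        rid = str(rec.get("id", "?"))
        for field, value in rec.items():
            if isinstance(value, str):
                findings.extend(find_track_data(rid, field, value))
    return findings


# Constructed sample records: one compliant order (last four digits and
# authorization code only), one order whose raw authorization string kept
# Track 2 data, one POS debug log line that kept Track 1 data, and one
# decoy whose PAN fails the Luhn check and is therefore not reported.
SAMPLE_RECORDS = [
    {"id": "ord-1001", "last4": "1111", "auth_code": "A1B2C3"},
    {"id": "ord-1002", "last4": "1111",
     "raw_auth": "resp=00 track=;4111111111111111=25121011234567890?"},
    {"id": "log-7",
     "msg": "POS debug: %B4111111111111111^DOE/JANE^25121011000000000000? approved"},
    {"id": "ord-1003", "raw_auth": ";4111111111111112=2512101?"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id}.{f.field}: Track {f.track} data, "
              f"PAN {f.masked_pan}, expiry {f.expiry_yymm}")
```

A real sweep would walk database dumps, application logs and backups rather than an in-memory list, but the detection rule is the same: any string that matches a full track layout with a Luhn-valid PAN is stored authentication data that the standard forbids, and the report should never echo the full PAN.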
As part of the new program, the PCI Compliance Acceleration Program, merchants will not qualify for lower interchange rates for card transactions if they fail to comply with the standard.
Visa also will offer $20 million in incentives to merchant acquirers if their retailers comply by Aug. 31 and have not been involved in a data compromise. The goal is to promote faster compliance, Perez says.