The core change is including all transactions when determining what level a retailer should be. Before, the criteria was limited to online purchases. "The most significant modification involves the Level 2 merchant category, which previously only applied to merchants processing between 150,000 and 6 million Visa e-commerce transactions per year," a Visa statement said. "Level 2 has now been broadened to include all acceptance channels and applies to any merchant processing 1 million to 6 million Visa transactions per year."
Mark Rasch, a former federal prosecutor who today serves as VP for Solutionary, said that July 21's actions may not have an immediate impact on retailers, but it will certainly have a long-term impact as Visa uses this as the first step before cracking down with strict enforcement.
"I would say that this is more evolutionary than revolutionary," Rasch said. "What they're doing is they're tweaking the standards, trying to redefine who the classes of different merchants are and what the obligations of each of those different classes are going to be."
Rasch questions whether categorizing merchants solely by the number of transactions is the best approach.
"I don't know that that's necessarily the best measure of how sophisticated a merchant you are and how much security you're going to need," Rasch said. "One of the things you may want to look at is the dollar value of the transactions or the risks of the transactions themselves. If you do a lot of small dollar value transactions, you may be more or less risky than a person who does a fewer number of high dollar transactions."
Retail technology analysts who discussed the new Visa PCI rules in a Web audiocast late on July 21st agreed that the changes will almost certainly impact a lot more than thousand or so merchants that Visa said it will impact, as the changes will likely all retailers to be more strict about credit card authentication issues.