?Protecting the environment is critical to ensuring the future growth of electronic payments,? said Mike E. Smith, Senior Vice President, Enterprise Risk and Compliance, Visa U.S.A. ?Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace.?
The most significant modification involves the Level 2 merchant category, which previously only applied to merchants processing between 150,000 and 6 million Visa e-commerce transactions per year. Level 2 has now been broadened to include all acceptance channels and applies to any merchant processing 1 million to 6 million Visa transactions per year.
While none of the validation requirements themselves have changed, merchants moving into a new validation level will be responsible for complying with that category?s validation responsibilities. For example, merchants moving from Level 4 to Level 2 must now have quarterly network security scans performed by a qualified independent scan vendor.
The revised criteria impact a relatively small number of merchants. Less than 1,000 Level 4 merchants are expected to move into the Level 2 category, while an equal number of former level 2 merchants processing fewer than 1 million e-commerce transactions per year will move to level 3.
Within the next two months, acquirers will identify any merchant changing levels. These merchants are required to validate PCI compliance with their acquirer by Sept. 30, 2007, generally 12 months from the date of identification.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all merchants and any entity that stores, transmits or processes cardholder data. Validation of compliance is part of that process, with validation requirements varying for merchants based on factors such as transaction volume.
A summary of the changes are listed in the chart below: