n July, Visa U.S.A. changed the criteria used to determine merchant levels for the Payment Card Industry (PCI) Data Security Standard. A Visa press release indicated the move is designed to decrease the risk of data compromises by shifting higher-volume merchants across all payment channels into a more rigorous compliance validation category.

The salient points

Here's what's new, as set forth in Visa's release:

• The most significant modification involves the Level 2 merchant category, which previously only applied to merchants processing between 150,000 and 6 million Visa e-commerce transactions per year.
• Level 2 now includes all acceptance channels and applies to all merchants processing 1 million to 6 million Visa transactions per year.
• None of the PCI validation requirements were changed.
• Merchants moving into a new validation level will be responsible for complying with that category's validation requirements. For example, merchants moving from Level 4 to Level 2 must now have quarterly network security scans performed by a qualified independent scan vendor.
• Visa indicated the revised criteria affect fewer than 1,000 Level 4 merchants who are being moved into the Level 2 category. Another 1,000 former Level 2 merchants who process fewer than 1 million e-commerce transactions per year will move to Level 3.
• Within the next two months, acquirers should identify any merchant changing levels. These merchants are required to validate PCI compliance with their acquirers by Sept. 30, 2007 - generally 12 months from the date of identification.

PCI compliance is required of all merchants and any entity that stores, transmits or processes cardholder data. Validation of compliance is part of that process, with validation requirements varying for merchants, based on factors such as transaction volume.

Acquirers are responsible for ensuring that all of their merchants comply with the PCI requirements. Acquirers are also responsible for determining the compliance validation levels of their merchants.

New merchant level definitions

Visa modified its merchant level definitions to conform to the new PCI criteria. All merchants still fall into one of four levels, based on Visa transaction volume over a 12-month period.

Transaction volume is based on the aggregate number of Visa transactions (including credit, debit and prepaid) from a merchant using a valid business name (DBA). If a merchant corporation has more than one DBA, acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level.

If the merchant corporation does not aggregate data, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, members will continue to consider each DBA's individual transaction volume to determine the validation level.

Here are Visa's new merchant level definitions:

· Level 1 includes any merchant, regardless of acceptance channel, processing over 6 million Visa transactions per year; any merchant who has suffered a hack or an attack that resulted in an account data compromise; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system; and any merchant identified by any other payment card brand as Level 1. · Level 2 includes any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year. (This new definition expands the number of Level 2 merchants to include former Level 4 merchants.) · Level 3 includes any merchant processing 20,000 to 1 million Visa e-commerce transactions per year. (This new definition expands Level 3 to include former Level 2 merchants who process fewer than 1 million e-commerce transactions per year.) · Level 4 includes any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per year. (This new definition reduces the number of Level 4 merchants.)

Visa's PCI compliance validation requirements for each merchant level remain the same. Compliance validation is required for Level 1, Level 2, and Level 3 merchants. It may also be required for Level 4 merchants. Here's a recap:

· Level 1: An annual on-site PCI data security assessment must be done by a qualified data security company or by an internal audit if it is signed by an officer of the merchant company. A quarterly network scan must by performed by a qualified independent scan vendor.

· Level 2: An annual PCI self-assessment questionnaire must be completed by the merchant. A quarterly network scan must by performed by a qualified independent scan vendor.

· Level 3: An annual PCI self-assessment questionnaire must be completed by the merchant. A quarterly network scan must by performed by a qualified independent scan vendor.

· Level 4: PCI requires that all merchants perform external network scanning to achieve compliance. Level 4 validation requirements and dates are determined by the merchant's acquirer; acquirers may require submission of scan reports and/or questionnaires.

Acquirers must obtain the required compliance validation from their merchants. Documentation must be available to Visa upon request.

In addition, Visa offers safe harbor protection from Visa fines in the event a merchant or service provider experiences a data compromise. To attain safe harbor status:

• Members, merchants and service providers must maintain full compliance at all times. This includes adhering to all requirements at the time of a breach or compromise, as demonstrated during a forensic investigation.
• A member must demonstrate that, before the compromise, its merchant already met the compliance validation requirements, demonstrating full compliance.

  Look at your merchant portfolios now to determine steps to be taken and deadlines. Work with your merchants to expedite this. You and your customers don't want to become the latest media roadkill and be fined for not complying with the PCI standards.

Full details about the latest PCI requirements are at www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html

David H. Press is Principal and President of Integrity Bankcard Consultants Inc. Call him at 630-637-4010, e-mail dhpress@ibc411.com or visit www.ibc411.com