Compliance Management

Visa upgrades PCI merchant classifications

The security experts at Visa announced that the company is changing the criteria for merchants required to comply with Payment Card Industry (PCI) Data Security Standard.

The company effectively expanded the VISA qualifications to bring more merchants under higher levels in the PCI security standard. 

There are four merchant validation levels, in which merchants are grouped based on the number of transactions they facilitate each year. Each successive level has more stringent security requirements for its members.

Most notably, the new system will bump more companies up to the second-highest tier — Merchant Level 2 — by classifying them as processing 150,000 to 6 million transactions each year. Visa had previously categorized Level 2 as those who processed 1 million to 6 million annual transactions.

Visa representatives said that the changes were made to decrease the risk of data compromises.

"Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace," said Mike Smith, senior vice president of enterprise risk and compliance.

David Taylor, vice president of data security strategies for Protegrity Corporation, said that while he is surprised that Visa made a solo announcement without any of the other card companies, he sees this move as a precursor to more changes in the PCI data standard and its enforcement. Many in the security world are expecting an update to the standard to be announced by the end of summer, he said.

"Whatever it is they are going to do in terms of getting (changes) out, this is probably seen as a prelude to that," he said.

Taylor said that Visa's change to the classification schema likely has to do with additional changes that the card companies will make by summer's end when it comes to enforcement. He explained that it is well-known that announcements are pending for a new enforcement body that will act separately from, but on the behalf of, all of the card companies.

"If you put together (this announcement) with the pending announcement for PCI Co., the corporation that is going to manage PCI compliance, what they're doing is saying, ‘If we get PCI Co. announced, what we are going to do is broaden the scope of who PCI Co. is responsible for monitoring,'" he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.