Visa Adjusts PCI Validation Rules and Deadlines

Visa Inc. is revising its validation requirements for the Payment Card Industry data security standard to boost compliance by merchants in other countries.

All merchants are expected to adhere to the standard, but Visa has set staggered deadlines for validation — providing proof of adherence. Acquirers can be fined if their merchant clients cannot prove they meet the requirements by the deadlines.

For the purpose of validation, merchants are categorized according to size, but the categories vary by region. Under rule changes that were announced this week and will take effect over the course of next year, the category definitions Visa currently uses in the United States will be applied elsewhere. Being put in a new category may also change a merchant's requirements in areas like on-site assessments.

In the United States, merchants are divided into four categories. Among Level 1 merchants, which handle more than 6 million Visa transactions annually, 87% have validated their PCI compliance. So have 86% of Level 2 merchants, which handle from 1 million to 6 million transactions a year, and 57% of Level 3 merchants, which handle 20,000 to 1 million e-commerce transactions a year. (All other merchants are considered Level 4.)

As a result, "we've seen compromise events come down in the U.S., particularly large-scale compromise events," Eduardo Perez, Visa's head of global data security, said in an interview. By exporting that approach, Visa expects "similar success in preventing compromises in other marketplaces by driving compliance, especially among large merchants."

The new guidelines will apply everywhere except in some countries in Europe. (Last year Visa Europe spun off from Visa Inc. as it prepared to go public.)

Under the new guidelines, by September, merchants in the Level 1 category must validate full compliance, and those in Level 2 must stop storing prohibited data. (The PCI standard forbids retaining sensitive authentication data after authorization, such as full magnetic-stripe contents, card verification codes, and PINs.) Visa said companies that have suffered data breaches may also be subject to the Level 1 deadline and criteria.

In February, Visa plans to redefine its categories for service providers (companies that handle data on behalf of merchants, acquirers, and issuers). Providers that handle more than 300,000 transactions a year or are connected to the VisaNet system will be held to stricter validation standards than they must meet now.

There are 566 merchants worldwide that are considered Level 1, and under the new rules about 50 more will be added to that category.

Some regions will be affected more drastically than others, the company said. The United States, Canada, and Asia Pacific regions already have four categories of merchants, but there are just two in the Central Europe/Middle East/Africa region and three in the Latin America/Caribbean one.

Visa will handle Level 4 merchants differently than large ones, Mr. Perez said, largely because they are often subject to the whims of payment system providers.

Mr. Perez would not say whether Visa's progress in the United States has resulted in increased fraud abroad, though he said "criminals are constantly on the watch for the lowest-hanging fruit."

Avivah Litan, a vice president and research director at the market research company Gartner Inc., said that card fraud is rampant in some foreign countries. "They don't have disclosure laws outside the U.S., but there's lots of breaches."

Visa's efforts are having an effect in places where it has focused its efforts on enforcing the PCI standard, Ms. Litan said. The company is "the thought leader and the active enforcer" among the card brands. "To their credit, they've borne most of the burden."

MasterCard Inc. did not return a call requesting comment.
