Visa Offers Compliance Awards

Visa USA, which has imposed fines on acquirers whose merchants do not comply with its data security rules, says that next year it will begin rewarding those whose merchants do.

To this end, the San Francisco association has budgeted $20 million for its Payment Card Industry Compliance Acceleration Program, it said Tuesday. The program is focused on Visa's largest merchants, known as Level 1, which handle more than six million transactions a year, and on Level 2 merchants, which handle from one million to six million transactions. Together, the two categories comprise more than two-thirds of Visa's volume, it said.

Eduardo Perez, the vice president of payment system risk at Visa, said that 36% of its Level 1 merchants comply with the PCI Data Security Standard, and 62% have submitted a report detailing how and when they expect to become compliant.

"This program is going to continue to focus their efforts," Mr. Perez said. Some acquirers and merchants may speed up their compliance timelines to make sure they meet a deadline to qualify for the cash rewards.

The PCI Data Security Standard was adopted by the card companies in 2004 as a uniform set of rules for data and network security. Visa said it is focusing on merchants that violate its rules for storing data such as the "card verification value," which is hidden in the card's magnetic stripe and used to verify its authenticity; the "CVV2," which is printed on the card to verify it for remote transactions; and PINs.

Acquirers will be eligible to receive incentive funds from the program for merchants that are compliant by Aug. 31 and have not had a data breach. Acquirers will get a larger payment for each merchant compliant by March 31.

Visa would not say how much it is offering, but Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., estimated that it is probably about $50,000 per merchant.

A survey she did in November of 50 merchants of all sizes found that 8.5% "have spent more than $1 million already just to become PCI-compliant," she said.

Michael E. Smith, Visa's senior vice president of enterprise risk and compliance, said the money is not intended to offset merchants' costs and acquirers are not required to pass on any of the funds to merchants. Acquirers could use the money to fund their own efforts to bring their merchants into compliance.

Though the program focuses on the top two merchant levels, acquirers will also have to show that they have compliance programs for Level 3 and Level 4 merchants.

Gartner's Ms. Litan said the incentive program is "a step in the right direction, but it needs to go further." "The fines are going to drive compliance a lot more," she said.

