Visa warns merchants who don't meet PCI deadline

Visa USA is warning large merchants who accept credit cards that they will face higher transaction fees if they are not fully compliant with the payment card industry (PCI) data security standard by 30 September.


Visa USA is warning large merchants who accept credit cards that they will face higher transaction fees if they are not fully compliant with the payment card industry (PCI) data security standard by 30 September.

The company recently issued updates and clarifications regarding certain components of its PCI compliance acceleration programme to the acquiring banks that authorise merchants to accept credit card transactions. The updates offer greater detail on the penalties and incentives that go into effect 1 October for all large entities covered under PCI.

Acquiring banks, which under PCI are contractually responsible for ensuring that merchant members meet PCI requirements, are expected to communicate the updates to the largest merchants over the next few days, according to a source who asked not to be named.

Under PCI, all companies that accept credit cards are required to comply with 12 security-related requirements that call for, among other things, encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, activity monitoring and logging. The standards are being pushed by Visa, MasterCard Worldwide, Discover, American Express and JCB.

The rules went into broad effect more than two years ago; since then, credit card companies have been pushing merchants to implement the requirements. As part of the effort, Visa last year announced a compliance acceleration programme under which it detailed specific incentives and penalties to get Tier 1 and Tier 2 merchants (those processing more than a million credit card transactions annually) to implement the requirements by 30 September, 2007.

In its recent update, Visa said that as of 1 October, non-compliant merchants in these categories will no longer qualify for the best available tiered interchange rates. Visa and Interlink transactions submitted by non-compliant merchants that are normally eligible for tiered interchange rates will be downgraded one interchange tier starting 1 October, according to a document made available to Computerworld.

According to the document, merchants must validate compliance with the PCI data security standard in order to be returned to the best-available rate within Visa interchange tiers. Visa will reinstate the merchant to that interchange rate within 20 business days of compliance validation by the acquiring bank. The deadlines apply to companies who were identified as being in the Tier 1 or tier 2 categories prior to 1 January, 2007.

Interchange rates are the commissions that merchants pay for each credit card transaction. Merchants in different tiers have different rates, with the largest ones paying less than their smaller counterparts. Analysts in the past have said the prospect of losing this benefit has been a major driver of PCI compliance efforts among large merchants that process millions of transactions annually.

In its update, Visa noted that merchants who can validate compliance by 30 September, 2008 may qualify for a refund of three months worth of the interchange differential. But to qualify, an executive-level officer would need to attest that the merchant had tried its best to comply by the 30 September, 2007 deadline but was unable to do so and needed the extra time, the document noted.

Under Visa's compliance acceleration program, Tier 1 merchants that fail to ensure compliance by 30 September, 2007, will also be assessed fines starting at $25,000 per month. At the same time, Visa will reward acquiring banks whose members are fully compliant by the deadline date. The company has set aside $20m (£10m) in reward money under the incentive programme and has already paid out about $7m (£3.51m) to compliant companies.

Visa officials could not be reached immediately for comment.

"Recommended For You"

Visa drops RBS subsidiary from compliance list after data breaches Visa: Criticism of PCI standard 'misplaced'