Visa gives some merchants added compliance measures
The changes affect 1,000 Visa merchants that process between 1 million and 6 million credit card transactions annually
By Jaikumar Vijayan | Framingham | Wednesday, 2 August, 2006
Visa USA has changed the way it classifies some merchants under the Payment Card Industry data security program, a move that will require about 1,000 retailers and other businesses to meet more-rigorous standards for validating their compliance with the PCI edicts.
The changes, which were announced July 21, affect a group of Visa's so-called Level 4 merchants that process between 1 million and 6 million credit card transactions annually. They are being shifted to the Level 2 category as part of a bid by Visa to tighten security requirements for a broader set of merchants.
Under the PCI program, Level 2 merchants must submit to quarterly network vulnerability scans and fill out a 75-question self-assessment form each year. Similar measures are recommended but not required for Level 4 merchants.
As a result, merchants in that category have rarely paid attention to the recommendations, says David Taylor, vice president of data security strategies at Protegrity, a company that offers PCI compliance services. "Some small and midsize businesses have never taken PCI seriously, and they should," Taylor says. "So this is a good thing."
"When it's just a recommendation, people give it less credence," agrees Robin Hogan, a product manager at Consul Risk Management, a security auditing company. "This makes sure that people are doing what they're supposed to do."
Also as part of Visa's reclassification, about 1,000 merchants that solely do business online and process fewer than 1 million transactions annually will move from Level 2 to Level 3 status; both have similar requirements for compliance validation.
In a statement, Visa says it decided that the revised placement of merchants "would be more straightforward." Level 2 now will include all entities processing between 1 million and 6 million transactions per year, the company says, while Level 3 will be for e-commerce merchants that process 20,000 to 1 million transactions. Level 4 will consist of smaller e-commerce merchants and brick-and-mortar businesses that process fewer than 1 million transactions annually.
Chris Farrow, director of the Center for Policy and Compliance at security vendor Configuresoft, says that shifting from Level 2 to Level 3 isn't a major concern for merchants because their compliance requirements are nearly identical. But businesses moving from Level 4 to Level 2 face a "huge change," Farrow says. "They are the guys who are going to have to scramble."
The merchants being moved to Level 2 have until September 30, 2007, to show compliance with the stiffer requirements. Merchants that claim to be PCI-compliant can be hit with hefty fines by Visa if they experience security breaches because of a lack of proper controls.







