Visa Changes Retail Security Rules

Visa has changed its retail security requirement structure, which will, because of a change in definition of what a qualifying transaction is, force more retailers to use its more stringent security procedures.

Visa on July 21 changed its retail security requirement structure, which will—because of a change in definition of what a qualifying transaction is—force more retailers to use its more stringent security procedures.

The core change includes all transactions when determining what level a retailer should be; Visa uses four levels to group retailers based on their volume of transactions.

The criteria was previously limited to online purchases. "The most significant modification involves the Level 2 merchant category, which previously only applied to merchants processing between 150,000 and 6 million Visa e-commerce transactions per year," a Visa statement said. "Level 2 has now been broadened to include all acceptance channels and applies to any merchant processing 1 million to 6 million Visa transactions per year."

Mark Rasch, a former federal prosecutor who now serves as vice president for Solutionary, a security software and consultancy firm, said that the actions of July 21 may not have an immediate impact on retailers, but they will certainly have a long-term impact as Visa uses this as the first step before cracking down with strict enforcement. As it is, retailers are notorious for not complying with Visas guidelines and not doing enough audits and related checks.

"I would say that this is more evolutionary than revolutionary," Rasch said. "What theyre doing is theyre tweaking the standards, trying to redefine who the classes of different merchants are and what the obligations of each of those different classes are going to be."

Rasch questions whether categorizing merchants solely by the number of transactions is the best approach.

"I dont know that thats necessarily the best measure of how sophisticated a merchant you are and how much security youre going to need," Rasch said. "One of the things you may want to look at is the dollar value of the transactions or the risks of the transactions themselves. If you do a lot of small-dollar-value transactions, you may be more or less risky than a person who does a fewer number of high-dollar transactions."

Retail technology analysts who discussed the new Visa PCI rules in a Web audiocast late on July 21 agreed that the changes will almost certainly impact a lot more than the thousand or so merchants that Visa said it will impact, as the changes will likely cause all retailers to be more strict about credit card authentication issues.

Retail Center Editor Evan Schuman can be reached at


Check out eWEEK.coms for the latest news, views and analysis on technologys impact on retail.