Visa warns of higher fees for merchants who don't meet PCI deadline

Computerworld - Visa U.S.A. Inc. is reiterating a message it issued last December, warning large merchants who accept credit cards that they will face higher transaction fees if they are not fully compliant with the Payment Card Industry (PCI) Data Security Standard by Sept. 30.

The company recently issued updates and clarifications regarding certain components of its PCI compliance acceleration program to the acquiring banks that authorize merchants to accept credit card transactions. The updates offer greater detail on the penalties and incentives that go into effect Oct. 1 for all large entities covered under PCI.

Acquiring banks, which under PCI are contractually responsible for ensuring that merchant members meet PCI requirements, are expected to communicate the updates to the largest merchants over the next few days, according to a source who asked not to be named.

Under PCI, all companies that accept credit cards must comply with 12 security-related requirements that call for, among other things, encrypted transmission of cardholder data, periodic network scans, logical and physical access controls and activity monitoring and logging. The standards are being pushed by Visa, MasterCard Worldwide, Discover Financial Services LLC , American Express Co. and Tokyo-based JCB Co.

The rules went into broad effect more than two years ago; since then, credit card companies have been pushing merchants to implement the requirements. As part of the effort, Visa last year announced a compliance acceleration program under which it detailed specific incentives and penalties to get Tier 1 and Tier 2 merchants (those processing more than 1 million credit card transactions annually) to implement the requirements by Sept. 30, 2007.

In its recent update, Visa said that as of Oct. 1, 2007, noncompliant merchants in these categories will no longer qualify for the best available tiered interchange rates. Visa and Interlink transactions submitted by noncompliant merchants that are normally eligible for tiered interchange rates will be downgraded one interchange tier starting October 1, according to a document made available to Computerworld.

According to the document, merchants must validate compliance with the PCI security standard in order to be returned to the best-available rate within Visa interchange tiers. Visa will reinstate the merchant to that interchange rate within 20 business days of compliance validation by the acquiring bank. The deadlines apply to companies that were identified as being in the Tier 1 or Tier 2 categories prior to Jan 1, 2007.

Interchange rates are the commissions that merchants pay for each credit card transaction. Merchants in different tiers have different rates, with the largest ones paying less than their smaller counterparts. Analysts in the past have said the prospect of losing this benefit has been a major driver of PCI compliance efforts among large merchants that process millions of transactions annually.