The company effectively expanded the Visa qualifications to bring more merchants under higher levels in the PCI security standard.
There are four merchant validation levels, in which merchants are grouped based on the number of transactions they facilitate each year. Each successive level has more stringent security requirements for its members.
Most notably, the new system will bump more companies up to the second-highest tier — Merchant Level 2 — by classifying them as processing 150,000 to 6 million transactions each year. Visa had previously categorized Level 2 as those who processed 1 million to 6 million annual transactions.
Visa representatives said that the changes were made to decrease the risk of data compromises.
"Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace," said Mike Smith, senior vice president of enterprise risk and compliance.
David Taylor, vice president of data security strategies for Protegrity Corporation, said that while he is surprised that Visa made a solo announcement without any of the other card companies, he sees this move as a precursor to more changes in the PCI data standard and its enforcement. Many in the security world are expecting an update to the standard to be announced by the end of summer, he said.
"Whatever it is they are going to do in terms of getting (changes) out, this is probably seen as a prelude to that," he said.
Taylor said that Visa's change to the classification schema likely has to do with additional changes that the card companies will make by summer's end when it comes to enforcement. He explained that it is well-known that announcements are pending for a new enforcement body that will act separately from, but on behalf of, all of the card companies.
"If you put together (this announcement) with the pending announcement for PCI Co., the corporation that is going to manage PCI compliance, what they're doing is saying, 'If we get PCI Co. announced, what we are going to do is broaden the scope of who PCI Co. is responsible for monitoring,'" he said.