As a large number of retailers recently found out, being classified as a lower-tier merchant for purposes of PCI compliance brings, at best, only temporary reporting relief.

With VISA updating its PCI reporting matrix in late 2006, many formerly level-3 and level-4 retailers suddenly found themselves reclassified as level-2. Not only did that bring such merchants into the focus of their acquiring banks, but new deadlines and stricter enforcement have served to increase pressure on these retailers to comply with PCI.

Furthermore, new guidelines point to other changes in the future that may impact even more merchants.

What Exactly Happened?

In September of 2006, VISA changed the transaction volume threshold for level-2 merchants from counting only e-commerce transactions to counting transactions through all payment channels. Admittedly a subtle change, but one that created a significant impact: many retailers that formerly did very little or no business online, and were as a result classified at the lowest two PCI compliance tiers, suddenly became level-2. Their in-store transactions were counted, and the million annual transaction volume threshold was easily crossed.

Such newly classified level-2 retailers are generally not small. They may have a few hundred stores nationwide, but still clear less than the 6 million annual card transactions per brand needed to be classified as level-1. Because the card brands do not aggregate transactions, VISA only counts VISA transactions, making the VISA level-1 threshold more difficult to cross.