Visa U.S.A. Changes Merchant Criteria for Data Security Compliance

Approximately 1,000 merchants will have a different validation action
San Francisco – July 21, 2006 – Visa U.S.A. announced today that it is expanding the criteria of its merchant validation levels for compliance with the Payment Card Industry Data Security Standard (PCI DSS). Visa’s move is designed to decrease the risk of data compromises by shifting higher-volume merchants across all payment channels into a more rigorous compliance validation category.

“Protecting the environment is critical to ensuring the future growth of electronic payments,” said Mike E. Smith, Senior Vice President, Enterprise Risk and Compliance, Visa U.S.A. “Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace.”

The most significant modification involves the Level 2 merchant category, which previously applied only to merchants processing between 150,000 and 6 million Visa e-commerce transactions per year. Level 2 has now been broadened to include all acceptance channels and applies to any merchant processing 1 million to 6 million Visa transactions per year. While none of the validation requirements themselves have changed, merchants moving into a new validation level will be responsible for complying with that category’s validation responsibilities. For example, merchants moving from Level 4 to Level 2 must now have quarterly network security scans performed by a qualified independent scan vendor.

The revised criteria affect a relatively small number of merchants. Fewer than 1,000 Level 4 merchants are expected to move into the Level 2 category, while an equal number of former Level 2 merchants processing fewer than 1 million e-commerce transactions per year will move to Level 3. Within the next two months, acquirers will identify any merchant changing levels. These merchants are required to validate PCI compliance with their acquirer by Sept. 30, 2007, generally 12 months from the date of identification.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all merchants and any entity that stores, transmits or processes cardholder data. Validation of compliance is part of that process, with validation requirements varying for merchants based on factors such as transaction volume. A summary of the changes is listed in the chart below:
| Merchant Level | New Criteria | Prior Criteria | Required Validation Action |
| --- | --- | --- | --- |
| Merchant Level 1 | No change | Any merchant processing over 6 million Visa transactions per year or compromised in the past year, regardless of acceptance channel. | No change to validation action for this level. Annual onsite audit and quarterly scans required. |
| Merchant Level 2 | Any merchant processing 1 million to 6 million Visa transactions per year, regardless of acceptance channel. | Any merchant processing between 150,000 and 6 million Visa e-commerce transactions per year. | No change to validation action, but new definition expands the number of Level 2 merchants to include former Level 4 merchants. Annual self-assessment questionnaire and quarterly scans required. |
| Merchant Level 3 | Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year. | Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year. | No change to validation action, but new definition expands Level 3 to include merchants formerly in Level 2 processing fewer than 1 million e-commerce transactions per year. Annual self-assessment questionnaire and quarterly scans required. |
| Merchant Level 4 | Any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year. | Any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6 million Visa transactions per year. | No change to validation action, but new definition reduces the number of Level 4 merchants. Annual self-assessment questionnaire and quarterly scans may be required as specified by the member. |