Thursday, September 19, 2024

Visa Sets Interchange Penalty Under PCI: A One-Tier Downgrade

Acquirers will be penalized one interchange tier for large merchants that qualify for volume-based tiered rates and fail to show compliance with the Payment Card Industry data-security standard (PCI) by Sept. 30, Visa USA says. In a document it released earlier this month to its members, Visa clarified an interchange penalty it announced in December as part of its PCI compliance-acceleration program (Digital Transactions News, Dec. 12, 2006), which also includes incentive payments for acquirers whose merchants achieve compliance within specified time limits.

The December announcement said Level 1 and Level 2 merchants receiving interchange breaks that fail to validate compliance with PCI by Sept. 30 would no longer be eligible for the best available rate, but did not specify the extent of the penalty, known as a downgrade. The one-tier penalty would move non-compliant merchants to a higher rate than they would otherwise be eligible for and would apply to both Visa and Interlink transactions.

The recent member communication, however, also offers some measure of relief. Visa says merchants that validate PCI compliance by Sept. 30 of next year could qualify for a refund totaling the downgrade amount over a three-month span. To qualify, an executive-level officer with the merchant must certify the merchant tried its best to show compliance by Sept. 30, 2007, but needed more time. These merchants would also have their former rate restored within 20 business days of compliance validation by acquirers. Merchants validating compliance after Sept. 30, 2008 would still qualify for reinstatement of their best rate, but would no longer qualify for the refund.

The deadlines are applicable to Level 1 and Level 2 merchants identified by acquirers before Jan. 1, 2007. These merchants process at least 1 million Visa transactions annually, with Level 1 merchants submitting 6 million or more transactions.
Visa recently reported 40% of Level 1 and one-third of Level 2 merchants have now validated PCI compliance (Digital Transactions News, July 31). In the bank card networks, acquirers pay interchange to issuers and then pass the cost on to merchants, so merchants not in compliance by Sept. 30 would almost certainly receive the one-tier downgrade. The compliance acceleration program as announced in December also included fines for non-compliance. Backed by all of the general-purpose card networks, PCI includes a dozen broad-based security requirements that apply to all parties that touch transactions, including mandates regarding data encryption, non-storage of certain track data, and use of firewalls and anti-virus programs.

Separately, the merchant that sustained the largest data breach so far on record reported on Tuesday its costs related to the intrusion have amounted to $130 million in after-tax charges. Framingham, Mass.-based TJX Cos. Inc. said in its second-quarter earnings report it has sustained $23 million so far this year in costs to fix its computer system and has set aside a reserve of $107 million to cover expected losses and legal expenses. It also said it expected to sustain another $21 million in charges related to the incident, which it reported in January and in which hackers gained access to card data associated with nearly 46 million accounts. Discount merchandiser TJX operates a number of chains selling apparel and home fashions, including T.J. Maxx, Marshalls, and HomeGoods.
