Just over a third of large-volume Visa merchants failed to meet a Sept. 30 deadline to comply with the Payment Card Industry's 12-part Data Security Standard, Visa said Wednesday, and those companies are facing fines of US$25,000 per month.

Visa said 65 percent of the largest U.S. merchants (those processing six million or more Visa transactions annually, known as Level I) have validated compliance with the PCI DSS 1.1., up from 36 percent in December. The standard is set by the Wakefield, Mass.-based PCI Security Standards Council, whose membership includes the card associations Visa, MasterCard, and American Express. Visa also said validation for the PCI security standard among midsize merchants (those processing one million to six million Visa transactions annually) has reached 43 percent as of Sept. 30, up from 15 percent in December. This Level II group is expected by Visa to validate compliance by Dec. 31. Level I and Level II merchants constitute two-thirds of Visa's transaction volumes, the company said.

Smaller merchants also are being encouraged to become compliant with PCI DSS, and a number say their banks and the card associations are contacting them with deadlines to achieve compliance, which may include a self-assessment audit or one performed by a PCI-qualified security assessor.

Visa in May announced requirements for U.S. acquiring banks to identify security risks among their smaller merchant customers and develop an educational program to raise awareness about PCI DSS. Since then, 100 percent of the merchant banks active with Visa have submitted plans, the company said.

The PCI Security Standards Council is updating DSS for new requirements likely to pertain for next year, although debate about it is ongoing. Plans are expected to be finalized in the coming months.