Just over a third of large-volume Visa merchants in the US failed to meet a 30 September deadline to comply with the Payment Card Industry's 12-part Data Security Standard, Visa has said, and those companies are facing fines.

Visa said 65% of the largest US merchants (those processing six million or more Visa transactions annually, known as Level I) have validated compliance with the PCI DSS 1.1., up from 36% in December. The standard is set by the PCI Security Standards Council, whose membership includes the card associations Visa, MasterCard, and American Express.

Visa also said validation for the PCI security standard among mid-sized merchants (those processing one million to six million Visa transactions annually) has reached 43%, up from 15% in December. This Level II group is expected by Visa to validate compliance by the end of the year. Level I and Level II merchants constitute two-thirds of Visa's transaction volumes, the company said.

Smaller merchants also are being encouraged to become compliant with PCI DSS, and a number say their banks and the card associations are contacting them with deadlines to achieve compliance, which may include a self-assessment audit or one performed by a PCI-qualified security assessor.

Visa in May announced requirements for US acquiring banks to identify security risks among their smaller merchant customers and develop an educational program to raise awareness about PCI DSS. Since then, 100 percent of the merchant banks active with Visa have submitted plans, the company said.

The PCI Security Standards Council is updating DSS for new requirements likely to pertain for next year, although debate about it is ongoing. Plans are expected to be finalised in the coming months.