Card association Visa says 65% of the largest US merchants are now compliant with the Payment Card Industry Data Security Standard (PCI DSS), up from 36% in December 2006.
Among medium-sized merchants, compliance grew from 15% in December 2006 to 43% as at the end of September 2007, says Visa. The two groups of merchants - Level 1 and Level 2 - account for approximately two-thirds of Visa's US transaction volume.
As of 1 October, Visa began levying fines of $25,000 a month on US acquirers for each of their Level 1 merchants that had not validated PCI DSS compliance by a 30 September deadline.
The deadline was set in December last year when Visa introduced a $20 million incentive programme in order to increase merchant compliance. The programme targeted acquirers responsible for the largest 1200 merchants.
Visa hasn't disclosed if it has imposed any fines for failing to comply with the PCI DSS.
However, the card association does say that 99% of Level 1 and 2 merchants have confirmed they are not storing data - such as magnetic stripe and PIN information - that can be used fraudulently by hackers.
Concerns about the security of cardholder data have escalated following the TJX security breach earlier this year.
TJX said in March that fraudsters who hacked its computer systems managed to steal 45.7 million credit and debit card numbers over a period of more than 18 months. But according to filings in a bank case against TJX, the breach is even bigger than first reported and 94 million Visa and MasterCard accounts could have been exposed.
Visa says it is also pushing for PCI DSS compliance among smaller merchants. In May the company disclosed requirements for US acquirers to identify security risks among their smaller merchant customers and develop an educational programme to raise their awareness and understanding of the PCI DSS.