SAN FRANCISCO, Calif.– Merchants that process the most credit and debit card transactions have until Sept. 30, 2009 to prove they no longer store any consumers’ sensitive card data on their systems, according to Visa Inc.’s announcement of the most recent card data security standards.

The payment card industry data security standards are developed and promulgated by the Data Security Council, an open industry body with representatives from all the major card brands that sets card data security standards for the entire card payments system. The deadline impacts merchants which process more than 1 million card transactions per year (called level 1 and 2 merchants).

Merchants found not in compliance after that date can be fined and face other enforcement measures, Visa said. Previously, Visa has suggested the majority of the biggest merchants are already compliant with the data security standards.