Visa, NRF Seek to Reduce Vulnerable Payment Card Data in Merchant Systems

7/15/2010

Visa Inc. has launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems. Understanding the significant commitment by merchants to secure the payment system and protect sensitive cardholder information from criminals, Visa is clarifying that existing operating regulations ensure acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.

Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF indicates that there is marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors. To clarify, Visa operating regulations stipulate the following:

Issuers must accept a disguised or suppressed card number on transaction receipts for dispute resolution.
Merchants may keep truncated or disguised card numbers and reduce the amount of potential vulnerable data stored in their systems.

Card number truncation best practices

Additionally, Visa has developed global best practices for acquirers and merchants who choose not to store full card numbers to truncate, disguise or mask card information in cardholder and merchant receipts, reducing the amount of sensitive information in storage. Best practices for card number truncation include:

On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number (####-####-####-1234) and suppress the full expiration date (currently required in the U.S.).
On the merchants' copy of the receipt, merchants should disguise or suppress so that a maximum of the first six and last four digits of the card number are displayed (1234-56##-####-1234) and suppress the full expiration date on the merchant copy of receipts.
Acquirers should support their merchants who choose not to store full card numbers by providing transaction data storage. Merchants may then retain only disguised or suppressed card numbers on the merchant copy of the receipts.
Acquirers should evolve their systems to provide merchants with substitute transaction identifiers or tokens, in place of using full card numbers.
Acquirers should disguise or suppress card numbers in any merchant communications, such as email, reports, statements, etc. The Payment Card Industry Data Security Standards (PCI DSS) already requires that card numbers transmitted over public networks must be rendered unreadable (e.g. by encryption, truncation or hashing).

Visa will work with key stakeholders to consider incorporating the best practices formally into Visa Operating Regulations and is soliciting industry feedback until August 31, 2010. The best practices are available at http://www.visa.com/cisp.

Visa previously established efforts to ensure that merchants do not store other, more sensitive data elements which are specifically targeted by criminals, including card security codes and PIN data. In particular, Visa has required the largest Visa accepting merchants to confirm that they do not store such prohibited data and thus far 96 percent of Level 1 and 2 merchants globally have done so. In addition, Visa has promoted the use of secure payment applications to ensure small and medium sized merchants do not store prohibited data.

RELATED PCI NEWS

Hypercom's Optimum 4200 Countertop & Mobile Products Achieve PCI PTS 2.1 Security Approval

McAlister's Deli Partners with SecureConnect to Encourage PCI Compliance among Franchise Community

Related Topics