National Retail Federation and Visa promote card account elimination to advance data security
San Francisco, July 14, 2010
Visa Inc. (NYSE: V) launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems. Understanding the significant commitment by merchants to secure the payment system and to protect sensitive cardholder information from criminals, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.
“Visa’s priority is protecting cardholders and the integrity of the electronic payments system,” said Eduardo Perez, Head of Global Payment System Security, Visa Inc. “By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs.”
Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF’s comments indicated marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors. To clarify, Visa operating regulations stipulate the following:
Issuers must accept a disguised or suppressed card number on transaction receipts for dispute resolution.
Merchants may keep truncated or disguised card numbers and reduce the amount of potential vulnerable data stored in their systems.
National Retail Federation senior vice president and chief information officer David Hogan welcomes Visa’s effort. “We have long advocated that retailers should not be required to store their customers’ full card numbers and instead rely on an alternative identification number to reference a transaction,” he said. “NRF has been pleased to take a leadership role working with Visa in this effort to assist retailers in our mutual goal of securing customers’ information while potentially reducing the scope of the PCI Data Security Standard. Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information. This clarification from Visa is a promising step in that direction,” said Hogan.
“Making data less vulnerable to card thieves by eliminating it wherever possible has been a major focus by Visa for several years now,” Perez said. “Visa is committed to helping develop workable solutions that reduce the burden on merchants who must secure their payment systems from criminal threats. Working with the National Retail Federation has helped us identify an issue and address it effectively.”
Card Number Truncation Best Practices
Additionally, Visa has developed global best practices for acquirers and merchants who choose not to store full card numbers to truncate, disguise or mask card information in cardholder and merchant receipts, reducing the amount of sensitive information in storage. The following are best practices for card number truncation:
On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number (####-####-####-1234) and suppress the full expiration date (currently required in the U.S.)
On the merchants’ copy of the receipt, merchants should disguise or suppress the card number so that a maximum of the first six and last four digits of the card number are displayed (1234-56##-####-1234) and suppress the full expiration date on the merchant copy of receipts.
Acquirers should support merchants who choose not to store full card numbers by providing transaction data storage. Merchants may then retain only disguised or suppressed card numbers on the merchant copy of the receipts.
Acquirers should evolve their systems to provide merchants with substitute transaction identifiers or tokens, in place of using full card numbers.
Acquirers should disguise or suppress card numbers in any merchant communications, such as email, reports, statements, etc. The Payment Card Industry Data Security Standard (PCI DSS) already requires that card numbers transmitted over public networks be rendered unreadable (e.g. by encryption, truncation or hashing).
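The two truncation formats above, plus the redaction of card numbers in merchant-facing reports and email, as an added example in Python (this is not Visa's or NRF's code). It assumes the masks shown on this page (last four on the cardholder copy, first six and last four on the merchant copy), suppresses every digit of the expiration date, and uses a Luhn check so that order or reference numbers of similar length in free text are not mistaken for card numbers. The sample inputs are constructed; 4111 1111 1111 1111 is a well-known test number, not a real account.

```python
import re

# Added example, not Visa's or NRF's code. Implements the truncation
# formats described in the best practices above.
MASK = "#"


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to cut false positives when scanning free text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, copy: str = "cardholder") -> str:
    """Mask a card number, keeping any separators where they were.

    copy="cardholder": keep only the last four        (####-####-####-1234)
    copy="merchant":   keep first six and last four   (1234-56##-####-1234)
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    n = len(digits)
    if copy == "cardholder":
        keep = set(range(n - 4, n))
    elif copy == "merchant":
        keep = set(range(6)) | set(range(n - 4, n))
    else:
        raise ValueError(f"unknown receipt copy: {copy!r}")
    out, i = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if i in keep else MASK)
            i += 1
        else:
            out.append(ch)            # separators are left in place
    return "".join(out)


def receipt_line(pan: str, expiry: str, copy: str = "cardholder") -> str:
    """Account line of a receipt: masked number, expiration date suppressed."""
    exp = re.sub(r"\d", MASK, expiry)
    return f"{mask_pan(pan, copy)}  EXP {exp}"


# Candidate card number: 13-19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_text(text: str, copy: str = "cardholder") -> str:
    """Redact full card numbers in reports, email or statements to merchants.

    Only Luhn-valid runs are masked, so order numbers and phone numbers
    that happen to be 13-19 digits long are left untouched.
    """
    def _sub(m):
        try:
            return mask_pan(m.group(0), copy)
        except ValueError:
            return m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    pan = "4111-1111-1111-1111"                       # constructed test number
    print(receipt_line(pan, "12/14", "cardholder"))   # ####-####-####-1111  EXP ##/##
    print(receipt_line(pan, "12/14", "merchant"))     # 4111-11##-####-1111  EXP ##/##
    note = "Chargeback ref 9876543: card 4111 1111 1111 1111, order 1234567890123"
    print(redact_text(note))
```

One caveat a practitioner should keep in mind: the merchant-copy format leaves only six digits unknown, and the Luhn check digit removes one more, so a first-six/last-four value should never be stored next to a hash of the same card number, where the two together would make the full number recoverable by brute force. The cardholder-copy format (last four only) is the safer default for anything that leaves the merchant's control.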
Visa will work with key stakeholders to consider incorporating the best practices formally into Visa Operating Regulations and is soliciting industry feedback until August 31, 2010. The best practices are available at www.visa.com/cisp.
Visa previously established efforts to ensure that merchants do not store prohibited data elements which are specifically targeted by criminals, including card security codes and PIN data. In particular, Visa has required the largest Visa-accepting merchants to confirm that they do not store such prohibited data and thus far 96 percent of Level 1 and 2 merchants globally have done so. In addition, Visa has promoted the use of secure payment applications to ensure small and medium sized merchants do not store prohibited data.