Visa, National Retail Federation Seek to Reduce Vulnerable Card Data
WASHINGTON -- Visa Inc. has launched a global effort with the National Retail Federation to reduce unnecessary storage of sensitive card information in merchant payment systems.
Visa is also clarifying that its existing operating regulations already require acquirers and issuers to accept a truncated, disguised or masked card number on a transaction receipt for dispute resolution, in place of the full 16-digit card number.
"Visa is committed to helping develop workable solutions that reduce the burden on merchants who must secure their payment systems from criminal threats," the company said in a statement. "Working with the National Retail Federation has helped us identify an issue and address it effectively."
Visa's priority is protecting cardholders and the integrity of the electronic payments system, added Eduardo Perez, head of global payment system security for Visa. "By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs."
Visa and NRF believe merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. NRF has indicated there is marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors.
Under Visa operating regulations, issuers must accept a disguised or suppressed card number on transaction receipts for dispute resolution. Merchants may therefore keep only truncated or disguised card numbers, reducing the amount of potentially vulnerable data stored in their systems.
"We have long advocated that retailers should not be required to store their customers' full card numbers and instead rely on an alternative identification number to reference a transaction," according to David Hogan, NRF's senior vice president and chief information officer. "Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information."
Additionally, Visa has developed global best practices for acquirers and merchants that choose not to store full card numbers, covering how to truncate, disguise or mask card information on cardholder and merchant receipts so that less sensitive information is held in storage. Best practices for card number truncation include:
* On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number and suppress the full expiration date (currently required in the United States).
* On the merchants’ copy of the receipt, merchants should disguise or suppress digits so that at most the first six and last four digits of the card number are displayed, and suppress the full expiration date.
* Acquirers should support merchants who choose not to store full card numbers by providing transaction data storage. Merchants may then retain only disguised or suppressed card numbers on the merchant copy of the receipts.
* Acquirers should evolve their systems to provide merchants with substitute transaction identifiers or tokens in place of using full card numbers.
* Acquirers should disguise or suppress card numbers in any merchant communications, such as email, reports, statements, etc. The Payment Card Industry Data Security Standard (PCI DSS) already requires that stored card numbers be rendered unreadable (e.g., by encryption, truncation or hashing) and that card numbers transmitted over open, public networks be encrypted.
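The truncation rules above, as an added example that is not Visa's or NRF's own code: a small Python module that masks a PAN for the cardholder copy (last four digits only) and the merchant copy (at most the first six and last four), suppresses the expiration date, checks that an already-masked value does not exceed the digit budget for its copy type, and shows why truncation is a display control rather than a cryptographic one by enumerating the full PANs a masked value still admits under the Luhn check. The copy-type names, mask character and the `receipt_fields` helper are this example's own choices, and the card numbers used are constructed, Luhn-valid test values rather than real accounts.

```python
"""PAN masking for receipts per the truncation best practices quoted above.
Added example, not Visa or NRF code. Card numbers below are constructed,
Luhn-valid test values, not real accounts."""
import itertools
import re

# Leading digits kept per copy type (assumed names); last four always kept.
LEADING_DIGITS_KEPT = {"cardholder": 0, "merchant": 6}
MASK_CHAR = "*"


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and require 13 to 19 digits (ISO/IEC 7812 PAN lengths)."""
    digits = re.sub(r"[ \-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str, copy: str) -> str:
    """Replace every digit not permitted on this copy type with MASK_CHAR."""
    pan = normalize_pan(raw)
    lead = LEADING_DIGITS_KEPT[copy]    # KeyError for an unknown copy type
    hidden = len(pan) - lead - 4
    return pan[:lead] + MASK_CHAR * hidden + pan[-4:]


def mask_expiry(_expiry: str) -> str:
    """Suppress the full expiration date; the real value is never echoed."""
    return "**/**"


def receipt_fields(raw_pan: str, expiry: str, copy: str) -> dict:
    """Masked fields to print on a receipt of the given copy type."""
    return {"pan": mask_pan(raw_pan, copy), "expiry": mask_expiry(expiry)}


def masking_compliant(masked: str, copy: str) -> bool:
    """True if an already-masked PAN (e.g. from a receipt template or a
    log line) reveals no more digits than the rule for that copy allows."""
    limit = LEADING_DIGITS_KEPT[copy] + 4
    return sum(ch.isdigit() for ch in masked) <= limit


def luhn_candidates(masked: str):
    """Yield every full PAN consistent with a masked PAN and the Luhn check.
    Each hidden digit multiplies the search space by 10, and Luhn removes
    only a factor of 10 overall, so a merchant-copy mask of a 13-digit PAN
    (3 hidden digits) leaves just 100 candidates. Brute force: use only on
    masks with few hidden digits."""
    holes = [i for i, ch in enumerate(masked) if ch == MASK_CHAR]
    chars = list(masked)
    for combo in itertools.product("0123456789", repeat=len(holes)):
        for i, d in zip(holes, combo):
            chars[i] = d
        candidate = "".join(chars)
        if luhn_ok(candidate):
            yield candidate


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"            # constructed test PAN
    for copy in ("cardholder", "merchant"):
        print(copy, receipt_fields(pan, "12/25", copy))
    short = mask_pan("4222222222222", "merchant")   # constructed 13-digit PAN
    print(short, "admits", sum(1 for _ in luhn_candidates(short)), "Luhn-valid PANs")
```

The `luhn_candidates` check is the caveat to keep in mind when a truncated PAN is combined with other retained data such as expiry date or cardholder name: truncation reduces what a receipt leaks, but it is not a substitute for the encryption, hashing or tokenization the list above recommends for anything that must be stored.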
Visa will work with key stakeholders to consider incorporating the best practices formally into Visa Operating Regulations and is soliciting industry feedback until August 31, 2010.