Visa and NRF Seek to Reduce Vulnerable Payment Card Data in Merchant Systems
SAN FRANCISCO, Jul 14, 2010 (BUSINESS WIRE) --
Visa Inc. (NYSE: V) launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems. Understanding the significant commitment by merchants to secure the payment system and to protect sensitive cardholder information from criminals, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.
"Visa's priority is protecting cardholders and the integrity of the electronic payments system," said Eduardo Perez, Head of Global Payment System Security, Visa Inc. "By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs."
Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF's comments indicated marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors. To clarify, Visa operating regulations stipulate the following:
National Retail Federation senior vice president and chief information officer David Hogan welcomes Visa's effort. "We have long advocated that retailers should not be required to store their customers' full card numbers and instead rely on an alternative identification number to reference a transaction," he said. "NRF has been pleased to take a leadership role working with Visa in this effort to assist retailers in our mutual goal of securing customers' information while potentially reducing the scope of the PCI Data Security Standard. Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information. This clarification from Visa is a promising step in that direction," said Hogan.
"Making data less vulnerable to card thieves by eliminating it wherever possible has been a major focus by Visa for several years now," Perez said. "Visa is committed to helping develop workable solutions that reduce the burden on merchants who must secure their payment systems from criminal threats. Working with the National Retail Federation has helped us identify an issue and address it effectively."
Card Number Truncation Best Practices
Additionally, Visa has developed global best practices for acquirers and merchants who choose not to store full card numbers. They describe how to truncate, disguise or mask card information in cardholder and merchant receipts, reducing the amount of sensitive information in storage. The following are best practices for card number truncation:
Visa will work with key stakeholders to consider incorporating the best practices formally into Visa Operating Regulations and is soliciting industry feedback until August 31, 2010. The best practices are available at https://www.visa.com/cisp.
Visa previously established efforts to ensure that merchants do not store prohibited data elements that are specifically targeted by criminals, including card security codes and PIN data. In particular, Visa has required the largest Visa-accepting merchants to confirm that they do not store such prohibited data, and thus far 96 percent of Level 1 and 2 merchants globally have done so. In addition, Visa has promoted the use of secure payment applications to ensure small and medium-sized merchants do not store prohibited data.
About Visa Inc.: Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world's most advanced processing networks--VisaNet--that is capable of handling more than 10,000 transactions a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank, and does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its financial institution customers to offer consumers more choices: Pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit https://www.corporate.visa.com.
SOURCE: Visa Inc. and National Retail Federation