Visa Inc launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems.
Understanding the significant commitment by merchants to secure the payment system and to protect sensitive cardholder information from criminals, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number. "Visa's priority is protecting cardholders and the integrity of the electronic payments system," said Eduardo Perez, Head of Global Payment System Security, Visa Inc. "By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs."
Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF's comments indicated marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors. To clarify, Visa operating regulations stipulate the following:
-- Issuers must accept a disguised or suppressed card number on transaction receipts for dispute resolution.
-- Merchants may keep truncated or disguised card numbers and reduce the amount of potentially vulnerable data stored in their systems.
National Retail Federation (NRF) senior vice-president and chief information officer David Hogan welcomes Visa's effort.
"We have long advocated that retailers should not be required to store their customers' full card numbers and instead rely on an alternative identification number to reference a transaction," he said. "NRF has been pleased to take a leadership role working with Visa in this effort to assist retailers in our mutual goal of securing customers' information while potentially reducing the scope of the PCI Data Security Standard," said Hogan.
"Merchants should be encouraged to minimise both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalised for not storing card information. This clarification from Visa is a promising step in that direction," Hogan added.