Visa Clarifies Security Rules

Merchants may store only partial credit card numbers on the receipts they keep in case charges are challenged.

July 16, 2010

WASHINGTON - This week Visa Inc. said it??s going to reduce unnecessary storage of sensitive card information in merchant payment systems. Specifically, Visa is clarifying that existing operating regulations ensure acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.

"By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs," said Visa??s Eduardo Perez, head of global payment system security, in a statement.

StorefrontBacktalk.com writes that Visa??s announcement is an "unusual twist in the ongoing saga of Visa versus the retailers," noting that merchant groups, such as NACS, have maintained for years that retailers should not be forced to retain primary account number (PAN) data ?" to which Visa typically responded: "We don??t require that."

Now Visa is recognizing that there was in fact confusion and ample room for misinterpretation.

"Due to misinterpretation of Visa dispute processing rules, some acquirers require their merchants to unnecessarily store full PANs for exception processing to resolve disputes. The unnecessary storage of full card PAN information by merchants has led to incidents of data compromise, theft or unintended disclosure during disposal," noted a Visa statement. "Additional confusion exists due to inconsistent dispute resolution practices by issuers and acquirers in use across different geographies, leading some merchants to conclude that PAN data must be retained for all transactions."

Gray Taylor, NACS payments consultant, noted: "We are pleased that Visa has decided to enforce some operating rules that benefit the retailer. In meetings with Visa, we have constantly highlighted the acquirers?? requirement to retain PAN data for retrievals as inconsistent with Visa rules and PCI standards, and Visa has agreed. With Visa??s decision, retailers are out of at least one 'damned if you do, damned if you don??t?? situation related to data security compliance."

Advertisement
Advertisement
Advertisement