Visa Inc. on Wednesday made it clear that acquiring banks and issuers must not require merchants to retain full credit card numbers for dispute resolution.
San Francisco-based Visa clarified its rules for merchant retention of credit card data in a joint statement with the National Retail Federation (NRF), which has long advocated that retailers shouldn't be required to store full card numbers.
Acquirers and issuers must allow merchants to present "a truncated, disguised or masked card number on a transaction receipt" for dispute resolution, Visa said. The unnecessary storage of full Primary Account Numbers (PANs) by merchants has led to data compromise, theft and unintentional disclosure, the company said.
"Visa and the National Retail Federation agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests," the organizations said. "While Visa does not require merchants to store full card numbers beyond settlement, NRF's comments indicated that marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors."
Diana Kelley, founder and partner at consulting firm SecurityCurve, said the announcement is a good step.
"For a long time, merchants and the NRF have been pushing for a way to minimize PCI scope by only having to store a truncated PAN and a unique non-PAN token. Unfortunately for a number of reasons -- many of them legacy related -- this was not being supported by PCI [Data Security Standard] and banks," she said.
"So this announcement is a very positive move in the right direction," she added. "Let merchants concentrate on providing good products and service and not have to keep PANs after authorization and let the banks/card companies concentrate on keeping PAN information safe."
The only caveat, Kelley said, was that some legacy systems may require software updates or upgrades and POS systems may need software and hardware upgrades. "But in the long run this investment should be made up for by the reduction in PCI protection since merchants will no longer need to store PANs past authorization," she said.
Visa on Wednesday also released best practices for card number truncation, which it may incorporate formally into its operation regulations. The company is accepting industry feedback on the best practices until Aug. 31, 2010
"Visa's priority is protecting cardholders and the integrity of the electronic payments systems," Eduardo Perez, head of global payment system security at Visa, said in a prepared statement. "By reducing the amount of vulnerable data in merchant systems that must be protected from compromise, merchants can see greater security as well as more streamlined compliance needs."