Evan Schuman's StorefrontBacktalk

Visa on Wednesday (July 14) sent a direct message to acquiring banks: Stop making retailers retain credit card information unless you want to stop servicing Visa. A key Visa security executive (Eduardo Perez, the head of global payment system security) said the brand is now merely “strongly encouraging [acquirers] to not require” retailers to store PANs but, by September, that might become an official edict.

This is an unusual twist in the ongoing saga of Visa versus the retailers. Merchant groups for years have begged for retailers to not be forced to retain PAN data and Visa typically has responded, “We don’t require that.” But Visa has now, for the first time publicly, conceded that many acquirers have indeed been requiring such data.

Visa’s official statement stressed confusion and misinterpretation as the key culprit. Execs on Wednesday, however, said the data retention is just as often caused by outdated equipment and software, on both the retailer and acquirer ends.

“Due to misinterpretation of Visa dispute processing rules, some acquirers require their merchants to unnecessarily store full Primary Account Numbers (PANs) for exception processing to resolve disputes. The unnecessary storage of full card PAN information by merchants has led to incidents of data compromise, theft or unintended disclosure during disposal,” the Visa statement said. “Additional confusion exists due to inconsistent dispute resolution practices by issuers and acquirers in use across different geographies, leading some merchants to conclude that PAN data must be retained for all transactions.”

The distinction between “strongly discourage” and “forbid” is significant. Again, from Visa’s memo: “Visa does not require merchants to store PANs, but does recommend that merchants rely on their acquirer/processor to manage this information on the merchants’ behalf.”

In short, Visa doesn’t want the data retained, but it is leaving the decision to those closest to the merchants. That stance may change this fall.

Visa is seeking comment from the community through August 31. After that, depending on the feedback, a policy change may materialize that could outright ban the practice of requiring retailers to retain the data, Visa’s Perez said in an interview. He added: “We may be requiring it at some point.”

Prohibiting acquirers from requiring such data is a powerful first step. But even that move would still leave the door open to lots of PAN retention from retailers who willingly keep that data.

Both Visa and the National Retail Federation (NRF) issued related statements on July 14. Each spoke of various ways transactions could be handled without PAN retention, most of which revolve around either truncation or some variation of tokenization.

“Understanding the significant commitment by merchants to secure the payment system and protect sensitive cardholder information from criminals,” said the joint Visa-NRF statement, “Visa is clarifying that existing operating regulations ensure acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.”

That joint statement added: “Merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests.”

Part of the holdup for this type of token approach is outdated legacy systems, with both some acquirers and retailers, Perez said. Those systems will have to be upgraded to support any tokenization approach. Those assessors and retailers “should start to make changes,” he said