Visa To Acquirers: Stop Forcing PAN Retention
Written by Evan Schuman

Visa on Wednesday (July 14) sent a direct message to acquiring banks: Stop making retailers retain credit card information unless you want to stop servicing Visa. A key Visa security executive (Eduardo Perez, the head of global payment system security) said the brand is now merely “strongly encouraging [acquirers] to not require” retailers to store PANs but, by September, that might become an official edict.
This is an unusual twist in the ongoing saga of Visa versus the retailers. Merchant groups for years have begged for retailers to not be forced to retain PAN data and Visa typically has responded, “We don’t require that.” But Visa has now, for the first time publicly, conceded that many acquirers have indeed been requiring such data.
Visa’s official statement stressed confusion and misinterpretation as the key culprit. Execs on Wednesday, however, said the data retention is just as often caused by outdated equipment and software, on both the retailer and acquirer ends.
“Due to misinterpretation of Visa dispute processing rules, some acquirers require their merchants to unnecessarily store full Primary Account Numbers (PANs) for exception processing to resolve disputes. The unnecessary storage of full card PAN information by merchants has led to incidents of data compromise, theft or unintended disclosure during disposal,” the Visa statement said. “Additional confusion exists due to inconsistent dispute resolution practices by issuers and acquirers in use across different geographies, leading some merchants to conclude that PAN data must be retained for all transactions.”
The distinction between “strongly discourage” and “forbid” is significant. Again, from Visa’s memo: “Visa does not require merchants to store PANs, but does recommend that merchants rely on their acquirer/processor to manage this information on the merchants’ behalf.”
In short, Visa doesn’t want the data retained, but it is leaving the decision to those closest to the merchants. That stance may change this fall.
Visa is seeking comment from the community through August 31. After that, depending on the feedback, a policy change may materialize that could outright ban the practice of requiring retailers to retain the data, Visa’s Perez said in an interview. He added: “We may be requiring it at some point.”
Prohibiting acquirers from requiring such data is a powerful first step. But even that move would still leave the door open to lots of PAN retention from retailers who willingly keep that data.
Both Visa and the National Retail Federation (NRF) issued related statements on July 14. Each spoke of various ways transactions could be handled without PAN retention, most of which revolve around either truncation or some variation of tokenization.
“Understanding the significant commitment by merchants to secure the payment system and protect sensitive cardholder information from criminals,” said the joint Visa-NRF statement, “Visa is clarifying that existing operating regulations ensure acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.”
That joint statement added: “Merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests.”
Part of the holdup for this type of token approach is outdated legacy systems at both some acquirers and some retailers, Perez said. Those systems will have to be upgraded to support any tokenization approach. Those acquirers and retailers “should start to make changes,” he said.
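The joint statement above talks about a truncated or masked card number on the receipt and about letting the acquirer/processor hold the PAN on the merchant's behalf. The following is an added illustration of both ideas, not code from Visa, the NRF or the article: a masking function using the truncation rule PCI DSS allowed at the time (first six and last four digits at most; receipts usually keep only the last four), a Luhn sanity check, and a toy in-memory "processor vault" that hands the merchant a random token in place of the PAN. The vault, the `tok_` prefix and the merchant record layout are assumptions made for the example; a real processor's tokenization API will differ.

```python
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string. A sanity check only: a valid
    checksum says nothing about whether the account exists."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncate a PAN for a receipt or dispute paperwork.

    Defaults follow the PCI DSS masking rule in force when the article
    was written (at most first six and last four digits visible).
    Use keep_first=0 for a receipt that shows only the last four.
    """
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13 to 19 digits")
    hidden = len(pan) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("mask would expose the full PAN")
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


class ProcessorVault:
    """Stand-in for the acquirer/processor that keeps the full PAN.
    (Assumed for this example; a real vault is a separate, hardened
    system, not a dict in the merchant's process.)"""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # Random token: carries no information about the PAN, so it is
        # worthless to a thief who steals the merchant's database.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can map a token back, e.g. for a dispute."""
        return self._pans[token]


@dataclass
class MerchantRecord:
    """What the merchant keeps for a sale: enough to answer a retrieval
    request without retaining the PAN itself."""
    order_id: str
    amount_cents: int
    token: str
    masked_pan: str


def merchant_authorize(vault: ProcessorVault, order_id: str,
                       amount_cents: int, pan: str) -> MerchantRecord:
    """Merchant-side flow: PAN goes to the processor, token comes back."""
    token = vault.tokenize(pan)
    return MerchantRecord(order_id, amount_cents, token,
                          mask_pan(pan, keep_first=0, keep_last=4))


def record_contains_pan(record: MerchantRecord, pan: str) -> bool:
    """True if the full PAN survives anywhere in the merchant's record."""
    return pan in (record.token, record.masked_pan, record.order_id)


if __name__ == "__main__":
    # "4111111111111111" is a constructed, publicly known test number.
    vault = ProcessorVault()
    rec = merchant_authorize(vault, "order-1001", 1999, "4111111111111111")
    print(rec)                                   # no full PAN in here
    print(vault.detokenize(rec.token))           # processor resolves it
```

The point a practitioner should take from this: the merchant's record (token plus masked PAN) is enough to print a receipt and to reference the transaction in a dispute, while the only copy of the full PAN sits with the processor. Dropping the full PAN from merchant storage also shrinks the PCI DSS scope of the systems that hold those records.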
July 15th, 2010 at 9:12 am
Rearranging the deck chairs… While you must applaud Visa for coming out with a strong recommendation to improve the payment system, this particular action will do nothing to reduce the frequency of merchants getting breached. PAN data has very limited value to the criminals. You can’t make a counterfeit card with it. The major threat to merchants today is the memory-parsing malware that was identified by Trustwave back in 2008. The way to protect against this threat is to secure the merchant’s network, a PCI-DSS requirement. End-to-end encryption is starting to look like a promising security layer as well.
A more meaningful recommendation for the acquiring banks would have been: “Now that we’re past July 1 and all your merchants are running PA-DSS validated software, please make sure they install a commercial firewall and stop using their POS system for surfing the internet.”
If this recommendation becomes an edict, it will create costly churn for the merchants, acquiring banks and technology providers that does nothing to stop the breaches.
July 15th, 2010 at 11:05 am
I guess that means merchants will soon be required to switch to ‘host-based’ processing systems, and deal with all the associated headaches, since the ‘terminal-based’ transaction systems most merchants are currently using require storing PANs until the settlement batch is submitted. (Or does that not count as ‘storage’? Neither the PCI Council nor the card brands have been willing to clarify that point.)
July 15th, 2010 at 11:31 am
I’ve been saying it for years: Why the &$##$@(& do merchants store ANYTHING? The only exception being subscription services that need to bill users periodically, and even that can be done differently, securely, and just as efficiently.
The convenience customers get for not having to present a credit card when they return something they bought is far out-weighed by the risk involved in trusting a stranger with your card’s information.
PCI is just like the Patriot Act. Totally useless other than for PCI-certifying agencies, which are now making a ton of money charging for the privilege of having merchants answer ridiculous surveys “correctly”.
Alex
July 29th, 2010 at 9:27 am
Alex, your insight into PCI is outstanding. I now don’t feel like I am the only one that thinks that PCI is nothing more than the good old boys putting together another business to make a ton of money on forced fees.