Visa To Acquirers: Stop Forcing PAN Retention

Written by Evan Schuman
July 14th, 2010

Visa on Wednesday (July 14) sent a direct message to acquiring banks: Stop making retailers retain credit card information unless you want to stop servicing Visa. A key Visa security executive (Eduardo Perez, the head of global payment system security) said the brand is now merely “strongly encouraging [acquirers] to not require” retailers to store PANs but, by September, that might become an official edict.

This is an unusual twist in the ongoing saga of Visa versus the retailers. Merchant groups for years have begged for retailers to not be forced to retain PAN data and Visa typically has responded, “We don’t require that.” But Visa has now, for the first time publicly, conceded that many acquirers have indeed been requiring such data.

Visa’s official statement stressed confusion and misinterpretation as the key culprit. Execs on Wednesday, however, said the data retention is just as often caused by outdated equipment and software, on both the retailer and acquirer ends.

“Due to misinterpretation of Visa dispute processing rules, some acquirers require their merchants to unnecessarily store full Primary Account Numbers (PANs) for exception processing to resolve disputes. The unnecessary storage of full card PAN information by merchants has led to incidents of data compromise, theft or unintended disclosure during disposal,” the Visa statement said. “Additional confusion exists due to inconsistent dispute resolution practices by issuers and acquirers in use across different geographies, leading some merchants to conclude that PAN data must be retained for all transactions.”

The distinction between “strongly discourage” and “forbid” is significant. Again, from Visa’s memo: “Visa does not require merchants to store PANs, but does recommend that merchants rely on their acquirer/processor to manage this information on the merchants’ behalf.”

In short, Visa doesn’t want the data retained, but it is leaving the decision to those closest to the merchants. That stance may change this fall.

Visa is seeking comment from the community through August 31. After that, depending on the feedback, a policy change may materialize that could outright ban the practice of requiring retailers to retain the data, Visa’s Perez said in an interview. He added: “We may be requiring it at some point.”

Prohibiting acquirers from requiring such data is a powerful first step. But even that move would still leave the door open to lots of PAN retention from retailers who willingly keep that data.

Both Visa and the National Retail Federation (NRF) issued related statements on July 14. Each spoke of various ways transactions could be handled without PAN retention, most of which revolve around either truncation or some variation of tokenization.

“Understanding the significant commitment by merchants to secure the payment system and protect sensitive cardholder information from criminals,” said the joint Visa-NRF statement, “Visa is clarifying that existing operating regulations ensure acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.”

That joint statement added: “Merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests.”

Part of the holdup for this type of token approach is outdated legacy systems, with both some acquirers and retailers, Perez said. Those systems will have to be upgraded to support any tokenization approach. Those assessors and retailers “should start to make changes,” he said


4 Comments | Read Visa To Acquirers: Stop Forcing PAN Retention

  1. pcidssguy Says:

    Rearranging the deck chairs… While you must applaud Visa for coming out with a strong recommendation to improve the payment system, this particular action will do nothing to reduce the frequency of merchants getting breached. PAN data has very limited value to the criminals. You can’t make a counterfeit card with it. The major threat to merchants today is the memory parsing malware that was identified by Trustwave back in 2008. The way to protect against this threat is to secure the merchant’s network, a PCI-DSS requirement. End to end encryption is starting to look like a promising security layer as well.

    A more meaningful recommendation for the acquiring banks would have been: “Now that we’re past July 1 and all your merchants are running PA-DSS validated software, please make sure they install a commercial firewall and stop using their POS system for surfing the internet.”

    If this recommendation becomes an edict, it will create costly churn for the merchants, acquiring banks and technology providers that does nothing to stop the breaches.

  2. PCI Guy Says:

    I guess that means merchants will soon be required to switch to ‘host-based’ processing systems, and deal with all the associated headaches, since the ‘terminal-based’ transaction systems most merchants are currently using require storing PANs until the settlement batch is submitted. (Or does that not count as ‘storage’? Neither the PCI Council nor the card brands have been willing to clarify that point.)

  3. Alex Wieder Says:

    I’ve been saying it for years.. Why the &$##$@(& do merchants store ANYTHING? The only exception being subscription services that need to bill users periodically, and even that can be done differently, securely, and just as efficiently.

    The convenience customers get for not having to present a credit card when they return something they bought is far out-weighed by the risk involved in trusting a stranger with your card’s information.

    PCI is just like the patriot act. Totally useless other than for PCI-certifying agencies, which are now making a ton of money charging for the privilege of having merchants answer ridiculous surveys “correctly”.


  4. Howard Falcon Says:

    Alex, your insight into PCI is outstanding. I now don’t feel like I am the only one that thinks that PCI is nothing more than the good old boys putting together another business to make a ton of money on forced fees.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.