This is page 2 of:
Visa To Acquirers: Stop Forcing PAN Retention
NRF CIO David Hogan said in the joint statement that he welcomed “this clarification from Visa” and dubbed it “a promising step.” He added: “Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information.”
Hogan took it one step further and said that such efforts—whether truncation, tokenization or something else—“potentially reduces the scope of the PCI Data Security Standard.”
That claim of reduced PCI scope is not new. However, it’s not clear that tokenization would have a significant effect on scope reduction. Properly deployed—and if it works (always a big if)—tokens could potentially make breaches slightly less likely. And they might, over time, minimally reduce the hours of paperwork that PCI requires. That, in itself, could reduce costs.
As long as the retail chain is the deep pocket—which is how lawyers look at large retail chains—it will have the ultimate responsibility. If consumers walk into a Wal-Mart and hand an associate a Visa card (or even if they swipe it themselves) and if that data is later compromised, the blame will fall right back to the retailer.
As long as tokens can eventually be used to identify the full card data, that retailer had better assume that they will be and handle PCI processes as though truncation didn’t exist. That’s the only safe assumption to make.
If you have an extremely important document, it’s wise to assume that your backup will fail and to make multiple copies, stick it on a thumb drive, bring it home, print it out and stick it in a safe. The same should be said for PCI. Operate on the premise that all security systems will probably fail tonight, and you’ll likely make the proper decisions.
Visa also on Wednesday re-issued its tokenization best practices. “We know from working with the industry and from forensics investigations, that there are some common implementation pitfalls that have contributed to data compromises,” Perez said in the document. “For example, entities have failed to monitor for malfunctions, anomalies and suspicious activity, allowing an intruder to manipulate the tokenization system undetected.”
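The two controls the article keeps coming back to, truncation and vault-based tokenization, together with the monitoring pitfall Visa's document calls out, as an added illustration (this is not Visa's or any vendor's code): a token that is random rather than derived from the PAN, so it cannot be reversed without the vault, and a detokenization path that records an alert and refuses service when a caller exceeds a per-window request budget or asks for a token that does not exist. The PAN, caller names and thresholds are constructed for the example.

```python
import secrets
import time
from collections import defaultdict, deque

DIGITS = "0123456789"

def truncate_pan(pan):
    """PCI-style truncation: keep at most the first 6 and last 4 digits, mask the rest."""
    digits = "".join(ch for ch in pan if ch in DIGITS)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

class TokenVault:
    """Vault-based tokenization: tokens are random, so they reveal nothing about the
    PAN without the vault, and every detokenization is rate-checked per caller."""

    def __init__(self, max_detok_per_window=3, window_seconds=60.0):
        self._pan_to_token = {}
        self._token_to_pan = {}
        self._requests = defaultdict(deque)   # caller -> recent request timestamps
        self.max_detok = max_detok_per_window
        self.window = window_seconds
        self.alerts = []                      # (caller, time, reason) for the SOC

    def tokenize(self, pan):
        if pan in self._pan_to_token:         # one token per PAN (idempotent)
            return self._pan_to_token[pan]
        while True:
            # keep the last 4 for receipts; the rest is random, not derived from the PAN
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token, caller, now=None):
        """Return the PAN for a token, or raise and record an alert when the caller
        exceeds its detokenization budget or asks for a token that does not exist."""
        now = time.time() if now is None else now
        recent = self._requests[caller]
        while recent and now - recent[0] > self.window:   # forget requests outside window
            recent.popleft()
        recent.append(now)
        if len(recent) > self.max_detok:
            self.alerts.append((caller, now, "rate exceeded"))
            raise PermissionError(f"{caller}: detokenization rate exceeded")
        if token not in self._token_to_pan:
            self.alerts.append((caller, now, "unknown token"))
            raise KeyError(f"{caller}: unknown token")
        return self._token_to_pan[token]
```

A real deployment would persist the vault under access controls and ship `alerts` to the monitoring pipeline; the point here is that a tokenization system without that second half is exactly the blind spot the Visa document describes.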
Visa’s policy on PAN retention has not changed in recent years, but the policy of American Express has. As of October 2008, American Express changed its policy and no longer requires retailers to retain full account numbers and “card account number information is not required for dispute purposes,” said Lisa Gonzalez Anselmo, Amex’s director of public affairs and communications. That said, Amex does “require that merchants keep a copy of the sales receipt for 24 months.”
July 15th, 2010 at 9:12 am
Rearranging the deck chairs… While you must applaud Visa for coming out with a strong recommendation to improve the payment system, this particular action will do nothing to reduce the frequency of merchants getting breached. PAN data has very limited value to the criminals. You can’t make a counterfeit card with it. The major threat to merchants today is the memory parsing malware that was identified by Trustwave back in 2008. The way to protect against this threat is to secure the merchant’s network, a PCI-DSS requirement. End-to-end encryption is starting to look like a promising security layer as well.
A more meaningful recommendation for the acquiring banks would have been: “Now that we’re past July 1 and all your merchants are running PA-DSS validated software, please make sure they install a commercial firewall and stop using their POS system for surfing the internet.”
If this recommendation becomes an edict, it will create costly churn for the merchants, acquiring banks and technology providers that does nothing to stop the breaches.
July 15th, 2010 at 11:05 am
I guess that means merchants will soon be required to switch to ‘host-based’ processing systems, and deal with all the associated headaches, since the ‘terminal-based’ transaction systems most merchants are currently using require storing PANs until the settlement batch is submitted. (Or does that not count as ‘storage’? Neither the PCI Council nor the card brands have been willing to clarify that point.)
July 15th, 2010 at 11:31 am
I’ve been saying it for years... Why the &$##$@(& do merchants store ANYTHING? The only exception being subscription services that need to bill users periodically, and even that can be done differently, securely, and just as efficiently.
The convenience customers get for not having to present a credit card when they return something they bought is far out-weighed by the risk involved in trusting a stranger with your card’s information.
PCI is just like the Patriot Act. Totally useless other than for PCI-certifying agencies, which are now making a ton of money charging for the privilege of having merchants answer ridiculous surveys “correctly”.
Alex
July 29th, 2010 at 9:27 am
Alex, your insight into PCI is outstanding. I now don’t feel like I am the only one that thinks that PCI is nothing more than the good old boys putting together another business to make a ton of money on forced fees.