Visa, along with the National Retail Federation (NRF), has launched a new global effort to reduce unnecessary storage of sensitive card information in merchant payment systems.
Visa and NRF agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests.
Visa is clarifying the existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.
According to the Visa clarifications, issuers must accept a disguised or suppressed card number on transaction receipts for dispute resolution, and merchants may keep truncated or disguised card numbers and so reduce the amount of potentially vulnerable data stored in their systems.
Some of the practices developed by Visa include:
On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number (####-####-####-1234) and suppress the full expiration date (currently required in the US).
On the merchant copy of the receipt, merchants should disguise or suppress the card number so that a maximum of the first six and last four digits are displayed (1234-56##-####-1234), and should also suppress the full expiration date.
Eduardo Perez, head of global payment system security at Visa, said: “Making data less vulnerable to card thieves by eliminating it wherever possible has been a major focus by Visa for several years now. Visa is committed to helping develop workable solutions that reduce the burden on merchants who must secure their payment systems from criminal threats. Working with the NRF has helped us identify an issue and address it effectively.”
David Hogan, senior vice president and chief information officer at NRF, said: “Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information. This clarification from Visa is a promising step in that direction.”