Visa moves to reduce payment card data in retail systems

It wants banks to accept truncated data, tokens in lieu of full account numbers

A new payment card security initiative launched by Visa Inc. Wednesday could eliminate the need for retailers and other organizations to store full, 16-digit credit and debit card numbers on their systems.

The move comes in response to long-standing pressure from the National Retail Federation (NRF), which insists that merchants should not be required to store the information because of security risks.

Many must do so because credit card issuing banks and the merchant's own financial institutions require the full 16-digit primary account number (PAN) in order to resolve refunds, charge backs and other customer disputes. In some cases, large retailers also voluntarily store PAN data, either because they need it internally or because of legacy systems.

Visa itself meanwhile, does not require merchants to store PAN data, but it does require them to protect the data in accordance with Payment Card Industry Data Security Standards (PCI DSS).

Under the initiative unveiled yesterday, Visa will push card issuers and acquiring banks to allow merchants to present truncated, disguised or otherwise masked card numbers for dispute resolution cases. Some permit this already, but the goal is to make the practice broader, said Eduardo Perez, head of global payment system security at Visa.

As part of the effort, Visa will urge card issuers, acquirers and processors to adopt systems that do not depend on full PAN data for dispute resolution and other issues, Perez said. An "acquiring" bank is the payment industry term for a financial institution that vets and clears a merchant to accept payment card transactions.

In addition, Visa also announced a set of best practices for tokenization, a process in which PAN data is replaced by a set of proxy numbers that can then be used for dispute resolution and other purposes. Visa's best practices are meant to inform vendors, service providers, merchants and acquires on issues such as proper generation and management of tokens and ways to protect tokenization systems.

For the moment, at least, Visa is only recommending that banks and processors consider making the changes as part of a broader effort to improve security in the payment industry, Perez said. It is also asking them to consider storing all the PAN data themselves rather than requiring merchants to do it, he said.

Visa plans to seek feedback from industry stakeholders on the challenges and issues involved in moving to a more secure payment industry model, he said. After Visa reviews the feedback, it will decide whether to make the recommendations, a mandated requirement, he said.

David Hogan, a senior vice president and CIO at the NRF, welcomed the move and said it would benefit not just retailers but also every other entity that accepts payment card transactions.

"I think it was definitely influenced by feedback from the NRF and the merchant community," Hogan said. "This sets into place a mechanism for merchants to reduce the scope of their PCI compliance."

Visa's move makes it clear to banks that they cannot require merchants to store PAN data against their will, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

  
Shop Tech Products at Amazon