Sunday, November 24, 2024

NRF And Visa, Often at Odds, Come Together on Storage Rules

Not always the best of friends, the National Retail Federation and Visa Inc. saw fit on Wednesday to jointly announce that Visa had clarified its card-number storage rules to affirm that merchants may present a truncated or disguised number on a transaction receipt for dispute resolution in place of a full card number. The declaration, in separate press releases from both organizations, does not amount to a rules change, but by casting light on the issue, Visa might spur merchants to reduce their practice of unnecessary and risky storage of card numbers, perhaps with a little help from acquirers.

Visa says it issued the clarification to remind merchant acquirers, merchants, and card issuers about what merchants are responsible for under Visa’s operating regulations in chargeback resolution and re-presentments, according to Eduardo Perez, Visa’s head of global payment system security. The basic rule is that merchants are required to store the primary account number, or PAN, only until settlement is completed. Acquirers and issuers must allow merchants to present a “truncated, disguised, or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number,” the releases say.

“In some cases there’s been confusion there,” Perez tells Digital Transactions News.

The confusion comes from a number of sources. Some acquirers have, according to Perez, “either explicitly or implicitly” required that merchants store the full PAN for possible chargeback resolution, which can come long after settlement. Issuers too sometimes insist on the PAN rather than a masked number, he says. Computer hackers prize full PANs, not surprisingly, and they have stolen millions of stored card numbers through successful data breaches in recent years.

The NRF has often protested the cost and operational burden that the card networks’ common security rules, the Payment Card Industry data-security standard (PCI), place on merchants, and it supports the pending debit card interchange amendment in Congress that the networks strongly oppose. Even so, the nation’s largest retail trade group has worked with Visa and the other networks on security matters for years. David Hogan, senior vice president and chief information officer at the Washington, D.C.-based NRF, says his organization has been trumpeting the value of PAN alternatives for some time. “It just took a while for them [Visa] to come to realize that yeah, there probably is an issue,” he says. The NRF also has raised number storage with American Express Co., MasterCard Inc., and Discover Financial Services.

In its clarification, Visa stipulated that merchants may keep truncated or disguised card numbers and thereby reduce the amount of potentially vulnerable data stored in their systems. Many old, or legacy, merchant computer systems have unwittingly contributed to data breaches by automatically storing full card numbers, often without their owners’ knowledge.

On a closely related note, Visa also announced five global “best practices” for card-number truncation that it is considering for formal inclusion in its operating rules. One, already in effect in the U.S., says merchants should disguise or suppress all but the last four digits of the card number on the cardholder’s transaction receipt.

The other four are: the merchant receipt should disguise or suppress the card number so that it displays a maximum of the first six and last four digits of the PAN; acquirers should support merchants who choose not to store full card numbers by providing transaction data storage; acquirers should enable their computer systems to provide merchants with substitute transaction identifiers or tokens in place of full card numbers; and acquirers should disguise or suppress card numbers in any communications with merchants, including e-mails, statements, and reports. Visa is taking comments on the items until Aug. 31.
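As an added illustration (not code from Visa, the NRF, or the press releases), the following Python applies the two receipt rules above to PANs of any valid length and screens merchant-side text for full card numbers, the kind of check an acquirer or merchant might run over the statements, reports, e-mails and legacy logs that should carry only masked numbers. The function names, the `X` fill character and the sample report are our assumptions. PANs run 13 to 19 digits, so the masking works from both ends rather than assuming the 16-digit layout; the Luhn check is a screen for digit runs that are plausibly card numbers, not proof that they are.

```python
import re

# Added example, not from Visa or the NRF. Applies the receipt-masking rules
# described in the article and scans text for unmasked PANs. Names assumed.


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int, keep_last: int = 4, fill: str = "X") -> str:
    """Disguise a PAN, showing only the first `keep_first` and last `keep_last` digits.

    Separators the cardholder typed (spaces, dashes) are dropped first. PANs are
    13 to 19 digits, so the mask is computed from both ends, not assumed 16.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if keep_first + keep_last >= len(digits):
        raise ValueError("mask would reveal the whole PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + fill * hidden + digits[-keep_last:]


def cardholder_receipt_pan(pan: str) -> str:
    """Rule already in effect in the U.S.: last four digits only."""
    return mask_pan(pan, keep_first=0, keep_last=4)


def merchant_receipt_pan(pan: str) -> str:
    """Proposed merchant-copy rule: at most the first six (the issuer BIN) and last four."""
    return mask_pan(pan, keep_first=6, keep_last=4)


# 13-19 digit runs, tolerating a single space or dash between digits,
# and not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit run found in `text`.

    Meant for merchant-side artifacts (e-mails, statements, reports, legacy
    logs). Luhn weeds out most order numbers and timestamps; treat hits as
    leads to check, not confirmed card numbers.
    """
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample of a legacy settlement report; 4111... is a well-known test PAN.
SAMPLE_REPORT = """constructed sample of a legacy settlement report
txn 0042  card 4111 1111 1111 1111  amount 19.99
txn 0043  card XXXXXXXXXXXX0005  amount 42.00
txn 0044  ref 1234567890123  card 411111XXXXXX1111  amount 7.50
"""


if __name__ == "__main__":
    print(cardholder_receipt_pan("4111 1111 1111 1111"))
    print(merchant_receipt_pan("4111 1111 1111 1111"))
    print(find_unmasked_pans(SAMPLE_REPORT))
```

The report scan flags only the first line: the already-masked number on the second line has too few digits, and the 13-digit reference number on the third line fails Luhn, which is why the check is usable on real reports without drowning in order numbers.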

Separately, Visa announced best practices for tokenization, a system for replacing the full PAN with proxy numbers that are valueless to fraudsters. Visa’s recommendations cover token generation; token mapping, or the process of associating a token with its original PAN value; card data vaults, the central repositories of data used for token mapping; and cryptographic key management.

Visa’s VisaNet processing network has provided single-use tokens since the 1990s for pure settlement and ancillary processes, but the best practices address multiuse tokens that can be used for more complicated functions such as fraud management, recurring or subscription payments, and merchant loyalty programs, according to Visa. Visa also issued the best practices because improper token implementations have been linked to data breaches, says Hap Huynh, a business leader in Perez’s group. Sometimes merchants’ computer systems can’t link tokens with underlying PANs, causing problems, and in other cases merchants fail to do simple things such as turn on the tokenization system and keep it running, Huynh says. “That particular function needs to be monitored,” he says.
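The following Python is an added example, not Visa's code, sketching the four areas the tokenization best practices cover (token generation, token mapping, the card data vault, key management) together with the monitoring point Huynh raises. The design choices are ours: tokens are random, keep the PAN's length and last four digits, and are built to fail the Luhn check so they can never pass as real card numbers; the vault is the only component holding PANs; an HMAC-keyed index lets the same card map to the same token for recurring payments without a searchable plaintext PAN column; and an audit flags stored records that hold a raw PAN (tokenization bypassed or switched off) or a token the vault can no longer map. Class and function names, the in-memory storage and the test key are assumptions; a production vault encrypts the stored PANs and keeps both keys in an HSM or key-management service.

```python
import hashlib
import hmac
import secrets

# Added example, not Visa's code. Toy multi-use token vault: random tokens that
# keep the PAN's length and last four but fail Luhn, a keyed PAN->token index,
# and an audit for records that bypassed tokenization. Names are assumptions.


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); real PANs pass, tokens minted here never do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Card data vault: the only component that holds PANs or reverses tokens."""

    def __init__(self, index_key: bytes):
        # Key for the PAN lookup index. Assumed to come from an HSM/KMS and be
        # rotated under the vault's key-management policy; passed in here.
        self._index_key = index_key
        # token -> PAN. A real vault encrypts this column at rest.
        self._token_to_pan: dict[str, str] = {}
        # HMAC(PAN) -> token, so tokenizing the same card again finds the
        # existing token without storing a searchable plaintext PAN.
        self._pan_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Random token: same length, same last four, never Luhn-valid."""
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            # Reject anything that could pass as a PAN, and collisions.
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the multi-use token for `pan`, minting one on first sight."""
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        token = self._pan_index.get(idx)
        if token is None:
            token = self._new_token(pan)
            self._token_to_pan[token] = pan
            self._pan_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN (settlement and dispute path only)."""
        return self._token_to_pan[token]

    def has_token(self, token: str) -> bool:
        return token in self._token_to_pan


def audit_records(vault: TokenVault, records: list[dict]) -> list[tuple]:
    """Flag stored card fields that are raw PANs or tokens the vault cannot map.

    A Luhn-valid value where a token belongs means tokenization was bypassed
    or switched off; an unmapped token means the merchant can no longer link
    the record to its PAN for a dispute.
    """
    problems = []
    for rec in records:
        value = rec["card"]
        if value.isdigit() and luhn_valid(value):
            problems.append((rec["id"], "raw PAN stored"))
        elif not vault.has_token(value):
            problems.append((rec["id"], "orphan token"))
    return problems


if __name__ == "__main__":
    vault = TokenVault(b"constructed test key, not for production")
    tok = vault.tokenize("4111111111111111")          # well-known test PAN
    print(tok, vault.detokenize(tok))
    print(audit_records(vault, [
        {"id": 1, "card": tok},
        {"id": 2, "card": "4111111111111111"},        # tokenization was off
        {"id": 3, "card": "0000000000000001"},        # token with no vault entry
    ]))
```

Running the audit periodically over the merchant's stored transactions is one concrete form of the monitoring Huynh describes: a raw PAN appearing in a token field shows the tokenizer was not in the path, and an orphan token shows the vault and the merchant's records have drifted apart.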


Digital Transactions