Visa and NRF Unite Efforts to Improve Customer Data Security
Visa has launched a global effort to reduce unnecessary storage of sensitive card information in merchant payment systems. Understanding the significant commitment by merchants to secure the payment system and to protect sensitive cardholder information from criminals, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.
Visa and the National Retail Federation (NRF) agree that merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests. While Visa does not require merchants to store full card numbers beyond settlement, NRF’s comments indicated marketplace confusion about what information merchants are required to store for dispute resolution by issuers, acquirers or processors. To clarify, Visa operating regulations stipulate the following:
NRF senior vice president and chief information officer David Hogan welcomes Visa’s effort. “We have long advocated that retailers should not be required to store their customers’ full card numbers and instead rely on an alternative identification number to reference a transaction. NRF has been pleased to take a leadership role working with Visa in this effort to assist retailers in our mutual goal of securing customers’ information while potentially reducing the scope of the PCI Data Security Standard. Merchants should be encouraged to minimise both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalised for not storing card information. This clarification from Visa is a promising step in that direction,” said Hogan.