This is an unusual twist in the ongoing saga of Visa versus the retailers. Merchant groups for years have begged for retailers to not be forced to retain PAN data and Visa typically has responded, "We don't require that." But Visa has now, for the first time publicly, conceded that many acquirers have indeed been requiring such data.
Visa's official statement stressed confusion and misinterpretation as the key culprit. Execs on Wednesday, however, said the data retention is just as often caused by outdated equipment and software, on both the retailer and acquirer ends.
"Due to misinterpretation of Visa dispute processing rules, some acquirers require their merchants to unnecessarily store full Primary Account Numbers (PANs) for exception processing to resolve disputes. The unnecessary storage of full card PAN information by merchants has led to incidents of data compromise, theft or unintended disclosure during disposal," the Visa statement said. "Additional confusion exists due to inconsistent dispute resolution practices by issuers and acquirers in use across different geographies, leading some merchants to conclude that PAN data must be retained for all transactions."
The distinction between "strongly discourage" and "forbid" is significant. Again, from Visa's memo: "Visa does not require merchants to store PANs, but does recommend that merchants rely on their acquirer/processor to manage this information on the merchants' behalf."
In short, Visa doesn't want the data retained, but it is leaving the decision to those closest to the merchants. That stance may change this fall.
Visa is seeking comment from the community through August 31. After that, depending on the feedback, a policy change may materialize that could outright ban the practice of requiring retailers to retain the data, Visa's Perez said in an interview. He added: "We may be requiring it at some point."
Prohibiting acquirers from requiring such data is a powerful first step. But even that move would still leave the door open to lots of PAN retention from retailers who willingly keep that data.
Both Visa and the National Retail Federation (NRF) issued related statements on July 14. Each spoke of various ways transactions could be handled without PAN retention, most of which revolve around either truncation or some variation of tokenization.
"Understanding the significant commitment by merchants to secure the payment system and protect sensitive cardholder information from criminals," said the joint Visa-NRF statement, "Visa is clarifying that existing operating regulations ensure acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number."
That joint statement added: "Merchants should not be obligated by their acquiring banks to store card numbers for the purpose of satisfying card retrieval requests."
Part of the holdup for this type of token approach is outdated legacy systems, with both some acquirers and retailers, Perez said. Those systems will have to be upgraded to support any tokenization approach. Those assessors and retailers "should start to make changes," he saidNRF CIO David Hogan said in the joint statement that he welcomed "this clarification from Visa" and dubbed it "a promising step." He added: "Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it. The bottom line is that they should not be penalized for not storing card information."
Hogan took it one step further and said that such efforts—whether truncation, tokenization or something else—"potentially reduces the scope of the PCI Data Security Standard."
That claim of reduced PCI scope is not new. However, it's not clear that tokenization would have a significant effect on scope reduction. Properly deployed—and if it works (always a big if)—tokens could potentially make breaches slightly less likely. And they might, over time, minimally reduce the hours of paperwork that PCI requires. That, in itself, could reduce costs.
As long as the retail chain is the deep pocket—which is how lawyers look at large retail chains—it will have the ultimate responsibility. If consumers walk into a Wal-Mart and hand an associate a Visa card (or even if they swipe it themselves) and if that data is later compromised, the blame will fall right back to the retailer.
As long as tokens can eventually be used to identify the full card data, that retailer had better assume the first and handle PCI processes as though truncation didn't exist. That's the only safe assumption to make.
If you have an extremely important document, it's wise to assume that your backup will fail and to make multiple copies, stick it on a thumb drive, bring it home, print it out and stick it in a safe. The same should be said for PCI. Operate on the premise that all security systems will probably fail tonight, and you'll likely make the proper decisions.
Visa also on Wednesday re-issued its tokenization best practices. "We know from working with the industry and from forensics investigations, that there are some common implementation pitfalls that have contributed to data compromises," Perez said in the document. "For example, entities have failed to monitor for malfunctions, anomalies and suspicious activity, allowing an intruder to manipulate the tokenization system undetected."
Visa's policy on PAN retention has not changed in recent years, but the policy of American Express has. As of October 2008, American Express changed its policy and no longer requires retailers to retain full account numbers and "card account number information is not required for dispute purposes," said Lisa Gonzalez Anselmo, Amex's director of public affairs and communications. That said, Amex does "require that merchants keep a copy of the sales receipt for 24 months."