The Green Sheet Online Edition
August 09, 2010 • Issue 10:08:01
New best practices for data storage
Visa Inc. and the National Retail Federation launched a "best practices" information campaign to help merchants safeguard stored card data, mainly by reducing its storage.
The campaign is aimed at merchants who are unclear about the rules governing payment data storage and the acquiring players who work with them, according to Eduardo Perez, Global Head of Data Security for Visa.
Perez said Visa initiated the effort after hearing concerns from the NRF and other retail groups about "continuing misconceptions" held by many merchants, particularly the mistaken idea that storing entire payment card numbers was necessary to conduct chargebacks.
"We've focused in the past around the need for merchants not to store prohibited card data, like the CVV, CVV2 and PIN," Perez said. "Here we're focusing on expanding that to encourage merchants not to store PAN [primary account number] unless there's a legitimate business reason for doing so. And then, if they do have to store it, to protect it in line with PCI Data Security Standards."
Visa and the NRF will spread word of their best practices through communications to financial partners and other businesses as well as through Internet postings, according to Visa.
Directives to merchants, acquirers
The best practices for protecting card data include the directive that merchants employ receipt truncation to disguise or suppress all but the last four digits of a card number on both the customer and merchant copies of a receipt, and that acquirers provide transaction data storage and substitute transaction identifiers (tokens, etc.) for merchants who wish not to store full card numbers.
Visa and the NRF also call for measures to protect card numbers contained in all communications sent between two payment parties, such as emails, reports and statements.
Perez said merchants can best achieve these security aims by partnering with acquiring firms that employ good security practices - like tokenization and encryption for the storage and transmission of data - and by using validated payment applications at the POS that operate in accordance with the Payment Card Industry (PCI) Data Security Standard (DSS).
Perez said the new best practices are aimed at small and large merchants alike and that the ongoing use of information campaigns like this one has helped curb noncompliance.
"Ninety-five percent of our level 1 and 2 merchants have and continue to validate on an annual basis their PCI DSS compliance, and we believe [information campaigns] have had a positive impact on their ability to eliminate cardholder data and better protect data that remains in their system.
"It's a combination of [large and small] merchants that this is reaching out to," he added. "We still find, surprisingly, that some large merchants have the opportunity to reduce their card data. What we're saying is the first line of defense for data security is not to store data at all, and that for anything you do store, you focus on protecting that, at a minimum, by adhering to the PCI Data Security Standard."
A new strategy
Perez added that the new best practices could be incorporated into the PCI DSS. "If you look at the history of the rules we have in place, in many cases they started off as best practices," he said.
"Our approach has been that we want to introduce best practices to the marketplace first, allow the marketplace sufficient time to adopt them, and then if it makes sense to at some point consider making some or all of those best practices into rules to deal with potential stragglers. That's been a better approach than coming out and establishing rules right away."
With their new campaign, Visa and the NRF are taking a new tack in appealing to merchants that remain unswayed by the PCI DSS, according to Theodore Svoronos, Vice President, Business Development and Strategic Partnerships for Group ISO Inc.
Rather than have the PCI DSS "spoon fed" to merchants, this new approach is an attempt to persuade them that implementing best practices is in their best interests, Svoronos said. "It's looking at it less from a compliancy standpoint and more from a business standpoint," he added. "With the compliancy angle, we scared the pants off half the people out there, while the other half are saying, 'It's not gonna happen to me.'
"Now, to get everyone to truly understand the vision, you give the message that this is your business, and this is how important it is to your business not to store data incorrectly. You personalize it by bringing it to their livelihood."
A fitting acquisition
Visa's security promotion campaign fittingly coincides with its takeover of online gateway provider CyberSource Corp., an eminent player in the e-commerce fraud fight. On July 20, 2010, CyberSource revealed that its stockholders approved the acquisition by Visa, with 99.7 percent of shareholders reportedly voting in favor.
The vote effectively finalizes a $2 billion takeover that was first disclosed by the two companies in April. CyberSource, which acquired the online gateway Authorize.Net in 2007, processes about 25 percent of all e-commerce dollars in the United States and operates a global fraud prevention platform that uses software analytics and vast repositories of e-merchant data to combat online payment fraud.