
The Green Sheet Online Edition

August 09, 2010  •  Issue 10:08:01


New best practices for data storage

Visa Inc. and the National Retail Federation launched a "best practices" information campaign to help merchants safeguard stored card data, mainly by reducing its storage.

The campaign is aimed at merchants who are unclear about the rules governing payment data storage and the acquiring players who work with them, according to Eduardo Perez, Global Head of Data Security for Visa.

Perez said Visa initiated the effort after hearing concerns from the NRF and other retail groups about "continuing misconceptions" held by many merchants, particularly the mistaken idea that storing entire payment card numbers was necessary to conduct chargebacks.

"We've focused in the past around the need for merchants not to store prohibited card data, like the CVV, CVV2 and PIN," Perez said. "Here we're focusing on expanding that to encourage merchants not to store PAN [primary account number] unless there's a legitimate business reason for doing so. And then, if they do have to store it, to protect it in line with PCI Data Security Standards."

Visa and the NRF will spread word of their best practices through communications to financial partners and other businesses as well as through Internet postings, according to Visa.

Directives to merchants, acquirers

The best practices for protecting card data include the directive that merchants employ receipt truncation to disguise or suppress all but the last four digits of a card number on both the customer and merchant copies of a receipt, and that acquirers provide transaction data storage and substitute transaction identifiers (tokens, etc.) for merchants who wish not to store full card numbers.

Visa and the NRF also call for measures to protect card numbers contained in all communications sent between two payment parties, such as emails, reports and statements.

Perez said merchants can best achieve these security aims by partnering with acquiring firms that employ good security practices - like tokenization and encryption for the storage and transmission of data - and by using validated payment applications at the POS that operate in accordance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Perez said the new best practices are aimed at small and large merchants alike and that the ongoing use of information campaigns like this one has helped curb noncompliance.

"Ninety-five percent of our level 1 and 2 merchants have and continue to validate on an annual basis their PCI DSS compliance, and we believe [information campaigns] have had a positive impact on their ability to eliminate cardholder data and better protect data that remains in their system.

"It's a combination of [large and small] merchants that this is reaching out to," he added. "We still find, surprisingly, that some large merchants have the opportunity to reduce their card data. What we're saying is the first line of defense for data security is not to store data at all, and that for anything you do store, you focus on protecting that, at a minimum, by adhering to the PCI Data Security Standard."

A new strategy

Perez added that the new best practices could be incorporated into the PCI DSS. "If you look at the history of the rules we have in place, in many cases they started off as best practices," he said.

"Our approach has been that we want to introduce best practices to the marketplace first, allow the marketplace sufficient time to adopt them, and then if it makes sense to at some point consider making some or all of those best practices into rules to deal with potential stragglers. That's been a better approach than coming out and establishing rules right away."

With their new campaign, Visa and the NRF are taking a new tack in appealing to merchants that remain unswayed by the PCI DSS, according to Theodore Svoronos, Vice President, Business Development and Strategic Partnerships for Group ISO Inc.

Rather than have the PCI DSS "spoon fed" to merchants, this new approach is an attempt to persuade them that implementing best practices is in their best interests, Svoronos said. "It's looking at it less from a compliancy standpoint and more from a business standpoint," he added. "With the compliancy angle, we scared the pants off half the people out there, while the other half are saying, 'It's not gonna happen to me.'

"Now, to get everyone to truly understand the vision, you give the message that this is your business, and this is how important it is to your business not to store data incorrectly. You personalize it by bringing it to their livelihood."

A fitting acquisition

Visa's security promotion campaign fittingly coincides with its takeover of online gateway provider CyberSource Corp., an eminent player in the e-commerce fraud fight. On July 20, 2010, CyberSource revealed that its stockholders approved the acquisition by Visa, with 99.7 percent of shareholders reportedly voting in favor.

The vote effectively finalizes a $2 billion takeover that was first disclosed by the two companies in April. CyberSource, which acquired the online gateway Authorize.Net in 2007, processes about 25 percent of all e-commerce dollars in the United States and operates a global fraud prevention platform that uses software analytics and vast repositories of e-merchant data to combat online payment fraud.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
