Visa Inc. today clarified its regulations to ensure merchants know they are not required to store cardholders’ full 16-digit credit and debit card numbers for use in case of post-transaction disputes.
The clarification, which applies to online and offline merchants, could help retailers reduce the cost and hassle of complying with payment card security standards.
In a joint statement with the National Retail Federation, Visa said that for post-transaction disputes merchants can present issuers and acquirers with truncated, disguised or masked card numbers on receipts.
“Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it,” says David Hogan, the retailing trade group’s senior vice president and chief information officer. He adds that the statement is aimed more at issuers and acquirers than merchants.
Acquirers should offer systems to merchants that allow full card numbers to be replaced with “substitute transaction identifiers,” such as tokens, says the statement. A token turns a card number into a code that would be of no use to a criminal. Often an outside payment services vendor holds the code and provides the retailer with the actual card number only when it’s needed. That way the retailer does not have to hold, and protect, cardholder data in its own computer network.
Visa’s clarification could make it easier and cheaper for merchants to comply with the Payment Card Industry Data Security Standard, which is overseen by the card networks and designed to protect payment card data. “This will significantly reduce the scope of PCI compliance for merchants,” Hogan says.
However, the other major card networks have yet to issue similar clarifications, he adds, though he says he is hopeful that American Express Co., MasterCard Worldwide Inc., Discover Financial Services and JCB International will soon follow Visa’s lead. Comments from the other networks were not immediately available.
The Visa statement also advises that:
• On the cardholder receipt, merchants should disguise or suppress all but the last four digits of the card number and suppress the full expiration date.
• On the merchant’s copy of the receipt, merchants should disguise or suppress card digits so that a maximum of the first six and last four digits of the card number are displayed.
• Acquirers support their merchants who choose not to store full card numbers by providing transaction data storage.