Visa issues security alert

BROOKFIELD, Wis. — If your restaurant accepts Visa credit cards, beware. Visa USA issued a data security alert Aug. 31 to warn merchants about the risks associated with storing magnetic-stripe and other sensitive data on point-of-sale systems. The alert recommends specific actions that merchants can take to mitigate these risks.
 
To support compliance with the Visa USA Cardholder Information Security Program, Visa issues security alerts when vulnerabilities are detected in the marketplace, or as a reminder about best practices.  
 
Security vulnerability
 
Visa announced in a news release that it is aware of credit and debit compromises that resulted from the improper storage of mag-stripe data after transaction authorization was completed. The mag-stripe holds data in two tracks.
 
Track information is received by a merchant's POS system when a card is swiped. Some merchant POS systems improperly store that data after authorization, violating Visa's operating regulations. Hackers are aware of the vulnerability and are targeting certain POS systems to steal this information.
 
Visa also has observed compromises involving other data elements, namely card verification value 2 (CVV2), PINs and PIN blocks. CVV2 is the 3-digit number typically found on the signature panel of the card. PIN blocks are encrypted versions of PINs.
 
According to Visa, merchants may only store specific data elements, including the cardholder's name, primary account number, expiration date and service code, from the mag-stripe to support card acceptance. But that information must be protected in accordance with the Payment Card Industry Data Security Standard.
 
Merchants may mistakenly believe they need to store prohibited elements to process merchandise returns and transaction reversals, Visa says. Acquirers should ensure their merchants have proper processes for each type of transaction.
 
Recommended mitigation strategy
 
To safeguard their systems and reduce risk from a compromise, merchants should make sure that they are not storing prohibited data.
 
Visa offers the following suggestions:
 
· Ask the software vendor to verify that your software version does not store mag-stripe data, CVV2, PINs or encrypted PIN blocks. If it does, those data elements must be removed immediately.
 
· Ask the software vendor to share a list of files written by the application, along with a summary of their contents, to verify that prohibited data is not stored.
 
· Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.
 
· Search for and expunge all historical prohibited data elements that may be residing within your payment-system infrastructure.
 
· Confirm that it's necessary to store the data you're keeping. If not, don't store it.
 
· Verify that your POS software meets Visa Payment Application Best Practices. A list of PABP-compliant applications is available on Visa's Web site.
