The NRF released a brief yesterday discussing the clarification Visa made to its operating regulations related to the storage of full card data after the transaction. As suspected, some acquirers and processors were interpreting the rule to mean that Visa required merchants to store the full card number for things like chargeback processing (the clarification was made on the issuer side of the transaction).

Tokens at Major Magic's, by Benimoto

Of course, with a phone call, acquirers quickly seemed to learn what the real intent of the rule was. I can only describe this second hand, but here’s what I know for sure.

Over the last 6+ years, I have worked with many merchants to help them rid their systems of PANs. In exactly zero instances have I had an acquirer or processor require a merchant to store this data post-settlement for chargeback purposes. Sometimes it takes a little dot-connecting (like at one particular LARGE processor that shall remain nameless), but ultimately a few hours of work on behalf of my clients got written statements from their processors allowing truncated numbers for chargebacks.

Not just for Visa, by the way… but for EVERY payment brand.

In addition, Visa released their own brief on tokenization best practices. I’m disappointed that Visa remained rather ambiguous in their statements about tokens, and left the definition as broad as they did.

As I’ve argued before, a token should NOT have a mathematical relationship to the original value. That is essentially the definition in PCI DSS today (Requirement 3.4, index tokens): an index token is still linked to a cryptographic value in the vault, but traditionally it is not cryptographically derived from the PAN. Visa’s definition just says that recovering the original value from the token should not be computationally feasible, while also referring to achieving this via a “known strong cryptographic algorithm.”

Leaves some room for interpretation!

Had I written the brief, I would say that a token cannot have a mathematical relationship to the original value, and instead should be a reference value. Hashes and other cryptography-based “token” technology I would simply call ciphertext, because that’s exactly what it is. Regardless of your market position, I think that we can all (though in some cases anonymously) agree that the best option for a token is one that is not mathematically related to the PAN, computational feasibility be damned.
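To make the distinction concrete, here is an added Python example (not from the post, from Visa’s brief, or from any vendor) that puts a keyed-hash “token” beside a vault of random reference tokens; the sample PAN, key, and vault API are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: a standard test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"
HASH_KEY = b"constructed-demo-key"


def hash_token(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed-hash 'token': derived from the PAN by a known algorithm.
    In the post's terms this is ciphertext, not a token. Anyone holding
    the key can recompute it from a candidate PAN and confirm a match."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def hash_token_matches(candidate_pan: str, token: str, key: bytes = HASH_KEY) -> bool:
    """The mathematical link cuts both ways: a candidate PAN can be
    checked against a stored hash-token with no vault lookup at all."""
    return hmac.compare_digest(hash_token(candidate_pan, key), token)


def truncated(pan: str) -> str:
    """Display form kept outside the vault: first six and last four
    digits, the truncation the post describes processors accepting
    for chargeback work."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Reference tokens: random values whose only link to the PAN is a
    lookup table held inside the vault. Neither side can be computed
    from the other without that table (constructed API)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:  # one stable token per PAN
            return self._token_by_pan[pan]
        while True:
            # 16 random hex chars plus the PAN's last four for matching
            token = secrets.token_hex(8) + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]
```

Two independent vaults tokenizing the same PAN produce unrelated tokens, whereas the keyed hash is identical wherever the key is known; that difference is the whole argument.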

This post originally appeared on
