Processor Best Practices You Can Use

Visa just released its Cardholder Data Security Best Practices for VisaNet Processors. I think there are some things in this document that you as merchants can use, too. Here are a few examples with my comments/observations:

"Entities should identify their organization’s lines of business as well as the processes involved in storing, processing and/or transmitting cardholder data. By accurately identifying all business processes that handle cardholder data, processors can better define the scope of the cardholder data environment and ensure its adequate protection."

Great advice for everyone: document your payment process and minimize PCI scope. In my world, this is "PCI Requirement 0", meaning you should do this before you even start to attack the entirety of the DSS.

"Truncate cardholders’ primary account number (PAN) when business processes do not require use of the full PAN."

Truncation takes the data out of scope. And why are you saving the full PAN anyway? For more, consider...

"Support unique identifier tokens (e.g., a Visa Transaction ID is used in some regions) for recurring payments and dispute resolutions, thereby eliminating merchants’ storage of PAN data and reducing scope for acquirer processing systems where use of the full PAN is unnecessary."

Bingo! In my experience, there are two frequently-cited and equally unnecessary reasons schools and other merchants retain PANs. One reason (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.