Having recently agreed to standardize their protocols for transaction-data protection primarily at online merchants, the card networks are beginning to push for improved security of stored data at brick-and-mortar retail locations, as well. The move comes in the wake of alarming breaches of card-transaction data at physical retail stores, including the theft last week of such data at 103 of 175 stores in the DSW Shoe Warehouse chain.
Without specifically linking its latest initiative to such cases as the DSW theft, MasterCard International has kicked off a major campaign the primary intent of which is to remind merchants that the association's rules forbid the storage of data collected from magnetic stripes during card swipes. “Some merchants believe they need to store that data to prevail in a chargeback [dispute], and they don't,” says Gerritt Kerkstra, senior vice president for acquirer relations at MasterCard. “We need to step up our communication of this prohibition and communicate it to the right people [at merchant locations].”
MasterCard unleashed its new program, dubbed the Payment Data Protection program, this week in an effort to reinforce existing data-security rules for Internet merchants and to underscore effective data-storage rules for all retailers, the network says. The campaign, Kerkstra says, will include widespread trade advertising as well as frequent speaking engagements and other channels.
He says merchants that store mag-stripe data heighten the risk of fraud by making it easier for hackers who obtain that data to make counterfeit cards. Mag-stripe data includes such information as PIN prompts and card-verification code values, which are necessary at the time authorization messages are transmitted but need not be stored by merchants, MasterCard says.
Kerkstra adds that while MasterCard can enforce its ban by imposing penalties on acquiring banks, which would in turn pass these fines on to merchants, the bank card association prefers to encourage voluntary compliance through such efforts as the new campaign. “The issue is too severe not to move forward,” he says. “We think our acquirers need help. We think it's time to raise the level of awareness.”
The new campaign includes references to what it calls best practices retailers can follow to protect transaction data, such as maintaining firewalls, encrypting data, and avoiding vendor-supplied password defaults. Card networks permit merchants to collect and store such data as cardholder name and account number.
The program also reinforces MasterCard's data-security rules for online merchants, its Site Data Protection (SDP) rules, which in January became part of a uniform industry standard called the Payment Card Industry data-security (PCI) standard, which also embraces similar rules that had been established by Visa, American Express, and Discover. Although PCI covers brick-and-mortar as well as Internet merchants, the card networks so far have established deadlines for compliance audits only for e-commerce. The deadline for most Web merchants is June 30.