The massive data breach at The TJX Companies made public earlier this year – and a string of similar smaller breaches at various other firms since then – appears to be goading merchants to accelerate their adoption of the Payment Card Industry (PCI) data security standard.
As of this month, about 96% of the world's largest businesses that accept credit and debit cards for payment have confirmed that they are no longer storing magnetic stripe information on their systems, according to Visa USA.
Magnetic stripe data, also known as “track data”, includes the security verification codes on the back of each payment card as well as personal identification number (PIN) data from merchant payment systems. Older retail payment systems often captured and stored this data by default, without the merchants even being aware of that the information was being retained.
Industry analysts believe the storage of such data has made retail systems an attractive target for hackers. The practice is explicitly banned under PCI, which is a data security standard mandated by Visa, MasterCard Worldwide, American Express, Discover Financial Services and JCB International Credit Card.
Purging track data marks an important step towards full compliance with PCI, said Michael Smith, senior vice-president of enterprise risk and compliance at Visa.
“By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure,” Smith said in a statement.
The progress on the track data front comes amid an overall uptick in the adoption of the controls mandated by PCI. According to Visa, so far, about 40% of 327 Level 1 merchants – those processing more than 6 million transactions per year – have validated their compliance with the standard. Another 50% have been audited for compliance with the standard and are working to address issues that were identified in those audits. The remaining 10% are still working on their initial compliance assessments.
In December 2006, about 36% out of the 230 merchants then considered to be at Level 1 had validated compliance. Since then, 97 more merchants have been added to that category.
The validated compliance level among Level 2 merchants – those processing between 1 million and 6 million cards each year – was 33%, while another 42% have submitted their initial validation requirements, Visa said. The remaining 25% are beginning the validation process. Last December, the number of compliant Level 2 merchants stood at 15%.