Secure Payments, PCI DSS, Regulatory Compliance Blog

Does The Right Hand Know What the Left Hand Is Doing?

June 8th, 2007 by Jeff Hall Posted in Card Brands, Encryption, Merchant, PCI DSS, Point of Sale, Service Provider, Third-Parties

According to Digital Transaction News, Visa USA is ready to introduce account-level processing (ALP).

“Visa claims ALP will allow smoother transitions to new cards for cardholders, and will let merchants, in partnership with issuers, design more effective rewards programs.”

Sounds good so far, but wait, there is more.

“The key change is the switch from managing transactions through the six-digit bank identification number (BIN) within a card’s 16-digit number and instead using the full account number.”

Wait a minute, did we read that right? Did they say what we thought they said? Yes, they did. To paraphrase, the key change is the switch from using the six-digit BIN (3.3 compliant) to using the full PAN. This will just add fuel to the fire over storing the full PAN.

And it just keeps getting better.

“The new process affecting Visa-branded consumer cards will allow a credit cardholder to keep the same account number even if his issuer upgrades his card”

Yes, that is right, not only do we now encourage storing the PAN, but we are going to allow the PAN to remain the same even when the card changes. This just sounds like a way to generate even more replacement card numbers.

Does anyone think that encryption will not be critical to managing this situation? How many organizations are handling encryption properly right now? Some, but not enough. Think this will just make things worse? Probably, at least in the near term. Think the “bad guys” will take advantage of this new capability? Without a doubt.

The article goes on to say that this new approach will likely cause merchants a POS software upgrade headache to support ALP. POS software will have to be able to insert a field code, known as 62.23, in the authorization message. This field code will be a single alphabetic code that indicates the card product that was presented for the transaction.

As of October 2007, Visa will require all acquirers to be able to receive the new field code in the authorization message. Acquirers will use the code to determine the correct interchange, chargeback rights and other characteristics such as loyalty points to be accrued for each individual transaction.
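An added example, not from the original post or from Visa: when processing that used to need only the six-digit BIN starts carrying the full PAN, POS and acquirer logs are a common place for it to end up in the clear. This Python script finds Luhn-valid card numbers in log lines and masks each to the first six (the BIN) and last four digits. The log format and sample lines are constructed for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids, batch ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the BIN (first six) and the last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    """Return (scrubbed_line, count_of_full_PANs_found)."""
    found = 0
    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number, leave untouched
        found += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), found

def scan(lines):
    """Return (scrubbed_lines, indexes_of_lines_that_held_a_full_PAN)."""
    results = [scrub_line(line) for line in lines]
    return [r[0] for r in results], [i for i, r in enumerate(results) if r[1]]

# Constructed sample log (4111111111111111 is a well-known test number).
SAMPLE_LOG = [
    "2007-06-08 12:01:07 AUTH pan=4111111111111111 amt=25.00 resp=00",
    "2007-06-08 12:01:09 AUTH pan=4111-1111-1111-1111 amt=9.99 resp=00",
    "2007-06-08 12:01:11 AUTH bin=411111 last4=1111 amt=12.50 resp=00",
    "2007-06-08 12:01:12 BATCH id=1234567890123456 closed",
]

if __name__ == "__main__":
    scrubbed, hits = scan(SAMPLE_LOG)
    print("lines holding a full PAN:", hits)
    print("\n".join(scrubbed))
```

Masking only fixes what is written to logs or displayed; a full PAN that must be stored for ALP still needs to be encrypted at rest.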

3 Responses to “Does The Right Hand Know What the Left Hand Is Doing?”

  1. By DAG on Jun 11, 2007

    This and the RFID* credit card problems both look like disconnects. Both of these are solutions that I am inclined to walk away from as a consumer.

    * See: Vulnerabilities in First-Generation RFID-enabled Credit Cards, by Thomas S. Heydt-Benjamin, Daniel V. Bailey, Kevin Fu, Ari Juels, and Tom O’Hare

  2. By POS Equipment on Nov 14, 2008

    Credit cards are such a big responsibility that I don't think most people should have them.
