Visa USA is warning that two versions of Fujitsu's point-of-sale software may inadvertently store customer data, including PIN numbers, during debit card transactions.
According to a report by the Wall Street Journal, versions of Fujitsu's Raft and GlobalStore PoS software could be used in a way that allows the cash register to store customer data such as PINs.
Retailers are forbidden from storing data under card industry guidelines. The Payment Card Industry Data Security Standard (PCI), which defines how card data should be managed, expressly forbids retailers from storing PINs online, but compliance with the standard is thought to be under 20% in the US.
The issue came to a head recently following a security breach at an unspecified merchant that forced a number of US banks to re-issue debit cards to customers after it transpired that decrypted PIN codes were being used on cloned ATM cards.
Visa told WSJ reporters that it had sent out the alert to large merchant acquirers warning them of the security issues after becoming aware of data retention problems with the Fujitsu software. The card firm did not make any direct link with the PIN debit fraud.
Fujitsu representatives denied that the software was problematic and disagreed with Visa's decision to issue the warning, according to the WSJ.
The vendor says the versions of Raft and GlobalStore software cited by Visa are around 18 months old and that its customers are continually upgrading their software products.
Keith McNamara, a senior vice president for software operations at Fujitsu, told the paper that the software itself doesn't allow retailers to store customer data. Instead, other tools can be installed and linked to the Fujitsu products that could permit the tracing or storage of sensitive encrypted data.