"….we provided a confidential alert to a limited number of financial institutions advising them that a particular configuration of certain software could cause it to store cardholder data," Visa said in a statement e-mailed to TechWeb. "We further advised them of the existence of a software upgrade designed to address the problem."
"We alert member financial institutions in instances where any point-of-sale software or modification of it has a potential to put cardholder data at risk," Visa said.
Visa's guidelines state -- as do those of the credit card industry overall -- that retailers aren't to store data, such as PINs, which could fall into hackers' hands.
Fujitsu denied that its software was storing customer data, and said that Visa was mistaken. "Our software doesn't capture PIN data," said Ed Soladay, the chief operating officer of Fujitsu Transaction Solutions. "And I wish we could have talked about this [with Visa] before the alert came out. We were very dismayed when we heard about it, and we're in conversations now to clear it up with them."
But while Soladay said that the current versions of RAFT and GlobalStore software comply with the PCI (Payment Card Industry) data security standard, which forbids PIN storing, even temporarily, he couldn't rule out that a retailer using Fujitsu's software was keeping the PINs.
"Retailers often use tracers, programs that can capture all kinds of data, during pilots," said Soladay, "and sometimes they forget to remove them when they go live. We recommend that retailers never use a tracer in a live environment, simply because the data could be at risk.
"I think it's a good assumption [that if PINs were stored], they were captured by a tracer."
The timing of the alert -- on the heels of a disclosure that massive numbers of debit cards had been compromised -- led to speculation that the issue it described may have been how the data became available to hackers. The theft of debit card account numbers and PINs has allowed criminals to empty bank accounts at numerous national and regional banks, including Washington Mutual and Bank of America.
Previously, experts pegged the breach as a hack, since both the debit card account numbers and the associated PINs seem to have been stolen. A Visa spokesman, however, refused to comment on whether the alert was related to the debit card theft, or even if any data was stolen as a result of Fujitsu's software retaining data.