Simmering discontent within the retail industry over the payment card industry (PCI) data security standards erupted into the open Thursday with the National Retail Federation (NRF) asking credit card companies to stop forcing retailers to store payment card data.
In a tersely worded letter to the PCI Security Standards Council, which oversees implementation of the standard, NRF CIO David Hogan asked credit card companies to stop making retailers "jump through hoops to create an impenetrable fortress" to protect card data. Instead, "retailers want to eliminate the incentive for hackers to break into their systems in the first place."
"With this letter, we are officially putting the credit card industry on notice," Hogan said in a statement. The NRF, a trade association whose membership includes most of the major retailers in the U.S., is the national voice for about 1.4 million U.S retail establishments.
In an interview with Computerworld Thursday, Hogan said the letter was provoked by a "lot of frustration" in the industry about PCI guidelines and the deadlines associated with implementing them. If the goal of PCI is to protect credit card data, the easiest and most common sense approach is to stop requiring merchants to store the data in the first place, he said.
PCI is a data security standard mandated by Visa International, MasterCard Worldwide, American Express, Discover, and the Japan Credit Bureau (JCB). It requires companies to implement a set of prescribed security controls for protecting card holder data. Though it went into effect more than two years ago, a large number of big retailers are still non-compliant because of a variety of issues that include legacy system challenges, rules interpretation issues and continuously evolving guidelines.
According to Hogan, credit card companies require retailers and others accepting payment card transactions to store certain card data sometimes for up to 18 months so that it can be retrieved in the event of charge backs and other disputes.
But rather than have thousands of retailers store the data, credit card companies and their banks should do so, Hogan said. Retailers only need an authorization code provided at the time of a sale to validate a charge and a receipt with truncated credit card information to handle returns and refunds. If that were done, he said, most retailers probably wouldn't store any card holder data.
According to Hogan, under the current process, credit card companies and their banks already have the information needed for retrieval purposes, and it should be their responsibility to store and protect the data. "It is a very fundamental shift. But if you think about it, it is a very common-sense approach."
PCI mandates are challenging retailers to build fortresses around credit card data, he said. "We build these higher walls and the hackers bring in taller ladders and this kind of keeps scaling up all the time."
NRF: Credit card companies should store customer data
Jon Hurst, president of the Retailers Association of Massachusetts, backed the NRF's position. With all of the attention paid to PCI, what's gone unnoticed is the fact that card companies themselves require certain amounts of data to be stored because of disputed transactions, he said. If not for that requirement, many retailers -- especially the large ones -- would probably not keep data and therefore wouldn't be pressed to secure it, he said.
Prat Moghe, CEO of security vendor Tizor Systems, a Maynard, Mass.-based security firm, called the NRF's demand political posturing and said it would do little to improve retail security anytime soon.
"I think a lot of this is about moving culpability back to the credit card companies and saying don't make this my problem alone," Moghe said. "They seem to have realized that going on the defense as an industry doesn't help. There is just more and more they have to do." By speaking out aggressively at a time when retail industry information security practices are under scrutiny by consumers and lawmakers, the NRF is hoping to spread the liability for card data protection, he said.
Even if the NRF's demands were immediately met, it would take several years before retailers could purge their systems and applications of credit card data, he said. Over the years, retailers have collected and stored credit card data in myriad systems and places -- including relatively old legacy environments -- and they are just now realizing the data can be a challenge, he said. Purging it can be a bigger headache because the data is often inextricably linked to and used by a variety of customer and marketing applications; simply removing it could cause huge disruptions.
"We are not talking about one isolated system that stores all this data," he said
Until retailers can get rid of the data, they will need to continue to implement PCI controls whether they like it or not, Moghe said.
Under PCI, credit card companies have also already been pushing retailers to purge their systems of some customer data, including the card verification codes and PIN block data that is stored on magnetic stripes on the back of payment cards.
According to Gartner, Visa levied more than $4.5 million in PCI non-compliance-related fines last year. At least some of that was aimed at companies that were storing prohibited card data on their systems.
The NRF letter comes just days after the passage of a major Sept. 30 PCI deadline after which merchants face fines ranging from $5,000 to $25,000 for non-compliance. Up to now, most of the fines levied have been on breached entities or on companies that kept prohibited card data.
Computerworld is an InfoWorld affiliate
This story, "Retail group takes a swipe at PCI" was originally published by Computerworld.