Prat Moghe, CEO of security vendor Tizor Systems, a Maynard, Mass.-based security firm, called the NRF's demand political posturing and said it would do little to improve retail security anytime soon.
"I think a lot of this is about moving culpability back to the credit card companies and saying don't make this my problem alone," Moghe said. "They seem to have realized that going on the defense as an industry doesn't help. There is just more and more they have to do." By speaking out aggressively at a time when retail industry information security practices are under scrutiny by consumers and lawmakers, the NRF is hoping to spread the liability for card data protection, he said.
Even if the NRF's demands were immediately met, it would take several years before retailers could purge their systems and applications of credit card data, he said. Over the years, retailers have collected and stored credit card data in myriad systems and places -- including relatively old legacy environments -- and they are just now realizing the data can be a challenge, he said. Purging it can be a bigger headache because the data is often inextricably linked to and used by a variety of customer and marketing applications; simply removing it could cause huge disruptions.
"We are not talking about one isolated system that stores all this data," he said
Until retailers can get rid of the data, they will need to continue to implement PCI controls whether they like it or not, Moghe said.
Under PCI, credit card companies have also already been pushing retailers to purge their systems of some customer data, including the card verification codes and PIN block data that is stored on magnetic stripes on the back of payment cards.
According to Gartner, Visa levied more than $4.5 million in PCI non-compliance-related fines last year. At least some of that was aimed at companies that were storing prohibited card data on their systems.
The NRF letter comes just days after the passage of a major Sept. 30 PCI deadline after which merchants face fines ranging from $5,000 to $25,000 for non-compliance. Up to now, most of the fines levied have been on breached entities or on companies that kept prohibited card data.
Computerworld is an InfoWorld affiliate