It has been suggested that Macy's lack of cooperation is due to the fact that the retailer is not PCI (Payment Card Industry)-compliant. Federated Department Stores, which purchased Macy's and then changed its name to Macy's, also owns Men's Wearhouse, David's Bridal, Filene's Basement, and Premier Salon in Canada, among others. In short, it is a giant, one of many that Visa has been trying for quite some time to get to comply with its best practices, the PCI Data Security Standard, which, as an industry standard, has no actual force of law.
Although the PCI rules lack legal teeth, no large retailer could afford to be out of compliance, because all the major banks that process its credit card transactions would revoke its right to accept those cards. As a member of the organization, Macy's would also be subject to heavy fines, as much as $100,000 per month.
Nevertheless, Macy's is not cooperating.
This raises another question: Have the merchant banks and major financial services companies that own these credit cards been looking the other way? In other words, is Macy's too big to blow the whistle on?
The idea that such a huge company never bothered to get its database compliant is shocking but frankly not hard to believe.
In high tech, we've seen this kind of behavior before. Many companies pay lip service to standards, only to ignore them in practice. But at least when this happens, it is usually just an inconvenience, albeit one that can at times cost their customers lots of money to ensure interoperability.
But when Macy's refuses to hand over the names of customers whose children might be in serious danger, it is downright criminal as far as I can see.
Does this give self-regulation a black eye?
It certainly doesn't help.