Retailers B*tch Slap PCI Security Standards Council, If You Believe Them
From Bill Brenner at TechTarget (who never calls anymore now that I’m independent; where’s the love?).
From the letter, written by NRF Chief Information Officer David Hogan:
“All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. With this letter, we are officially putting the credit card industry on notice. Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.”
The letter notes that credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. According to NRF, retailers should have a choice as to whether or not they want to store credit card numbers at all.
This is an exceptionally great idea. I’ve been covering PCI since the start and never realized that one of the reasons retailers were keeping card numbers was because of the credit card companies themselves.
I’m not fully convinced they really mean it. I’ve worked with hundreds of retailers of all sizes over the years, and many keep card numbers for reasons other than the credit card company requirements. Most of their systems are built on using card numbers as customer identifiers, and removing them is a monumental task (one that some forward-looking retailers are actually starting). Retailers often use card numbers to validate purchases and perform refunds. Not that they have to, but I wonder how many are really willing to make this change?
I’ve long thought that the PCI program was designed more to reduce the risks of the credit card companies than to protect consumers. There are many other ways we could improve credit card security aside from PCI, such as greater use of smart cards and PIN-based transactions. Fortunately, even badly motivated actions can have positive effects, and I think PCI is clearly improving retail security.
PCI, and credit card company practices, really push as much liability as possible onto the retailers and issuing banks. Retailers are challenging them on multiple fronts, especially transaction fees.
This is the kind of challenge I like to see: eliminating stored card numbers removes a huge risk (but not all risk, since the bad guys can still attack on a transaction basis), reduces compliance costs, and simplifies infrastructures.
We traditionally talk about four ways to respond to risk: transfer, avoid, accept, mitigate. As a martial artist I have to admit I prefer avoiding a punch to blocking it, getting hit, or having someone else take it on the chin for me.
Adrian Lane Oct 5
“… the ultimate solution is to stop requiring merchants to store card data in the first place.”
What? Can someone confirm this? I have never heard a merchant or bank mention the CC# was stored as a requirement from Visa or Mastercard. Perhaps for transaction rollbacks or credits? And I am not aware of any place in the PCI standard that says it must be stored. I thought it was the vendor storing the number to protect themselves and pretend they were offering me a ‘convenience’ feature. If this is true, I am going to have to apologize for a whole bunch of nasty email I have sent to merchants over the past few years …
rmogull Oct 5
I’m asking around myself- but so far it seems true to at least some extent.
Adrian Lane Oct 8
I was not able to find anything concrete with a Google search. An Associated Press news article quoted a Visa representative as saying they could keep card data “truncated format which minimizes risk. In addition, a merchant may choose to share no cardholder data at all based upon their risk assessment and individual approaches to managing data storage according to their own business needs”. He implies that they need to keep the number for disputed charges; delete the number and you forfeit rights for disputed charges. I am still searching, but if the merchants have the ability to dispute charges and only retain the last four digits, then the entire problem space changes.
rmogull Oct 8
Great. “You don’t have to keep it, but if you don’t you can’t dispute charges.”
Agree- that could change quite a bit if you only need the last 4.
rybolov Oct 9
I’ve been saying it for years: life would be so much simpler for us security dweebs if we didn’t have all that pesky data sitting around. If you eliminate/reduced the data, you have reduced your risk. =)
Breina Montalvo Oct 11
While the NRF makes a valid point, it will NOT solve the problem. Recent events of throwing trans slips and sensitive customer data in a dumpster would have happened whether they held the data for one day, one week, or three years! The bottom line is that someone didn’t think it was necessary to destroy that data!
Merchants are very lax about proper card acceptance procedures and are constantly doing things procedurally in their everyday business that put cardholder data at risk; i.e., transferring card numbers onto invoices, purchase orders, slips of paper and even matchbook covers. (I have seen this first-hand with my merchants.) For future use and the sake of convenience or for record keeping, they will continue to store information in a database, operational software or notebook. Eliminating storage of cardholder information will not by itself prevent fraud within the workplace, carelessness in card-not-present environments, and just plain ignorance of the rules and regulations.