From Bill Brenner at TechTarget (who never calls anymore now that I’m independent- where’s the love?).
From the letter, written by NRF Chief Information Officer David Hogan: “All of us – merchants, banks, credit card companies and our customers – want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. With this letter, we are officially putting the credit card industry on notice. Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.” The letter notes that credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. According to NRF, retailers should have a choice as to whether or not they want to store credit card numbers at all.
This is an exceptionally great idea. I’ve been covering PCI since the start and never realized that one of the reasons retailers were keeping card numbers was because of the credit card companies themselves.
I’m not fully convinced they really mean it. I’ve worked with hundreds of retailers of all sizes over the years, and many keep card numbers for reasons other than the credit card company requirements. Most of their systems are built on using card numbers as customer identifiers, and removing them is a monumental task (one that some forward-looking retailers are actually starting). Retailers often use card numbers to validate purchases and perform refunds. Not that they have to, but I wonder how many are really willing to make this change?
I’ve long thought that the PCI program was designed more to reduce the risks of the credit card companies than to protect consumers. There are many other ways we could improve credit card security aside from PCI, such as greater use of smart cards and PIN-based transactions. Fortunately, even badly motivated actions can have positive effects, and I think PCI is clearly improving retail security.
PCI, and credit card company practices, really push as much liability on the retailers and issuing banks as possible. Retailers are challenging them on multiple fronts, especially transaction fees.
This is the kind of challenge I like to see- eliminating stored card numbers removes a huge risk (but not all risk, since the bad guys can still attack on a transaction basis), would reduce compliance costs, and simplify infrastructures.
We traditionally talk about four ways to respond to risk- transfer, avoid, accept, mitigate. As a martial artists I have to admit I prefer avoiding a punch than blocking it, getting hit, or having someone else take it on the chin for me.