StorefrontBacktalk

Retail Group Lobbying To Have Credit Card Data No Longer Stored

Written by Evan Schuman

October 4th, 2007

Retailing's most powerful lobby—the National Retail Federation (NRF)—is launching a campaign to change the way that credit cards and retailers interact. Conceding that the Payment Card Industry (PCI) procedures have simply not been effective at stopping massive retail breaches, NRF CIO David Hogan has been pushing for a radical change in tactics, one that will require Visa, MasterCard and AmericanExpress to change procedures.

"It is unlikely PCI will ever be able to keep pace with the continually-evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks," Hogan said in a letter to Bob Russo, the head of the PCI Security Council. "We believe the time has come to rethink the assumptions behind PCI."

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Already a Subscriber? Login Here

Username
Password
Login
Forgot Your Password? \| Site License

Posted in IT Strategy/Industry, Payment Systems, Premium Content, Security/Fraud

3 Comments | Read Retail Group Lobbying To Have Credit Card Data No Longer Stored

Matt Harrigan Says:
October 4th, 2007 at 10:00 am
What NRF has suggested is actually the best case scenario for the retailers, the card brands, the council, and all other parties in the PCI ecosystem.

If a retailer or service provider stops storing data all together, then the potential for fraud goes away. Additionally, the organization that was formerly storing cardholder data, and is now not doing so does not have to undergo the compliance process.

Its good for the card brands, because they no longer have to absorb the risk of their banks, who no longer have to absorb the risk of their merchants, who no longer have to worry about being compliant.

Unfortunately, it’s not something that happens overnight.

There are a few products out there which tokenize credit card data, eliminating the need for explicitly protecting it.
Marc Says:
October 4th, 2007 at 1:24 pm
The removal of card storage lessens the impact of a breach, but does not completely mitigate it. There is always the issue of a well placed trojan on a register or server that sits there and quietly captures card data being sent out for authorization.

It will take a little longer for the bad guys to get their data, but they will get it.

The real answer is to take the card number out of the loop of the transaction. When the card number never leaves the card, then there is nothing to steal from the merchant. The card associations need to fundamentally overhaul how transactions are authorized and settled. The technology exists (smart cards, PKI), but there is no incentive to make the associations change. They make plenty of money the way things work now, and they get to pass on fines when there is a breach. It’s good for them all over!
Matt Harrigan Says:
October 4th, 2007 at 2:24 pm
It’s an idea for change – an idea for change that requires a wholesale change on the part of an industry which has millions of entities – merchants, SPs, 3rd parties, equipmment vendors, the brands, etc, handling trillions of records and transactions.

It’s analagous to suggesting that the solution to global warming is that everyone cease to use fossil fuel powered cars. Sure, that would be great, if there were a hydrogren refueling station, or electric charger on every corner, and someone was going to simply hand out the new automobiles.

Sure, its a good idea, but its going to take time, money, and commitment on the part of the folks in the path of transactions, and ALOT of thought leadership.
Plus, as marc indicated, there will always be some unique identifier that maybe isn’t being stored, but is traversing some network somewhere, and is potentially subject to being snatched by said “bad guys.”

I think that the formation of the SSC, the community meetings that are occurring, and the opportunities that participating organizations have to contribute to standards -have- helped to advance security, and reduce fraud.

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.