NRF Says Retailers Shouldn't Store Credit Card Data

Lora Bentley

eWEEK reported earlier this month that retailers are still stumbling over the same PCI compliance obstacles now as they were a year ago. According to an annual PCI audit summary from Verisign, the most common weaknesses for 2007 include lack of regular testing, failure to secure applications, and failure to protect data.

 

And even though the failure rates have dropped significantly in the last year, according to Verisign's numbers (from 70 percent to 80 percent down to the 40 percent to 50 percent range), InfoWorld blogger Matt Hines notes that many businesses are behind on PCI compliance:

According to some experts, many retailers and card processors are still way behind in terms of getting in line with the regulation from a technological standpoint -- with some companies apparently willing to take a wait-and-see approach to dealing with potential audits and fines.

Others, however, are moving beyond the wait-and-see approach. The National Retail Federation is lobbying the PCI Security Standards Council to radically change the requirements for merchants. Specifically, the NRF asks that the council stop requiring merchants to store credit card data. The argument goes something like this:

All of us -- merchants, banks, credit card companies and our customers -- want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place... Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.

On the other hand, credit card companies and issuing banks store the card data anyway. If merchants only kept receipts and the authorization codes for transactions, the card companies could use that data to verify transactions. There would be no reason for the card data to be held in several places at once, which would reduce the risk to which the cardholder is subject.

 

It definitely sounds reasonable.



Add Comment      Leave a comment on this blog post
Oct 10, 2007 8:41 AM Branden R. Williams Branden R. Williams  says:
It is actually! You can positively identify any transaction with these four data elements... 1) Date/Time of purchase, 2) Amount, 3) First six and last 4 of credit card number, and 4) the authorization code. The only requirement is that your Acquirer has the ability to search on those data elements. I'm a big advocate of deleting, truncating, erasing, whatever-you-want-to-call-it-ing, so that you don't have the data. What you don't have, you don't need to protect! Reply

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.