NRF: Retailers should not be required to keep credit-card numbers
Washington, D.C. -- The National Retail Federation told a congressional panel Tuesday that security standards imposed on merchants by the credit-card industry are only “an elaborate patch,” and that a system in which retailers would not be required to store card numbers would do a better job of protecting consumers against credit-card fraud.
“All of us -- merchants, banks, credit-card companies and our customers -- want to eliminate credit-card fraud,” NRF senior VP and CIO David Hogan said. “But if the goal is to make credit-card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. The bottom line is that it makes more sense for credit-card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”
Hogan’s comments came as he testified at a hearing on whether data-security standards mandated by the Payment Card Industry Security Standards Council, which is run by Visa, MasterCard and other major credit-card companies, reduce “cybercrime.” The hearing was held by the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
The PCI standards include more than 200 requirements intended to protect consumers against credit-card fraud committed by criminals who hack into computer systems. But Hogan said the guidelines are “onerous, confusing and constantly changing,” and have required retailers to replace previous security programs with new programs that are different but not necessarily better.
"While PCI can reduce some fraud -- at extraordinary cost -- it is not nearly as effective as a redesign of the card processes themselves,” Hogan said. “Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software.
“However, what is ironic about this scenario is that the credit-card companies’ rules require merchants to store for extended periods credit-card data that many retailers do not want to keep.”