Retail Federation Seeks Changes to PCI Rules

The National Retail Federation today in a letter to a payments industry security group requested changes in how the credit card industry requires merchants to store credit card data. The letter from the NRF to the Payment Card Industry (PCI) Security Standards Council cited concern over breaches by crooks of merchant databases of consumer card information.

By storing the data, the merchants are putting themselves at risk if the data is lost or stolen. TJX, parent company of TJ Maxx, recently agreed to provide consumers with $30 vouchers (up to two per person) for an incident in which card data from some 46 million consumers fell into unauthorized hands. Reports estimate that the total cost to the retailer will be $168 million.

However, NRF said the timing of its letter was coincidental and that the issue of storing credit card numbers has been discussed “for several months.”

“The challenge that we see out there is that the merchants, the banks and the credit card company all have the goal of protecting the consumer,” said David Hogan, NRF chief information officer, who authored the letter. But storing card numbers defeats that purpose.

The card associations, including MasterCard and Visa, require that the merchants store the numbers in order to trace any chargebacks, according to the federation.

“The same people that are telling us to protect it, are the ones telling us to store the data,” Hogan said. “We’re trying to build a fortress around this data, but any time we build a higher wall, the criminal comes back with a higher ladder.”

Discussions with card associations about the issue have been amiable – unlike fights over interchange fees, according to Hogan. But the card associations have been noncommittal to any changes, prompting the letter to the PCI Council. The council includes representatives from card associations, banks and merchants.

“If the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place,” Hogan said in the letter.

The federation recommends in the letter that credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring that merchants keep reams of data for an extended period of time.

“If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished,” Hogan wrote. “The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”

Bob Russo, the PCI council’s general manager, told insideARM.com this summer that debt purchasing and collection industry may not have worry about the standards (“PCI Standards May Not Apply to Debt Purchasers, Collectors,” 8/6). “Our concern is payment card fraud. The standard seeks to protect the credit card number on the front of the card and the magnetic strip information,” he said.

Typically, card issuers will deactivate a card number before selling it to a debt purchaser, said Russo. Once the number is deactivated, the card doesn’t have to be PCI compliant, he said. It’s conceivable that an issuer could reactivate a number and sell it to a purchaser — though that doesn’t seem likely, especially since the cardholder wasn’t paying his debt, he said.

Russo suggested purchasers and agencies contact issuers to determine if the issuer would demand a card remain PCI compliant after it has been deactivated.