NRF Calls PCI Standards 'Elaborate Patch'

WASHINGTON -- The National Retail Federation (NRF) told a congressional panel that the security standards imposed on merchants by the credit card industry are only "an elaborate patch," and that a system in which retailers would not be required to store card numbers would do a better job of protecting consumers against credit card fraud, the organization reported.

"All of us—merchants, banks, credit card companies and our customers—want to eliminate credit card fraud," NRF senior vice president and CIO, David Hogan, said in a statement. "But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

Hogan’s comments came as he testified at a hearing on whether data security standards mandated by the Payment Card Industry Security Standards Council run by Visa, MasterCard and other major credit card companies reduce "cybercrime." The hearing was held by the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

The PCI standards include more than 200 requirements intended to protect consumers against credit card fraud committed by criminals who hack into computer systems. But Hogan said the guidelines are "onerous, confusing and constantly changing," and require retailers to replace previous security programs with new programs that are different but not necessarily better, according to a company press release.

"PCI is little more than an elaborate patch. While PCI can reduce some fraud—at extraordinary cost—it is not nearly as effective as a redesign of the card processes themselves," Hogan said. "Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software. However, what is ironic about this scenario is that the credit card companies’ rules require merchants to store for extended periods credit card data that many retailers do not want to keep."

Visa and MasterCard claim retailers aren’t required to keep card information, but Hogan said retailers are required to produce a card receipt when purchases are disputed. If the retailer can’t produce the receipt, the card companies issue a "chargeback" and the amount of money in question is deducted from the retailer’s account, even if the transaction was legitimate, the organization reported.

Hogan told the subcommittee that in 2007 NRF proposed to the PCI Security Standards Council that retailers no longer be required to store credit card numbers, and recommended that retailers have the option of letting card companies and banks store the information instead. Retailers who chose to participate would keep only a transaction authorization code and a truncated receipt without the customer's full credit card number. Credit card companies would agree to accept the code and truncated receipt as proof of any disputed purchase. This would eliminate the risk of hackers stealing data from participating retailers because the retailers would no longer hold the information, Hogan said. The credit card industry dismissed the NRF proposal without addressing its merits, but has yet to offer any alternative, according to the NRF.
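The record-keeping model Hogan describes, reduced to code as an added illustration (this is not NRF's or any card network's software, and the field names, the sample authorization and the 13-to-19-digit PAN length range it checks are assumptions made for the example): the merchant keeps the authorization code and the last four digits for dispute handling, and a separate audit pass confirms that nothing resembling a full card number survives in what is retained.

```python
import json
import re
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Authorization:
    """What the processor returns at sale time (hypothetical field set)."""
    pan: str            # full primary account number as read from the card
    auth_code: str      # authorization code issued for this transaction
    amount_cents: int
    merchant_ref: str   # merchant's own order reference


@dataclass(frozen=True)
class RetainedRecord:
    """What the merchant keeps for chargeback disputes: no full PAN."""
    auth_code: str
    pan_last4: str
    amount_cents: int
    merchant_ref: str


def minimize_for_retention(auth: Authorization) -> RetainedRecord:
    """Build the dispute record, keeping only the authorization code and last four digits."""
    digits = re.sub(r"\D", "", auth.pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length outside the 13-19 digit range assumed here")
    return RetainedRecord(
        auth_code=auth.auth_code,
        pan_last4=digits[-4:],
        amount_cents=auth.amount_cents,
        merchant_ref=auth.merchant_ref,
    )


# A run of 13 to 19 digits, allowing the spaces or dashes a receipt might use.
_PAN_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def serialize(obj) -> str:
    """Serialize a record the way it would be written to storage."""
    return json.dumps(asdict(obj), sort_keys=True)


def contains_full_pan(text: str) -> bool:
    """True if the text holds a digit run long enough to be a full card number."""
    return _PAN_RUN.search(text) is not None


def audit_records(records) -> list:
    """Return the merchant references of retained records that still carry a PAN-length digit run."""
    return [r.merchant_ref for r in records if contains_full_pan(serialize(r))]


def build_sample() -> Authorization:
    """Constructed sample authorization; the card number is a well-known test value, not real data."""
    return Authorization(pan="4111 1111 1111 1111", auth_code="A1B2C3",
                         amount_cents=1999, merchant_ref="ORD-77")


if __name__ == "__main__":
    sale = build_sample()
    kept = minimize_for_retention(sale)
    print("retained:", serialize(kept))
    print("full PAN in raw authorization:", contains_full_pan(serialize(sale)))
    print("records still holding a PAN:", audit_records([kept]))
```

The audit function is the piece a merchant would actually run against a retention store: it does not need to know which field a card number leaked into, only that a PAN-length digit run is present somewhere in the serialized record.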

Related News:

-- PCI Compliance Will Cost Billions in C-Store/Petroleum Industry

-- NRF Announces Best Practices for PCI Compliance

-- Visa Requires all New Fuel Pumps to Support Triple DES

-- CSNews Hosts PCI Webinar