Retailers take swipe at PCI security rules

Credit card companies need to get tough if they want retailers to comply with Payment Card Industry (PCI) rules.


Simmering discontent over PCI data security standard boiled over in October month when the National Retail Federation (NRF) publicly called on credit card companies to take more responsibility for storing card data.

In a terse letter to the PCI Security Standards Council, which oversees implementation of the standard, NRF CIO David Hogan called on credit card companies to stop making retailers "jump through hoops to create an impenetrable fortress" to protect card data.

Instead, he asked the council to work with retailers "to eliminate the incentive for hackers to break into their systems in the first place".

The letter from the NRF, whose members include most major US retailers, was sent after many of the trade association's members apparently failed to meet a deadline to comply with the PCI data security standard.

The standard requires retailers to implement a set of prescribed controls for protecting cardholder data. Compliance is mandated by credit card companies Visa International, MasterCard International, American Express, Discover Financial Services and the Japan Credit Bureau.

About 325 Tier 1 merchants, those that process more than 6m credit card transactions per year, are subject to monthly fines of $5,000 to $25,000 for failing to comply with the standard.

In an interview, Hogan argued that retailers and others accepting payment-card transactions should not have to comply with the PCI mandate that they store certain card data for up to 18 months in case it's needed to mitigate disputes.

He suggested that credit card companies and their banks, not retailers, should be responsible for storing the data.

In that case, Hogan said, retailers would only need to store an authorisation code provided at the time of a sale to validate a charge, plus a receipt with truncated credit card information to handle returns and refunds.

"It is a very fundamental shift," he said. "But if you think about it, it is a very common sense approach."

The PCI mandates now require that retailers build unnecessary "fortresses" around credit card data, Hogan said. "We build these higher walls, and the hackers bring in taller ladders, and this kind of keeps scaling up all the time," he added.

"Recommended For You"

After Target, Neiman Marcus breaches, does PCI compliance mean anything? Security deadline missed by a third of Visa merchants