Retailers Challenge the Networks’ Card-Data Storage Requirements

A leading retailer trade group on Thursday called for the payment card networks to stop forcing merchants to store credit card numbers, in effect challenging banks and the networks to take more responsibility for preventing data thefts. In a letter to the PCI Security Standards Council, an organization the networks created last year to oversee and update the Payment Card Industry data-security standard, or PCI, National Retail Federation senior vice president and chief information officer David Hogan says the networks' requirement that merchants store card numbers for possible retrieval long after a card transaction creates undue fraud risk. Merchants are then required to reduce that risk by adhering to PCI, according to the NRF. Depending on the merchant's size, computer systems, and point-of-sale hardware and software, PCI compliance can be a multimillion dollar expense. PCI contains a dozen main mandates and scores of dependent requirements ranging from data encryption to scans, tests, firewalls, passwords, and anti-virus programs as well as data storage. While noting that retailers invest “hundreds of millions” of dollars annually to improve credit card data security, Hogan also says in the letter PCI compliance alone won't be enough to protect consumers. A better solution, according to Hogan, would be to permit retailers to store only an authorization code generated at the time of the sale, and a truncated receipt. Those items would suffice for settling disputed sales would remove retailers from the crosshairs of computer hackers looking for card data they can use fraudulently, according to the NRF. “With this letter, we are officially putting the credit card industry on notice,” says Hogan in an NRF news release. “Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.” Hogan addressed his letter to PCI Council general manager Robert M. Russo Sr., who wasn't available for an interview. In a statement, the Council punted to the networks. “The Council will respond to the letter in kind after reviewing the request in further detail,” the statement says. “However, it must be recognized that the payment brands?and not the Council?operate the systems underlying the payments process, as well as the compliance programs. Because of this, Mr. Hogan should be directing his concerns to those individual brands.” The statement goes on to say that the Council welcomes input from the NRF, which it notes is a registered participating organization. A spokesperson for Visa USA, the largest card network, said Visa won't comment on the letter but notes that Visa on Aug. 27 issued a notice about what's permitted and not permitted in storing card data. According to the NRF and sources familiar with card security, the bank card networks require merchants to store 16-digit account numbers, names, and expiration dates for possible retrieval, including chargeback resolution, for as long as 18 months after a card sale. They do not permit the storage of full magnetic-stripe data, including PIN blocks (encrypted debit card personal identification numbers) and the three-digit validation codes printed on the back of bank cards and used for further security in card-not-present sales. The issue of payment-card data storage has been in the headlines almost constantly for the past two years because of data breaches that resulted in thefts of millions of payment card numbers and other personal financial data. The biggest breach was the intrusion into TJX Cos. Inc.'s computer system that compromised nearly 46 million cards (Digital Transactions News, Sept. 24). Speaking to Digital Transactions News, Hogan says “PCI wouldn't go away,” but that the NRF's proposal is a simpler solution that would make retailers a smaller target for hackers while easing the financial burden of PCI compliance. “The path we have been going down, PCI mandates, 225-plus sub-requirements, is not the path to go down,” he says. He adds that the NRF estimates all merchants have spent more than $1 billion over the past three years on PCI compliance, an expense that will be ongoing because of required periodic system scans and audits. All that effort won't deter hackers if they know a retailer may be storing thousands or millions of card numbers, according to Hogan. “We build a firewall, and they come in with a taller ladder,” he says. The NRF's proposal seemingly wouldn't correct the problem posed by some older POS software systems, which automatically record and store magnetic-stripe data, one of the biggest security weaknesses PCI supporters are trying to correct. But Hogan says that with most large retailers having already achieved or being close to full PCI compliance, those problems primarily affect smaller merchants usually ignored by hackers. The NRF's letter partially confirmed some analysts' claims that PCI places too much of the data-security burden on merchants. “Strategically [the letter] is a brilliant move, and long overdue,” says Avivah Litan, a vice president at Stamford, Conn.-based technology research firm Gartner Inc. who has advocated that banks, processors, and the card networks use other methods, such as one-time transaction identifiers, to secure data. Adil Moussa, a payments analyst at Boston-based Aite Group LLC, said in a statement that PCI compliance is “very hard on merchants financially,” and that the NRF's proposal “make sense.” It needs to be expanded, however, he said. “Storing the authorization number is not a viable solution as those six-digit numbers can be easily recycled and a merchant might have the same authorization number twice,” Moussa said. “It makes more sense to use a unique transaction code to identify the transaction and keep that record for ulterior processing of chargebacks if they happen. After going the route of enforcing PCI, I feel it will be difficult for [card] associations to change the course, but it might be something to consider.”