Who would question the assumption that retailers should protect their customers’ credit card data? The retailers. As businesses that take credit cards have embarked on the costly trek toward compliance with the Payment Card Industry (PCI) standard, some members of the National Retail Federation (NRF), an industry trade association, are wondering why this security effort has fallen into their laps.
Last October, David Hogan, CIO of the NRF, challenged the basic assumption behind PCI’s new Data Security Standard (DSS)—that retailers need to keep credit card data at all. In a letter to the PCI Security Standards Council General Manager Bob Russo, Hogan suggested that if credit card companies didn’t force merchants to store this information in the first place, then merchants wouldn’t have to invest “hundreds of millions of dollars annually” and “jump through extraordinary hoops” to protect it.
Instead of keeping “reams of data,” Hogan writes, retailers could store just the authorization code given at the time of sale, along with part of the receipt: stuff no data thief could possibly want or use. With no credit card data to steal, hackers would look elsewhere. As for merchants, they’d still retain enough evidence of a valid transaction to serve their customers, such as by processing returns.
And where would hackers aim, with no credit card info in the stores? At “credit card companies and their member banks,” Hogan writes, who could secure their caches of data “in whatever manner they wished.” In other words, it’s their data—let them take the responsibility for it.
In a statement, the PCI Security Standards Council said that the request needs to be taken up with the card companies themselves, though the Council said it would respond after reviewing the letter.