Do you trust the merchants to protect your credit cards?

On 4 October 2007,  The National Retail Federation (NRF) Chief Information Officer and Senior Vice President, David Hogan wrote a letter to the Payment Card Industry (PCI) Standards Council requesting that the card industry to stop requiring merchants to store complete card numbers. Currently, some merchants are required to keep credit card numbers for up to 18 months to satisfy card retrieval and dispute requests. The letter said, “"Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place." NRF proposes that credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to keep the data for an extended amount of time. The letter further stated that, “If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished."

The proponents of this proposal state that the banks already keep and protect all of the information and hence, they would not have to put additional security measures in place. Merchants would need to retain a non-sensitive (and useless to identity thieves) transaction/approval numbers, rather than very sensitive cc numbers and identifying info. This would significantly reduce the risk of the security breaches, which is the ultimate goal of PCI.

The opponents of this proposal state that it will be a logistical nightmare and cost millions of dollars. To implement this proposal, all card processors (banks) would need to upgrade their infrastructure to process the new payment mechanism and provide the ability to retrieve transactions based on transaction/approval numbers. All point of sale systems would need to be modified to work in the new paradigm. Lastly, the merchants would need to upgrade their software and change their practices to ensure that they are not keeping any sensitive information. All this is easier said than done. The unanswered questions are:

·   Who will foot the bill?

·   Will the acquiring banks take on the additional liability?

·   Will the merchants change their practices?

I believe that this is a reasonable suggestion that will reduce the overall risk of security breaches at the merchant if the credit card companies and the retailers are able to resolve the abovementioned issues (which are not trivial by any stretch of the imagination). But this should not be treated as an alternative to security. Merchants do many other things in their everyday business that puts cardholder data at risk; i.e., transferring card numbers on invoices, writing purchase orders, copying credit card numbers on slips of paper, etc. Merchants will continue to come across sensitive data and will continue to do things that will put the data at risk for convenience, record keeping, and marketing. PCI has its shortcomings, but one thing that it has done is made the merchants a lot more security aware, and that is a good thing.