The US National Retail Federation has told a congressional panel that security standards imposed on merchants by the credit card industry are only "an elaborate patch," and that a system in which retailers would not be required to store card numbers would do a better job of protecting consumers against credit card fraud.
"All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud," NRF senior vice president and chief information officer David Hogan said. "But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."
Hogan's comments came as he testified at a hearing on whether data security standards mandated by the Payment Card Industry Security Standards Council run by Visa, MasterCard and other major credit card companies reduce cybercrime. The hearing was held by the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
The PCI standards include more than 200 requirements intended to protect consumers against credit card fraud committed by criminals who hack into computer systems. But Hogan said the guidelines are "onerous, confusing and constantly changing," and have required retailers to replace previous security programs with new programs that are different but not necessarily better.
"PCI is little more than an elaborate patch. While PCI can reduce some fraud — at extraordinary cost — it is not nearly as effective as a redesign of the card processes themselves," Hogan said. "Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software. However, what is ironic about this scenario is that the credit card companies' rules require merchants to store for extended periods credit card data that many retailers do not want to keep."
Visa and MasterCard claim retailers aren't required to keep card information, but Hogan said retailers are required to produce a card receipt when purchases are disputed. If the retailer can't produce the receipt, the card companies issue a chargeback and the amount of money in question is deducted from the retailer's account, even if the transaction was legitimate.
Hogan told the subcommittee that NRF in 2007 proposed to the PCI Security Standards Council that retailers no longer be required to store credit card numbers. Under the proposal, NRF recommended that retailers should have the option of letting card companies and banks store the information instead. Retailers who choose to participate would only have to keep a transaction authorization code and a truncated receipt without the customers' full credit card number. Credit card companies would agree to accept the code and truncated receipt as proof of any disputed purchases. Doing so would eliminate the risk of hackers stealing data from participating retailers because the retailers would no longer hold the information, he said.
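The two ideas above, Hogan's point that merchants must prove "somewhere, somehow, data is not inadvertently being retained" and the NRF proposal to retain only an authorization code and a truncated receipt, can be shown side by side in code. The following is an added example written for this page; it is not code from the NRF, the PCI council or any card network. The authorization code format, the `merchant_ref` order id and the `LegacyTransaction`/`MinimizedTransaction` record shapes are assumptions, and the card numbers are constructed Luhn-valid test values (the well-known `4111...` and `5555...` test numbers), not real accounts.

```python
"""Added illustration: a retailer record that keeps only an authorization code and
the last four digits, plus a scanner that checks stored data for anything that
still looks like a full primary account number (PAN)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in longer digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; drops most random digit runs (timestamps, ids) from PAN matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit-only PAN-like values found in text (regex candidate + Luhn filter)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, as on a truncated receipt."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class LegacyTransaction:
    """The 'before' shape: the full card number is retained to answer chargebacks."""
    pan: str
    amount_cents: int
    merchant_ref: str   # hypothetical internal order id


@dataclass(frozen=True)
class MinimizedTransaction:
    """The NRF-proposed shape: authorization code plus truncated number only."""
    auth_code: str      # processor authorization code (format assumed for this example)
    last4: str
    amount_cents: int
    merchant_ref: str


def record_sale(pan: str, auth_code: str, amount_cents: int, merchant_ref: str) -> MinimizedTransaction:
    """Build the stored record; the full PAN is discarded once the authorization code is known."""
    return MinimizedTransaction(auth_code, truncate_pan(pan)[-4:], amount_cents, merchant_ref)


def answer_dispute(store: Iterable[MinimizedTransaction], auth_code: str, last4: str) -> Optional[MinimizedTransaction]:
    """Locate proof of a purchase using only the retained fields."""
    for t in store:
        if t.auth_code == auth_code and t.last4 == last4:
            return t
    return None


def storage_leaks_pan(store: Iterable[object]) -> bool:
    """Serialize every stored record and scan the result for full PANs."""
    blob = "\n".join(repr(t) for t in store)
    return bool(find_pans(blob))


if __name__ == "__main__":
    legacy = [LegacyTransaction("4111111111111111", 4999, "ord-1001")]
    minimized = [record_sale("4111 1111 1111 1111", "A1B2C3", 4999, "ord-1001"),
                 record_sale("5555-5555-5555-4444", "Z9Y8X7", 1250, "ord-1002")]
    print("legacy store leaks PAN:", storage_leaks_pan(legacy))        # True
    print("minimized store leaks PAN:", storage_leaks_pan(minimized))  # False
    print("dispute lookup:", answer_dispute(minimized, "A1B2C3", "1111"))
```

The scanner is the check a retailer would run over databases, logs and exported files to confirm that no component is quietly retaining full card numbers; the minimized record shows why the proposed scheme removes the target rather than merely protecting it.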
Also testifying was Michael Jones, senior vice president and chief information officer for NRF member Michaels Stores, a nationwide US arts and crafts specialty store with more than 1,000 locations. Jones said the PCI council needs to strike a better balance between the interests of banks and merchants.
"The PCI Security Standards Council was allegedly spun off from the credit card companies and set up as an independent governing body of credit card company, bank and merchant representatives," Jones said. "In fact, the council is set up so that the credit card companies and banks retain all power over the ultimate standards, fines and anything else connected to PCI. Because of this, the standards do not represent what is the best security but rather what is best for the credit card companies and their financial institution partners."
Like Hogan, Jones cited faults and contradictions in the PCI standards. For example, PCI requires that data be encrypted, but makes an exception for data on private networks, and requires that data be unencrypted when sent to a retailer's bank because the banks aren't equipped to accept encrypted data.