SecurityFocus 2007-10-09
Beset by the public-relations nightmare of numerous data breaches, U.S. retailers proposed last week that they not be required to store credit-card data following a transaction.
In a letter sent Thursday to the Payment Card Industry (PCI) Security Standards Council, the group responsible for setting data-security guidelines for merchants and vendors, the National Retail Federation requested that member companies be allowed to instead keep only the authorization code and a truncated receipt, the NRF said in a statement.
"With this letter, we are officially putting the credit-card industry on notice," David Hogan, chief information officer for the NRF, said in the statement. "Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place."
The call for a change follows a number of high-profile data breaches at major retailers. In 2005, breaches at Sam's Club and an office supply chain resulted in hundreds of thousands of accounts being compromised. Last year, nearly 20,000 people who had shopped at the AT&T online store were notified that their information had been stolen. And earlier this year, retail giant TJX Companies, which owns the TJ Maxx and Marshalls chains, announced that online intruders had stolen credit- and debit-card data belonging to some 46.5 million accounts. The accounts have already been used as part of a counterfeit gift-card scheme, according to Florida officials.
That history underscores the need to minimize the number of locations in which credit-card information is stored, Hogan stated.
"If all merchants took advantage of this option (to eliminate storing sensitive credit-card data), credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished," Hogan stated in the letter. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."
Yet others point out that many retailers already have the option to minimize the data they keep, an option determined by the credit-card company and card issuer. The problem is that they are not adhering to the standards, said Bruce Spitzer, director of communications for the Massachusetts Bankers Association, which has filed suit against TJX Companies for reimbursement of its members' costs in replacing customers' cards.
"It is a smokescreen," Spitzer said. "They just want to change the subject."