Retailers look to exorcise credit-card data
Robert Lemos, SecurityFocus 2007-10-09

Beset by the public-relations nightmare of numerous data breaches, U.S. retailers proposed last week that they not be required to store credit-card data following a transaction.

In a letter sent Thursday to the Payment Card Industry (PCI) Security Standards Council, the group responsible for setting data-security guidelines for merchants and vendors, the National Retail Federation requested that member companies be allowed to instead keep only the authorization code and a truncated receipt, the NRF said in a statement.

"With this letter, we are officially putting the credit-card industry on notice," David Hogan, chief information officer for the NRF, said in the statement. "Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place."

The call for a change follows a number of high-profile data breaches at major retailers. In 2005, breaches at Sam's Club and an office supply chain resulted in hundreds of thousands of accounts being compromised. Last year, nearly 20,000 people who had shopped at the AT&T online store were notified that their information had been stolen. And earlier this year, retail giant TJX Companies, which owns the TJ Maxx and Marshalls chains, announced that online intruders had stolen credit- and debit-card data belonging to some 46.5 million accounts. The accounts have already been used as part of a counterfeit gift-card scheme, according to Florida officials.

That history underscores the need to minimize the number of locations in which credit-card information is stored, Hogan stated.

"If all merchants took advantage of this option (to eliminate storing sensitive credit-card data), credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished," Hogan stated in the letter. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

Yet others point out that many retailers already have the option to minimize the data they keep, an option determined by the credit-card company and card issuer. The problem is that they are not adhering to the standards, said Bruce Spitzer, director of communications for the Massachusetts Bankers Association, which has filed suit against TJX Companies for reimbursement of its members' costs in replacing customers' cards.

"It is a smokescreen," Spitzer said. "They just want to change the subject."

Despite the breaches, nearly a third to half of large retailers still do not adhere to the Payment Card Industry's best practices for data security, according to media reports. The deadline for compliance set by Visa already expired on September 30.

The PCI Data Security Standard (PCI DSS) stresses that most transactions do not need to store the full account number or the Card Verification Value version 2 (CVV2), the three- to four-digit number that allows cards to be verified, according to a Visa data security brief (PDF) on the topic. In most cases, truncated account numbers are the recommended way to store credit-card data, the brief stated.
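As an added illustration, not code from the article or from any of the organizations quoted, the following Python sketches the retention model that the NRF letter and the Visa brief describe: after authorization, keep only the authorization code and a truncated number, never the full account number or CVV2, plus a small audit check that flags Luhn-valid full card numbers left behind in stored text. All values are constructed.

```python
import json
import re

# Constructed sample of a raw authorization response (not a real card or transaction).
RAW_AUTH = {
    "pan": "4111111111111111",   # well-known test number, not a live account
    "expiry": "12/09",
    "cvv2": "123",
    "auth_code": "A1B2C3",
    "amount_cents": 4999,
}


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum that card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, as printed on a customer receipt."""
    return "*" * (len(pan) - 4) + pan[-4:]


def retention_record(auth: dict) -> dict:
    """The post-authorization record a merchant keeps: auth code plus truncated
    number. CVV2 and the full account number are deliberately not copied."""
    return {
        "auth_code": auth["auth_code"],
        "pan_truncated": truncate_pan(auth["pan"]),
        "amount_cents": auth["amount_cents"],
    }


# Audit helper: any 13-19 digit run that also passes Luhn is treated as a
# stored full account number and reported for cleanup.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_full_pans(text: str) -> list:
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


if __name__ == "__main__":
    record = retention_record(RAW_AUTH)
    print(json.dumps(record))
    print("leaked PANs in record:", find_full_pans(json.dumps(record)))
```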

Visa, currently in a quiet period following a global restructuring, would not comment on the issues, and Mastercard International could not immediately be reached for comment.

However, Prat Moghe, founder and CTO of auditing and protection firm Tizor Systems, stressed that, even if the retailers did not store credit-card account information, they will most likely want to keep data about their customers and transactions on hand for business analysis. Given that, the companies will still have to protect that data from online intruders, because it could still be used to perpetrate identity fraud, he said.

"The retailers do store a lot of data in addition to credit card data," Moghe said. "The risks of identity theft are not going away with credit-card information. I don't think that they are recognizing that data as a security issue as well."

For the most part, consumers are not clamoring for more security, according to analysts. In a survey of TJX customers, analyst firm Gartner found that, while 77 percent of those polled blame the company for the theft, only 22 percent would not shop at the company's stores. In September, TJX announced it had agreed on a settlement to end consumer lawsuits, but many -- including the judge in the case -- have criticized the settlement as lacking teeth.

While the healthcare industry and financial industry have strict compliance requirements mandated by law, retailers have largely escaped such a fate, but complying with PCI DSS is in everyone's best interest, said Moghe.

"If credit card data is unnecessarily being stored, does it have to be there? I think that is a legitimate point to bring up," he said. "They should, however, not be keeping any data that they don't need in the long term. And, in the short term, they need to secure the data that they do have."

Copyright 2006, SecurityFocus