From November 2007
By Tracy Mullin
Over the summer, several NRF executives met to discuss retailers’ efforts to protect customer data. In particular, discussion centered on the $1 billion-plus and thousands of hours retail companies have spent working toward Payment Card Industry (PCI) Data Security Standard compliance.

Inevitably, someone asked why retailers keep this data, anyway. The short answer: They have to. But what if they didn’t?
Retailers are essentially forced by credit card companies to keep certain data, including card numbers, for 12 to 18 months to satisfy retrieval requests when a charge is disputed. But what if there were a way to handle these requests without requiring merchants to keep sensitive data – thus reducing the incentive for criminals to hack into our systems to steal it?

We started questioning retailers. We asked CIOs, most of whom would prefer not to store the data at all. We checked with CMOs, who acknowledged they could often use what they needed within a few days. We queried data security experts, who concluded the plan was logistically possible.

After vetting the idea within the industry, NRF sent a letter to the PCI Security Standards Council. Instead of forcing retailers to keep this data, we requested that retailers be given a choice. We even proposed a solution for handling chargebacks, asking card companies to let us use the authorization code from each transaction to handle disputes, and a truncated card number for returns.

There would certainly be some initial investment and headache required of retailers, their financial partners and solution providers. But ultimately, if the end goal is protecting customer data, keeping sensitive information in as few places as possible is an appropriate first step.

This seems to be a solution that would make sense to customers. After all, if a person wanted to protect priceless family heirlooms, we wouldn’t tell them to put thicker bars on their doors and windows – we’d suggest they put the goods in a safe deposit box at the bank. At the end of the day, this is about giving retailers the choice not to keep sensitive customer data, with a guarantee that they won’t be punished by credit card companies if they opt not to do so.

Since NRF proposed its solution, some card companies have begun playing a game of “pass the buck.” While they are jockeying for position, the best interests of consumers are being left on the sidelines.

Retailers will continue to invest millions to ensure the safety of customer data, but are asking that card companies meet them halfway. Instead of requiring merchants to keep information they don’t want, the card industry should work with them to keep this information secure.