Consider This

The Raw Data on PCI

Last month’s indictment of a man who allegedly stole millions of credit card numbers from retailers as varied as T.J. Maxx, BJ’s Wholesale Club and Barnes & Noble has reignited the conversation over data security. And while retailers are receiving a black eye in the press, credit card companies and banks are running as fast as they can for the nearest exit.

After the major credit card companies formed the Payment Card Industry Council in 2006, they created an absurd number of mind-boggling requirements for retailers under the pretense of keeping data safer. Large companies must now be certified “compliant” by checking more than 200 items off a to-do list, costing retailers billions of dollars and considerable lost time.

Once companies have jumped through all of these hoops, logic would have it that their systems would be safe, yet Heartland Payment Systems, Hannaford Bros. and Network Solutions were all certified “PCI compliant” before their systems were hacked.

And PCI compliance doesn’t provide safe harbor for retailers. Those that are breached aren’t offered protection; instead, they’re immediately dropped like a hot potato and forced to pay thousands of dollars a month to the credit card companies until they are deemed “compliant” once again.

The card companies’ PCI-compliance scheme is not the answer to protecting data. In fact, I’d argue it’s just another way for credit card companies and banks to pass the buck – and to make quite a bit of money in the process, in the form of $25,000-per-month fines on merchants that are not certified.

After taking it on the chin for years, retailers are getting fired up. At last month’s NRFtech conference, PetSmart executive chairman Phil Francis urged technology executives to go back to their offices and tell their CEOs precisely how much the company is spending on compliance. Bob Carr, CEO of Heartland Payment Systems, acknowledged in his keynote address that PCI-compliance assessments “aren’t worth the paper they’re written on.”

Despite all of the issues surrounding PCI compliance, the larger problem lies in the fact that retailers are required by credit card companies and banks to retain credit card data – data that most retailers do not want in the first place.

If merchants had the option of keeping nothing more than an authorization code provided at the time of sale and a truncated receipt, the process would be more cost-effective and eliminate at least part of the risk. In that scenario, credit card companies and banks would be the only ones with large amounts of data, and they could protect their card numbers however they wished.

With breaches in the news almost every day, it’s time for banks and credit card companies to be held accountable on data security. Until then, retailers will be stuck in a no-win situation with PCI — and our shoppers will be left out in the cold.
