Retail lobby offers alternative to PCI standard

The world's largest retail lobby today announced a plan that might free merchants from some of the most complex requirements of the Payment Card Industry (PCI) standard.

In a letter to PCI Security Standards Council General Manager Bob Russo, the chief information officer of the National Retail Federation said parts of the PCI standard are only necessary because credit card companies require merchants to store card numbers for retrieval requests, such as returns or chargebacks.

"We believe the time has come to rethink the assumptions behind PCI," CIO David Hogan wrote in the letter. "Let me be clear. All of us – merchants, banks, credit card companies and our customers – want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store data in the first place."

The PCI Data Security Standard, overseen by the PCI Security Standards Council and enforced by the payment brands, is a set of 12 requirements for securing cardholder data. They include encryption, access controls, monitoring, and testing systems and processes for vulnerabilities.

Hogan proposed a plan in which credit card companies would allow merchants to store only authorization codes and a truncated, or shortened, receipt of the sale. This would save merchants the time and money associated with complex requirements such as encryption.

"The authorization code would provide proof that a valid transaction had taken place and been approved by the credit card company, and the sales receipt would provide validation for returns or proof of purchase," the letter said. "Neither would contain the full account number and would therefore be of no value to a potential thief. Any inquiries about a credit transaction would be between the cardholder and the card-issuing bank."
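The retention model the letter describes can be expressed as a data-minimization rule: keep the authorization code and a truncated receipt, drop the full PAN. The following Python is an added illustration, not code from the NRF, the PCI Council or the article; it assumes "truncated" means keeping only the last four digits, uses a constructed sample transaction whose card number is the widely published Visa test number, and treats the authorization code format as hypothetical. It builds the minimized record and, for the defender's side of the question, includes a Luhn-filtered scanner that reports whether a stored record still contains a full card number, which is the check a merchant would run to confirm that full PANs have actually left its systems.

```python
import re

# Constructed sample transaction, not taken from the article. The card number is
# the widely published Visa test number, not a real account.
SAMPLE_TRANSACTION = {
    "pan": "4111 1111 1111 1111",
    "auth_code": "A1B2C3",          # hypothetical authorization code format
    "amount": "129.99",
    "timestamp": "2007-10-04T14:32:00",
    "merchant_ref": "INV-000123",
}

# What a merchant system might hold today: the full PAN kept so that returns
# and chargebacks can be looked up (the practice the letter argues against).
LEGACY_STORED_RECORD = dict(SAMPLE_TRANSACTION)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card-number-length string")
    return "*" * (len(digits) - 4) + digits[-4:]


def minimized_record(transaction: dict) -> dict:
    """Build the record the proposal would have merchants retain:
    authorization code plus a truncated receipt, never the full PAN."""
    return {
        "auth_code": transaction["auth_code"],
        "amount": transaction["amount"],
        "timestamp": transaction["timestamp"],
        "merchant_ref": transaction["merchant_ref"],
        "pan_last4": truncate_pan(transaction["pan"])[-4:],
    }


# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list:
    """Return the Luhn-valid, card-number-length digit runs found in text."""
    hits = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_stored_record(record: dict) -> list:
    """Flatten a stored record and report any full PAN it still contains."""
    return find_full_pans(" ".join(str(v) for v in record.values()))


if __name__ == "__main__":
    print("legacy record leaks:", scan_stored_record(LEGACY_STORED_RECORD))
    print("minimized record leaks:",
          scan_stored_record(minimized_record(SAMPLE_TRANSACTION)))
```

The scanner is deliberately conservative: the Luhn filter removes most order numbers and timestamps that happen to be digit runs, but a stored record that passes it should still be reviewed by a person, and a record that fails it is one the letter's own argument says should never have existed.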

Hogan said that when he proposed his idea a few months ago, he received a "noncommittal" response from a major credit card company, which he would not name.

A spokesman for Visa, the largest U.S. payment system, today declined to comment on the letter and referred to an August paper that reminds merchants not to store prohibited information, namely magnetic stripe, CVV2 and PIN data.

But Hogan said today that even the basic account number – which is permitted to be stored under PCI, but must be protected by encryption – can lead to identity theft.

"You get rid of that, the incentive to hack almost disappears overnight," he said. "We're just trying to come up with a different model to protect the consumer. If I have a question about a particular charge, that should be between me and the credit card issuer."

The PCI Security Standards Council, in a statement, said Hogan "should be directing his concerns to those individual [payment] brands," but that the organization planned a response.

Diana Kelley, a Burton Group analyst, said that the proposal seems to make sense.

"The primary account number (PAN) can be stored, but if that account number gets out, that's what people use to go shopping," she said. "If you can keep a unique number related to an authorization, why would you have to keep the full PAN?"

According to the latest figures from Visa, 44 percent of level-one merchants, who process more than six million transactions each year, and 38 percent of level-two merchants, who process from one to six million transactions, have achieved PCI compliance.
