An open letter the National Retail Federation sent to the Payment Card Industry Security Standards Council in early October sparked another war of words between merchants and payment card networks over data security.
Retailers are forced to "jump through extraordinary hoops" to meet data-security standards set by the Payment Card Industry Security Standards Council, David Hogan, senior vice president and chief information officer at the National Retail Federation, states in the letter. The Washington D.C.-based federation sent the letter to Bob Russo, general manager of the Wakefield, Mass.-based council, which oversees the PCI data-security standard that merchants must apply when handling sensitive transaction information.
Retailers spend millions each year to better protect credit card-account information and to comply with the PCI security standard, yet there continue to be unacceptable levels of data breaches, according to Hogan, who questions what he calls the card industry's "requirement" that merchants store credit card data.
"Credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt," Hogan states in the letter. "The authorization code would provide proof that a valid transaction had taken place and was approved by the credit card company, and the sales receipt would provide validation for returns or proof of purchase."
The council responded with its own open letter to the federation on Oct. 5, stating that retailers opposed to credit card data-storage requirements are wrong to air their grievances to the council.
"The payment brands, and not the council, operate the systems underlying the payments process as well as the compliance programs," a PCI council spokesperson tells Cards&Payments. "Mr. Hogan should be directing his concerns to those individual brands."
MasterCard Worldwide contends it does not require merchants to retain transaction data. "In the event that a merchant chooses to store the primary account number to resolve issues arising after a purchase is completed, the account number may be stored in a truncated format, which minimizes risk," MasterCard said in a statement.
That explanation, Hogan contends, is "disingenuously accurate." "Once you cut through their lawyer-speak, all they are really saying is that a merchant who does not keep credit card data gives up protections against disputed charges under the card-company rules," he says.
In a statement, Rosetta Jones, Visa USA vice president, did not address the data-storage issue directly. However, she called the federation's letter "simply an attempt to improve merchant profits by shifting their cost of doing business onto the backs of consumers."
(c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
Authoritative analysis and perspective for every segment of the payments industry
Authoritative analysis and perspective for every segment of the industry
Have an account? Sign In