The National Retail Federation (NRF) is calling for the Payment Card Industry (PCI) Security Standards Council to stop requiring merchants to store card data.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of mandatory requirements for protecting cardholder data, which are governed by the PCI Security Standards Council. These requirements apply to all card companies, merchants, and service providers which store, process, or transmit cardholder data.

In a letter to the PCI Security Standards Council, the NRF says merchants are committed to PCI DSS compliance. But PCI in itself does not discourage hackers from attempting to break into retailers’ computer systems, it says. Although PCI has been in existence for several years, it has not prevented several major card security breaches, the U.S retail trade association says.

“All of us – merchants, banks, credit card companies and our customers – want to eliminate card fraud,” David Hogan, the NRF’s Chief Information Officer, says in the letter. “But, if the goal is to make card data less vulnerable, the ultimate solution is to stop requiring merchants to store the data in the first place.”

The fact that retailers store card data acts as a challenge to hackers, Hogan says. “Instead of being forced to jump through hoops to create an impenetrable level of data security, retailers should eliminate the incentive for hackers to break into their systems in the first place,” he says.

Card companies typically require retailers to store card numbers anywhere from one year to 18 months in order to satisfy card company retrieval requests. According to the NRF, retailers should have a choice as to whether or not to store card numbers. They should have the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, the NRF says.

“The bottom line is that it makes more sense for card companies to protect their data from thieves by keeping it in a relatively few secure locations, than to expect millions of merchants across the U.S. to lock up their data for them,” Hogan says.

Copyright © 2006 Verifone Inc. All rights are reserved.

MerchantSeek
Your Payment Acceptance Source