Retailer PCI Rebellion: 'No More Storing Credit Card Numbers'

The retail industry's main trade association says it's time to rethink the Payment Card Initiative (PCI).

In a letter yesterday to the PCI Security Standards Council, the National Retail Federation said the only way to make credit card data less susceptible to fraud is to stop forcing retailers to store credit card data at all. David Hogan, senior vice president and CIO for the NRF, said that instead, credit card companies and their banks should give retailers the option to retain only the authorization code for the transaction as well as a "truncated receipt" rather than storing the vulnerable data for the one year to 18 months period.

"Let me be clear. All of us -- merchants, banks, credit card companies and our customers -- want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place," Hogan said in the letter.

Hogan argued that PCI is supposed to prevent the spate of credit card data fraud that has hit several retailers, but that it can't keep up with black hat hackers.

"Data breaches have continued to occur at an unacceptable rate. There have been numerous instances of hackers targeting sophisticated retail computer systems that store or process credit card data, stealing the data and then using it to commit fraud," he said. "[PCI] is a valiant attempt to prevent large stockpiles of credit card data from getting into the wrong hands. However, it is unlikely PCI will ever be able to keep pace with the continually-evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks. We believe the time has come to rethink the assumptions behind PCI."

But MasterCard reportedly called the NRF's comments "inaccurate and unjustified." The credit card firm said retailers are allowed to store credit card data in a "truncated format, which minimizes risk," according to a published report. "In addition, a merchant may choose to store no cardholder data at all based on their own risk assessments and individual approaches to managing data storage according to their own business needs," MasterCard's statement said.

Amichai Shulman, CTO of Imperva, says technically, merchants don't have to store the data, but they do it for practical reasons, such as due to the way their POS system works, or to ensure they can settle any credit-card disputes with customers, for instance.

"The best approach would be to implement better security practices on both sides, merchant and processor," Shulman says. "One of the most common attack vectors for accessing credit card data stores is through web application vulnerabilities. Web application firewalls can block these attacks."

And database monitoring can also help, says Shulman, whose company develops such software.

A recent report by Forrester Research said that 81 percent of merchants retain credit card data, and that they typically keep too much of this data. Seventy-three percent store expiration dates, 71 percent store verification codes, and 57 percent, card-stripe data, the report said. (See Many Retailers Will Not Make PCI Compliance Deadline.)

Meanwhile, the NRF said any credit card transaction inquiries should instead occur between the cardholder and the bank that issued the card. "If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished," he said. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

One security source who did not want to be named says that while the NRF is right in its argument against retailers storing credit card data, the trade association also must provide better security standards and best practices to its member retailers.

Retailers have struggled to meet the PCI compliance deadline, which has been extended twice since its first milestone in June of 2005. Sixty percent of the respondents in the U.S. and the U.K. will plan to be fully compliant in the next year, according to the Forrester report, which was sponsored by RSA.

The NRF's Hogan said that 40 percent of retailers have been PCI-certified, and another 50 percent are either in the process of complying or have submitted their "initial validation."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.