The National Retail Federation said Friday that retailers were being unfairly blamed for failing to protect consumers from identity theft and credit card fraud.
This defense of the retail industry is a response to growing public concern over data breaches at TJX, Stop & Shop, Ralph Lauren and other retailers, as well as planned legislation in Massachusetts, Rhode Island and possibly at the federal level to make retailers rather than banks pay for all security costs.
Dave Hogan, the NRF’s chief information officer, blamed credit card associations and point-of-sale technology vendors for the current tangle of retail computer systems that transmit and store consumer data in an unsafe manner.
Credit card associations such as Visa have security guidelines called the Payment Card Industry Data Security Standards, commonly known as PCI. Among other things, the standards mandate that retailers print no more than five digits of a card number, and no expiration date, on a receipt, and that they do not retain sensitive information such as the three-digit security codes printed on the backs of cards anywhere in their systems. These and other safeguards are also required by a federal law that went into effect late last year. Since the law took effect, more than 30 large retailers, including Oakley Inc., have been sued for failing to properly truncate credit card information on receipts.
Only 40 percent of the largest retailers are PCI-compliant today, said Hogan. “But it is not due to lack of trying.”
He called the PCI guidelines “convoluted.” Hogan said it could take six to nine months for a retailer to find out if it was in compliance — if it can get an answer at all — because the banking and card associations have no structure in place and not enough resources to handle the questions that arise. Plus, he said, “The requirements have changed four or five times” over the past few years.
Retailers must rely on vendors who claim their systems are PCI-compliant, said Hogan and NRF senior vice president and general counsel Mallory Duncan.
Point-of-sale experts agreed that retail systems were not secure, but differed over whether retailers or vendors were to blame.
“Most of the obvious stuff has been fixed,” said Nikki Baird, an analyst with Forrester Research Inc. of Cambridge, Mass. But even new software can have legacy code in it. “Where people get hung up is the deeper stuff: ‘We didn’t realize in this particular log we were holding this data. We thought that was taken care of.’”
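The two controls the article describes, receipt truncation and not letting full card data linger in logs, can be checked mechanically. The following Python is an added example, not code from the article or from any vendor it mentions: it masks a card number down to the five-digit limit the article cites, and scans log lines for unmasked card numbers (digit runs that pass the Luhn check) and for security-code fields. The sample log lines, the field name `cvv2`, and the use of a known test card number are constructed assumptions for the demonstration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Security-code fields that PCI says must never be stored (field names assumed).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, keep=4):
    """Truncate a card number for a receipt, keeping at most five trailing digits."""
    if keep > 5:
        raise ValueError("receipts may show no more than five digits")
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def find_pans(text):
    """Return the digit-only form of every Luhn-valid card number found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_log(lines):
    """Return (line_no, kind, value) for each unmasked PAN or security code in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, "PAN", pan))
        for m in CVV_RE.finditer(line):
            findings.append((n, "CVV", m.group()))
    return findings


# Constructed sample log: line 1 is properly masked, line 2 leaks a full card
# number (the widely used 4111... test number) and a security code, line 3 is an
# order id that is long enough to look like a card number but fails the Luhn check.
SAMPLE_LOG = [
    "2007-03-02 10:14:01 INFO auth ok txn=8831 pan=************1111 exp=**/**",
    "2007-03-02 10:14:02 DEBUG raw request: pan=4111 1111 1111 1111 cvv2=123",
    "2007-03-02 10:14:03 INFO order 20070302000123456 shipped",
]

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for line_no, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: unmasked {kind}: {value}")
```

The Luhn check is what keeps order numbers and timestamps from being reported as card numbers; the scan is a detection aid for the "we didn't realize this log held that data" case, not a substitute for removing the logging in the first place.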
“The final responsibility rests with the retailer,” said Greg Buzek, a consultant and analyst with IHL Consulting Group of Franklin, Tenn. A POS vendor can certify its systems, but the retailer must also certify the implementation, he said. “Every one of us has a car that can go faster than the speed limit,” he said. “If we drive faster than the speed limit and get into an accident, is that the manufacturer’s fault or the driver’s?”
Credit card associations can fine retailers for failing to comply with the guidelines, but the verification process itself can cost millions of dollars, so some retailers are weighing whether it would be cheaper to pay the fines instead. Baird advised compliance.
Hogan suggested setting up a certification process funded from credit card interchange fees, which are the amounts the retailers pay to credit card associations such as Visa and MasterCard.