The National Retail Federation said Friday that retailers were being unfairly blamed for failing to protect consumers from identity theft and credit card fraud.
This defense of the retail industry is a response to growing public concern over data breaches at TJX, Stop & Shop, Ralph Lauren and other retailers, as well as planned legislation in Massachusetts, Rhode Island and possibly at the federal level to make retailers rather than banks pay for all security costs.
Dave Hogan, the NRF's chief information officer, blamed credit card associations and point-of-sale technology vendors for the current tangle of retail computer systems that transmit and store consumer data in an unsafe manner.
Credit card associations such as Visa have security guidelines called Payment Card Industry Data Security Standards, commonly known as PCI. The standards mandate that retailers do not print out more than five numbers of a credit card or an expiration date on a receipt, and do not retain anywhere in their systems sensitive information such as the three-digit security codes found on the backs of cards, among other things. These and other safeguards are also required by a federal law that went into effect late last year. Since the law took effect, more than 30 large retailers, including Oakley Inc., have been sued for failing to properly truncate credit card information on receipts.
Only 40 percent of the largest retailers are PCI-compliant today, said Hogan. "But it is not due to lack of trying."
He called the PCI guidelines "convoluted." Hogan said it could take six to nine months for a retailer to find out if it was in compliance — if it can get an answer at all — because the banking and card associations have no structure in place and not enough resources to handle the questions that arise. Plus, he said, "The requirements have changed four or five times" over the past few years.
Retailers must rely on vendors who claim their systems are PCI-compliant, said Hogan and NRF senior vice president and general counsel Mallory Duncan.
Point-of-sale experts agreed that retail systems were not secure, but differed over whether retailers or vendors were to blame.
"Most of the obvious stuff has been fixed," said Nikki Baird, an analyst with Forrester Research Inc. of Cambridge, Mass. But even new software can have legacy code in it. "Where people get hung up is the deeper stuff: 'We didn't realize in this particular log we were holding this data. We thought that was taken care of.'"
"The final responsibility rests with the retailer," said Greg Buzek, a consultant and analyst with IHL Consulting Group of Franklin, Tenn. A POS vendor can certify its systems, but the retailer must also certify the implementation, he said. "Every one of us has a car that can go faster than the speed limit," he said. "If we drive faster than the speed limit and get into an accident, is that the manufacturer's fault or the driver's?"
Credit card associations can fine retailers for failing to comply with the guidelines, but the verification process can cost millions of dollars, so some retailers are considering whether it may be more advantageous to pay the fines instead. Baird advised compliance.
Hogan suggested setting up a certification process funded from credit card interchange fees, which are the amounts the retailers pay to credit card associations such as Visa and MasterCard.