The National Retail Federation said Friday that retailers were being unfairly blamed for failing to protect consumers from identity theft and credit card fraud.
This defense of the retail industry is a response to growing public concern over data breaches at TJX, Stop & Shop, Ralph Lauren and other retailers, as well as planned legislation in Massachusetts, Rhode Island and possibly at the federal level to make retailers rather than banks pay for all security costs.
Dave Hogan, the NRF's chief information officer, blamed credit card associations and point-of-sale technology vendors for the current tangle of retail computer systems that transmit and store consumer data in an unsafe manner.
Credit card associations such as Visa have security guidelines called Payment Card Industry Data Security Standards, commonly known as PCI. The standards mandate that retailers do not print out more than five numbers of a credit card or an expiration date on a receipt, and do not retain anywhere in their systems sensitive information such as the three-digit security codes found on the backs of cards, among other things. These and other safeguards are also required by a federal law that went into effect late last year. Since the law took effect, more than 30 large retailers, including Oakley Inc., have been sued for failing to properly truncate credit card information on receipts.
Only 40 percent of the largest retailers are PCI-compliant today, said Hogan. "But it is not due to lack of trying."
He called the PCI guidelines "convoluted." Hogan said it could take six to nine months for a retailer to find out if it was in compliance — if it can get an answer at all — because the banking and card associations have no structure in place and not enough resources to handle the questions that arise. Plus, he said, "The requirements have changed four or five times" over the past few years.
Retailers must rely on vendors who claim their systems are PCI-compliant, said Hogan and NRF senior vice president and general counsel Mallory Duncan.
Point-of-sale experts agreed that retail systems were not secure, but differed over whether retailers or vendors were to blame.
"Most of the obvious stuff has been fixed," said Nikki Baird, an analyst with Forrester Research Inc. of Cambridge, Mass. But even new software can have legacy code in it. "Where people get hung up is the deeper stuff: 'We didn't realize in this particular log we were holding this data. We thought that was taken care of.'"
"The final responsibility rests with the retailer," said Greg Buzek, a consultant and analyst with IHL Consulting Group of Franklin, Tenn. A POS vendor can certify its systems, but the retailer must also certify the implementation, he said. "Every one of us has a car that can go faster than the speed limit," he said. "If we drive faster than the speed limit and get into an accident, is that the manufacturer's fault or the driver's?"
Credit card associations can fine retailers for failing to comply with the guidelines, but the verification process can cost millions of dollars, so some retailers are considering whether it may be more advantageous to pay the fines instead. Baird advised compliance.
Hogan suggested setting up a certification process funded from credit card interchange fees, which are the amounts the retailers pay to credit card associations such as Visa and MasterCard.