The National Retail Federation said Friday that retailers were being unfairly blamed for failing to protect consumers from identity theft and credit card fraud.
This defense of the retail industry is a response to growing public concern over data breaches at TJX, Stop & Shop, Ralph Lauren and other retailers, as well as planned legislation in Massachusetts, Rhode Island and possibly at the federal level to make retailers rather than banks pay for all security costs.
Dave Hogan, the NRF's chief information officer, blamed credit card associations and point-of-sale technology vendors for the current tangle of retail computer systems that transmit and store consumer data in an unsafe manner.
Credit card associations such as Visa have security guidelines called Payment Card Industry Data Security Standards, commonly known as PCI. The standards mandate that retailers do not print out more than five numbers of a credit card or an expiration date on a receipt, and do not retain anywhere in their systems sensitive information such as the three-digit security codes found on the backs of cards, among other things. These and other safeguards are also required by a federal law that went into effect late last year. Since the law took effect, more than 30 large retailers, including Oakley Inc., have been sued for failing to properly truncate credit card information on receipts.
Only 40 percent of the largest retailers are PCI-compliant today, said Hogan. "But it is not due to lack of trying."
He called the PCI guidelines "convoluted." Hogan said it could take six to nine months for a retailer to find out if it was in compliance — if it can get an answer at all — because the banking and card associations have no structure in place and not enough resources to handle the questions that arise. Plus, he said, "The requirements have changed four or five times" over the past few years.
Retailers must rely on vendors who claim their systems are PCI-compliant, said Hogan and NRF senior vice president and general counsel Mallory Duncan.
Point-of-sale experts agreed that retail systems were not secure, but differed over whether retailers or vendors were to blame.
"Most of the obvious stuff has been fixed," said Nikki Baird, an analyst with Forrester Research Inc. of Cambridge, Mass. But even new software can have legacy code in it. "Where people get hung up is the deeper stuff: 'We didn't realize in this particular log we were holding this data. We thought that was taken care of.'"
Issa Rae stopped by WWD's NYC headquarters to talk about season two of "Insecure," which premieres this Sunday on HBO. Click link in bio for all the details. #wwdeye (📷: @jgreenery; Styled by @mayteallende)
A Stella McCartney sketch of a custom dress made from protein-based silk in partnership with biotech lab Bolt Threads. The dress will be displayed at The Museum of Modern Art's upcoming design exhibition, "Items: Is Fashion Modern?"