By  on October 4, 2007

The National Retail Federation Wednesday called on credit card companies to change the way they process transactions so retailers will no longer be liable when customer data is stolen. The change will also be good for consumers, said NRF chief information officer David Hogan, because it will make customer data more secure.

Instead of retailers keeping a customer's credit card number as part of their sales records, the bank would hold it. The retailer would retain only a truncated receipt and an authorization number linking back to the bank's data.

If retailers don't retain credit card numbers, they won't attract thieves, contended Hogan. The novel proposal would reverse the way credit card transactions have been handled for more than 40 years.

"To me, it is a very common sense approach," said Hogan. "We keep hearing about major breaches that keep occurring. One common thread is that they want credit card data. If we can change this [requirement to keep credit card numbers], there isn't going to be any incentive for these guys to go after that. The info will reside where it belongs, at the banks. That's their core competency."

There is growing public and industry concern over data security, as breaches at TJX, Stop & Shop, Ralph Lauren and other retailers, as well as at banks such as Citibank, make headlines. In addition, retailers have been sued for failing to comply with new federal laws designed to protect consumer data. When breaches have occurred, retailers, banks and credit card companies have tussled over who is responsible. Last month, a report from the Canadian government held that TJX was at fault, and TJX offered a preliminary settlement to its affected customers.

Credit card companies require retailers to comply with security standards known as Payment Card Industry Data Security Standards, or PCI. A deadline for Tier 1 retailers to comply passed at the beginning of this month. The NRF has called the standards "convoluted" and said only 40 percent of the largest retailers are compliant so far. By necessity, security standards are constantly evolving as thieves discover new ways to break into systems.

Under the NRF's proposal, if a customer contacts his or her credit card company to dispute a charge, the retailer would still be able to show a receipt with a signature, date and amount to prove a transaction had taken place and been authorized.

The NRF sent its request to the PCI Security Standards Council Wednesday. A spokesman there said members of the council were reviewing the proposal, but had no immediate comment.
