Button: Member Login

NRF to Credit Card Companies: Stop Forcing Retailers to Store Credit Card Data

Click here to download complete version of letter to PCI Security Standards Council

For Immediate Release
Contact: Scott Krugman or Craig Shearman (202) 783-7971
krugmans@nrf.com or shearmanc@nrf.com 

NRF to Credit Card Companies:
Stop Forcing Retailers to Store Credit Card Data
--Letter to PCI Council Outlines Retail Industry’s Commitment to Data Security--

Washington, October 4, 2007 -- Citing concern over data breaches, the National Retail Federation today, in a letter to Payment Card Industry (PCI) Security Standards Council, requested changes in how the credit card industry requires merchants to store credit card data. 

“All of us -- merchants, banks, credit card companies and our customers -- want to eliminate credit card fraud,” said NRF Chief Information Officer David Hogan in the letter. “But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place.” 

The letter outlines the retail industry’s commitment to PCI compliance while addressing the issue that PCI itself does not discourage hackers from attempting breaches of retailers’ systems. 

“With this letter, we are officially putting the credit card industry on notice,” said Hogan. “Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.” 

Credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months in order to satisfy card company retrieval requests. According to NRF, retailers should have a choice as to whether or not they want to store credit card numbers at all. 

Hogan outlined NRF’s approach in the letter, stating that credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring that merchants keep reams of data for an extended period of time, putting retail customers at unnecessary risk. 

“If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished,” said Hogan. “The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.” 

Hogan concluded the letter by stating, “We believe this is the most effective and efficient approach to protecting credit card data and preventing a continuation of the data breaches that have been seen in recent years. If the PCI Security Standards Council is willing to solve this problem, NRF and its members stand ready to work with you to help you protect the nation’s consumers from the growing threat of credit card fraud.” 

The National Retail Federation is the world’s largest retail trade association, with membership that comprises all retail formats and channels of distribution including department, specialty, discount, catalog, Internet, independent stores, chain restaurants, drug stores and grocery stores as well as the industry’s key trading partners of retail goods and services. NRF represents an industry with more than 1.4 million U.S. retail establishments, more than 23 million employees – about one in five American workers – and 2006 sales of $4.7 trillion. As the industry umbrella group, NRF also represents more than 100 state, national and international retail associations. www.nrf.com.