Merchant Trade Groups Come Together to Advocate for Changes to Data Security Standards
For Immediate Release
Contact: Kathy Grannis (202) 783-7971
E-mail: grannisk@nrf.com
--Letter to PCI Council and Credit Card Companies Outlines Important Changes to Help Safeguard Customer Data--
Washington, DC, June 9, 2009 -- In an effort to create more transparency and clarity in how data security standards are developed, several trade associations representing merchants in the retail, restaurant and hospitality sectors sent a joint letter to the Payment Card Industry (PCI) Security Standards Council and credit card executives outlining several guidelines that could be implemented immediately and that would make PCI more effective and cost-efficient.
The letter, sent by the National Retail Federation, National Restaurant Association, American Hotel and Lodging Association, National Council of Chain Restaurants, Association for Convenience & Petroleum Retailing, Merchant Advisory Group and the International Franchise Association, proposed the following recommendations:
- Incorporate a formal review and comment phase on revisions to the PCI DSS by participating membership before they are issued. This will result in more informed revisions and will increase merchants’ ability to effectively implement the revised standards. We suggest that the PCI SSC adopt a similar process for writing standards in an open environment as is used by Accredited Standards Committee X9 (ASC X9). As ASC X9 also maintains data security standards, we recommend the PCI SSC partner with them in an effort to create a single standard that could be used by all.
- Ensure the amount of time from issuance of a revision to the PCI DSS and the effective date is appropriate for all merchants, including Level-1 merchants making enterprise-wide changes, based on the revisions that are being implemented, as well as small operators without the resources to readily comply. This will allow merchants to most effectively assess and implement the necessary actions needed to meet the requirements of the revision. Along with this, we request that the sunset date of version 1.1 of the PCI DSS be extended to December 31, 2009.
- Follow, and adopt, the ASC X9 announcement of its plan to develop a new standard to protect cardholder data that may include end-to-end data encryption. By leveraging end-to-end encryption of credit card transactions, the industry could implement broad and consistent protections for consumers, businesses and the global electronic payment system by rendering card information useless to thieves.
- Utilize the concepts of key controls and controls rationalization to restructure the more than two hundred detailed requirements of the PCI DSS. (These concepts are similar to what the U.S. Government enacted for publicly traded companies as part of the Sarbanes-Oxley Act.) This would reduce the reporting and maintenance burden on companies by ensuring they place a focus on the key controls that reduce overall risk for their particular business model.
- Require credit card companies and their banks to provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to store credit card information for dispute resolution, putting customers at unnecessary risk.
“Whether you are a restaurant, department store, hotel or a gas station, data security is always a top priority,” said NRF CIO Dave Hogan. “With the support of the broader merchant community, we hope to make clear that there needs to be more collaboration in how these standards are created, communicated and enforced.”
The National Retail Federation is the world's largest retail trade association, with membership that comprises all retail formats and channels of distribution including department, specialty, discount, catalog, Internet, independent stores, chain restaurants, drug stores and grocery stores as well as the industry's key trading partners of retail goods and services. NRF represents an industry with more than 1.6 million U.S. retail establishments, more than 24 million employees - about one in five American workers - and 2008 sales of $4.6 trillion. As the industry umbrella group, NRF also represents more than 100 state, national and international retail associations. www.nrf.com.