Tuesday, October 9, 2007
NRF Chief Information Officer David Hogan addressed the letter to Bob Russo, the PCI council's General Manager, and claimed that the PCI DSS has largely failed in its ultimate goal – to protect sensitive customer information from theft and fraudulent use. He argued that merchants should be required to store minimal customer data, if any.
"PCI … was supposed to prevent such crimes," Hogan wrote. "However, it is unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks. We believe the time has come to rethink the assumptions behind PCI."
According to Hogan, if the PCI DSS does not work, "the ultimate solution is to stop requiring merchants to store card data in the first place."
Hogan told The Green Sheet, "[Not storing the data] is a commonsense approach to reduce the risk of credit card fraud."
Hogan's idea was merchants should only have to store the authorization code provided at the time of sale and a truncated receipt. Therefore, the merchant would have a record of the transaction, showing approval by the credit card company. The sales receipt would be adequate as proof of purchase and in case of returns.
"Neither [the authorization code or the receipt] would contain the full account number. and would therefore be of no value to a potential thief," Hogan said.
But Adil Moussa, an Analyst for the Aite Group – an independent research and advisory firm focused on business, technology and regulatory issues and their impact on the financial services industry – took issue with Hogan's plan.
"Very logical, but really not the way to go," Moussa said. "The authorization code is not long enough. It's only six digits long and there is the possibility of duplication [of the numbers]."
Moussa preferred another approach that would utilize a "unique transaction code to identify the transaction and keep that record for ulterior processing of chargebacks if they happen."
But Scott Krugman, Vice President of Industry Public Relations at the NRF, disagreed with Moussa. According to Krugman, the authorization code and the receipt solution offered by Hogan would have enough accurate information in case of a chargeback.
"It's very, very, very simple," Krugman said. "The merchant should have [the customer's credit card number] only long enough to complete the transaction."
Moussa understood the NRF's concerns. "Mr. Hogan is saying, let's keep it simple," he said. "Why don't you (the card companies and the PCI council) simplify it so we (the merchants) don't have to jump through so many hoops?"
"All parties are interested in the same thing: To protect customers' information," Krugman said.
When it comes to merchants storing customer data, however, Hogan said "they (the PCI council and the card Associations) are talking from both sides of their mouth."
Requirement 3 of the PCI DSS guidelines states:
But, in Hogan's letter to the PCI Council, he wrote, "Credit card company rules require merchants to store the credit card data that criminals are so eager to steal."
Hogan wondered if the card companies created the PCI DSS in order "to make money" from fines levied on merchants who do not achieve PCI compliance.
"If they, the card companies, would agree in principal [with Hogan's idea] it's good for the consumer. … But if they don't want to significantly reduce data breaches and ultimately credit card fraud, then they're not that serious about helping the consumer."
At press time, The Green Sheet had been unable to reach Mr. Russo for comment.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
