The Green Sheet

Tuesday, October 9, 2007

Is the PCI DSS pie in the sky? The NRF's Hogan wants to know

In a letter to the Payment Card Industry (PCI) Security Standards Council delivered Oct. 4, 2007, the National Retail Federation cited continued data security breaches despite the implementation of the PCI Data Security Standard (DSS) and the burden PCI compliance puts on merchants.

NRF Chief Information Officer David Hogan addressed the letter to Bob Russo, the PCI council's General Manager, and claimed that the PCI DSS has largely failed in its ultimate goal – to protect sensitive customer information from theft and fraudulent use. He argued that merchants should be required to store minimal customer data, if any.

"PCI … was supposed to prevent such crimes," Hogan wrote. "However, it is unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks. We believe the time has come to rethink the assumptions behind PCI."

According to Hogan, if the PCI DSS does not work, "the ultimate solution is to stop requiring merchants to store card data in the first place."

Hogan told The Green Sheet, "[Not storing the data] is a commonsense approach to reduce the risk of credit card fraud."

Hogan's idea was that merchants should have to store only the authorization code provided at the time of sale and a truncated receipt. The merchant would then have a record of the transaction showing approval by the credit card company, and the sales receipt would be adequate as proof of purchase and in case of returns.

"Neither [the authorization code nor the receipt] would contain the full account number, and would therefore be of no value to a potential thief," Hogan said.

But Adil Moussa, an Analyst for the Aite Group – an independent research and advisory firm focused on business, technology and regulatory issues and their impact on the financial services industry – took issue with Hogan's plan.

"Very logical, but really not the way to go," Moussa said. "The authorization code is not long enough. It's only six digits long and there is the possibility of duplication [of the numbers]."

Moussa preferred another approach that would utilize a "unique transaction code to identify the transaction and keep that record for ulterior processing of chargebacks if they happen."

But Scott Krugman, Vice President of Industry Public Relations at the NRF, disagreed with Moussa. According to Krugman, the authorization code and the receipt solution offered by Hogan would have enough accurate information in case of a chargeback.

"It's very, very, very simple," Krugman said. "The merchant should have [the customer's credit card number] only long enough to complete the transaction."

Moussa understood the NRF's concerns. "Mr. Hogan is saying, let's keep it simple," he said. "Why don't you (the card companies and the PCI council) simplify it so we (the merchants) don't have to jump through so many hoops?"
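The two positions above come down to a concrete data-handling question: what does a merchant keep after authorization, and is the six-digit authorization code enough to identify a transaction on its own? The following is an added example, not code from the article, the NRF or the Aite Group, that works through both points. It truncates a PAN to its last four digits for the receipt (an assumption here; PCI DSS masking rules permit at most the first six and last four to be shown), computes the expected number of duplicate authorization codes among N transactions using the birthday-bound approximation (the six-digit code space is taken from Moussa's statement), builds a record keyed by a hypothetical merchant-assigned transaction reference of the kind Moussa proposes, and scans the stored record to confirm no full card number survived. The card number used is a constructed Luhn-valid test value, not a real account.

```python
"""Added example: data-minimised transaction records (not from the article).

Demonstrates, for the discussion above:
  1. truncating a PAN so the stored receipt never holds a full card number
     (keeping only the last four digits is an assumption of this example),
  2. why a six-digit authorization code alone is not a unique key: the
     expected number of duplicate codes among N transactions,
  3. a merchant-assigned unique transaction reference (hypothetical scheme),
     and a scan confirming no full PAN survived in what is stored.
The card number below is a constructed test value, not a real account.
"""
import re
from typing import Dict

AUTH_CODE_SPACE = 10 ** 6  # six numeric digits, as stated by the analyst quoted above


def luhn_valid(digits: str) -> bool:
    """Luhn check, used only to decide whether a digit run looks like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return a receipt-style masked PAN keeping only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return "*" * (len(digits) - 4) + digits[-4:]


def expected_duplicate_pairs(n_transactions: int, space: int = AUTH_CODE_SPACE) -> float:
    """Expected number of transaction pairs sharing an authorization code if
    codes are uniformly distributed over `space` values (birthday bound)."""
    return n_transactions * (n_transactions - 1) / (2 * space)


def make_record(seq: int, merchant_id: str, pan: str,
                auth_code: str, amount_cents: int) -> Dict[str, str]:
    """Build the record a merchant keeps after authorization.

    The transaction reference is assembled from the merchant id and a
    monotonically increasing sequence number (hypothetical scheme); the
    record also holds the truncated PAN, the auth code and the amount.
    The full PAN is deliberately never stored.
    """
    if not re.fullmatch(r"\d{6}", auth_code):
        raise ValueError("authorization code must be six digits")
    return {
        "txn_ref": f"{merchant_id}-{seq:012d}",
        "pan_masked": truncate_pan(pan),
        "auth_code": auth_code,
        "amount_cents": str(amount_cents),
    }


def holds_full_pan(record: Dict[str, str]) -> bool:
    """Scan every stored field for a 13-19 digit run that passes Luhn,
    i.e. something that looks like a complete card number."""
    for value in record.values():
        for run in re.findall(r"\d{13,19}", value):
            if luhn_valid(run):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample input: a Luhn-valid test number, not a real account.
    sample_pan = "4111 1111 1111 1111"
    rec = make_record(1, "MERCH42", sample_pan, "123456", 4999)
    print(rec)
    print("full PAN present:", holds_full_pan(rec))
    # 10,000 authorizations against a six-digit code space
    print("expected duplicate auth-code pairs per 10k txns:",
          expected_duplicate_pairs(10_000))
```

The collision figure is the practical content of Moussa's objection: with roughly ten thousand authorizations, a merchant should expect about fifty pairs of transactions carrying the same six-digit code, so the code must be combined with a merchant-side reference (or date, terminal and amount) before it can anchor a chargeback lookup. The `holds_full_pan` scan is the kind of check a merchant would run over retained records and logs to verify that the data-minimisation intent actually holds.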

"All parties are interested in the same thing: To protect customers' information," Krugman said.

When it comes to merchants storing customer data, however, Hogan said "they (the PCI council and the card Associations) are talking from both sides of their mouth."

Requirement 3 of the PCI DSS guidelines states:

  • 3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

  • 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted).

But, in Hogan's letter to the PCI Council, he wrote, "Credit card company rules require merchants to store the credit card data that criminals are so eager to steal."

Hogan wondered if the card companies created the PCI DSS in order "to make money" from fines levied on merchants who do not achieve PCI compliance.

"If they, the card companies, would agree in principle [with Hogan's idea] it's good for the consumer. … But if they don't want to significantly reduce data breaches and ultimately credit card fraud, then they're not that serious about helping the consumer."

At press time, The Green Sheet had been unable to reach Mr. Russo for comment.
