The Retail Credit Card Addiction

That gets us into the other reality issues surrounding this kind of payment procedure change. Few retailers handle their own payment process. So even if a major retailer made a decision to not store card numbers any more, they would likely need their POS vendor and various other technology partners to upgrade to handle the change. Prat Moghe, founder of data auditing vendor Tizor and a member of the PCI Security Vendor Alliance, estimated that it could take five years to make such a change with a large retail chain, at which point the move might be silly because of other unknown changes that will impact the payment world of early 2013.

Even if Moghe's five-year plan might be exaggerated, his point that these things take a lot of time is a fair one.

Another strong Moghe point is that credit card data—while essential—is a very small part of the confidential consumer data that the average large retailer retains. His take is that, even if successful, this kind of credit card process change wouldn't improve retail data protection as much as it may seem.

Let's get to what the proposal is. The proposal is that the card companies back off and stop requiring the retailers to retain the number. If the proposal went a step further and suggested that the PCI rules be changed to explicitly ban a retailer from retaining those numbers, that might change the issue. If the rule change merely permits retailers to do either, the huge headaches associated with a change this major, not to mention the costs, are likely going to cause very few retailers to take advantage of the change. Hence, it could result in a very modest improvement in credit card information security.

But if the rules forbid such data retention, that would force action. Most importantly, it would get POS vendors to make the change, which would quickly migrate to all of retail.
It could be similar to Y2K, where even companies who did nothing eventually became Y2K compliant as they upgraded to Y2K-compliant apps.

What has been the reaction of the PCI Council and the major credit cards? Thus far, nothing meaningful, at least not publicly. Privately, PCI Council folk have said that this is really a credit card issue—as opposed to a council issue—which is true. Credit card companies have not yet reacted strongly, although some have "generously" pointed out that their rules do not technically mandate that a retailer retain these numbers. That's technically true. If a retailer wants to forfeit the ability to challenge any customer who disputes a charge, they're free to do so. Not surprisingly, retailers aren't jumping at that offer.

Retailers today say they do generally care about security, but when it comes to spending money or changing procedures, they get pragmatic. "Yes, we care about security, but we're not fanatics," they tend to say.

The PCI certification, which many retailers have yet to pass, is something that retailers are doing, but they're pursuing it because they have to. That results in bare-minimum attitudes, where merchants will do as little as they can to barely comply with the letter of the requirements.

Consider, for example, the difference between the extensive review processes that surround a typical large software or supplier contract and the one that covers the hiring of a PCI auditor. The contract awards for software or a new line of merchandise to sell can take a year, dozens of meetings and extensive oversight, whereas retailers often select their auditors using evaluation sophistication that's not much more complicated than rock/paper/scissors.

There's no argument that security procedures surrounding credit cards need to be improved, and Hogan's proposal is a very positive step in the right direction.
But whether it's practical and politically palatable is a different issue.

The bigger question, though, is whether retailers will make the effort. Any kind of meaningful change will require some pain, both in terms of investment dollars and a lot of procedural changes. How much will the retail CFO put up with for something that has very little chance to bring in any profits?

Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at Evan.Schuman@ziffdavisenterprise.com.