The Retail Credit Card Addiction

Opinion: A proposal to allow merchants to not have to save credit card numbers is bringing to light how those numbers are being used beyond just charging products.

Major retailers, just like any large business, do not like being told by partners what they can and can't do. But when the credit cards told merchants that they must retain credit card information to deal with returns and chargebacks, they balked, but then agreed.

Like any good business, they tried taking an unpleasant requirement and turning it into a business advantage. Consider suppliers being forced to use RFID (radio-frequency identification) who then use it to better track their own product movement or e-tailers who reluctantly comply with accessibility rules and then discover that it costs them less in programming and development and their pages load faster.

Retailers started using the credit card numbers to identify purchases with specific consumers, given that they had to store them anyway. It turned out to be a convenient link into CRM (customer relationship management) systems, especially for customers who weren't using the traditional retailer-issued loyalty card.

On the e-commerce front, some (relatively few, but some) online merchants were using the mandatory credit card retention to allow customers to make purchases more quickly.

This has been going on for quite a few years. A relatively logical proposal floated by a major industry group is now threatening to rock the credit card boat, potentially exposing just how much retailers are now addicted to plastic numbers.

Last week, the National Retail Federation formally launched its campaign to get credit card companies to permit retailers to not store credit card numbers.

The move was masterminded by the NRF's CIO, Dave Hogan, who has floated this idea to the industry for months. (I remember him eloquently and passionately making his case for changing how credit cards are dealt with about two months ago, as I listened to him on a cell phone at a Toyota dealership, thinking this was one of the more surrealistic things to listen to while getting a car door rehinged.)

Hogan's idea, in its simplest form, is that retailers should stop being required to save credit card information. If the credit card firms want it saved, they are quite free to save it themselves. After all, Hogan argued, "it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

Indeed, it does make sense. But Hogan's idea, while alluring and almost seductive (in an ultrageek-like data protection way), has several logistical roadblocks.

For example, at best, the Hogan proposal could sharply minimize how long the sensitive credit card data is in the retailer's system, but it's not likely to eliminate it. For magstripe cards (contactless is a different situation), the numbers are going to be seen by the store employee (who is always the biggest security weak point) and will then be almost certainly entered into the retailer's system, en route to a processor for approval.

Even if the number is dumped the instant the verification number comes back, it's still there long enough to be sniffed or captured by a Trojan Horse. Indeed, that's one of the things that TJX said happened to them.

A contactless card could bypass the cashier, which helps a little. But to bypass the retailer's network entirely would require either a third-party service or to have the processors or the card companies install their own devices at the point of sale.

That's clearly a dramatic—and incredibly expensive—move by quite a few players in the payment space. Less dramatic approaches would be upgrading security to protect that small window of vulnerability or to all but eliminate it.
