Major retailers, just like any large business, do not like being told by partners what they can and cant do. But when the credit cards told merchants that they must retain credit card information to deal with returns and chargebacks, they balked, but then agreed.
Like any good business, they tried taking an unpleasant requirement and turning it into a business advantage. Consider suppliers being forced to use RFID (radio-frequency identification) who then use it to better track their own product movement or e-tailers who reluctantly comply with accessibility rules and then discover that it costs them less in programming and development and their pages load faster.
Retailers started using the credit card numbers to identify purchases with specific consumers, given that they had to store them anyway. It turned out to be a convenient link into CRM (customer relationship management) systems, especially for customers who werent using the traditional retailer-issued loyalty card.
On the e-commerce front, some (relatively few, but some) online merchants were using the mandatory credit card retention to allow customers to make purchases more quickly.
This has been going on for quite a few years. A relatively logical proposal floated by a major industry group is now threatening to rock the credit card boat, potentially exposing just how much retailers are now addicted to plastic numbers.
Last week, the National Retail Federation formally launched its campaign to get credit card companies to permit retailers to not store credit card numbers.
The move was masterminded by the NRFs CIO, Dave Hogan, who has floated this idea to the industry for months. (I remember him eloquently and passionately making his case for changing how credit cards are dealt with about two months ago, as I listened to him on a cell phone at a Toyota dealership, thinking this was one of the more surrealistic things to listen to while getting a car door rehinged.)
Hogans idea, in its simplest form, is that retailers should stop being required to save credit card information. If the credit card firms want it saved, they are quite free to save it themselves. After all, Hogan argued, “it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”
Indeed, it does make sense. But Hogans idea, while alluring and almost seductive (in an ultrageek-like data protection way), has several logistical roadblocks.
For example, at best, the Hogan proposal could sharply minimize how long the sensitive credit card data is in the retailers system, but its not likely to eliminate it. For magstripe cards (contactless is a different situation), the numbers are going to be seen by the store employee (who is always the biggest security weakpoint) and will then be almost certainly entered into the retailers system, en route to a processor for approval.
Even if the number is dumped the instant the verification number comes back, its still there long enough to be sniffed or captured by a Trojan Horse. Indeed, thats one of the things that TJX said happened to them.
A contactless card could bypass the cashier, which helps a little. But to bypass the retailers network entirely would require either a third-party service or to have the processors or the card companies install their own devices at the point of sale.
Thats clearly a dramatic—and incredibly expensive—move by quite a few players in the payment space. Less dramatic approaches would be upgrading security to protect that small window of vulnerability or to all but eliminate them.
Page 2: The Retail Credit Card Addiction
The Retail Credit Card
That gets us into the other reality issues surrounding this kind of payment procedure change. Few retailers handle their own payment process. So even if a major retailer made a decision to not store card numbers any more, they would likely need their POS vendor and various other technology partners to upgrade to handle the change.
Prat Moghe, founder of data auditing vendor Tizor and a member of the PCI Security Vendor Alliance, estimated that it could take five years to make such a change with a large retail chain, at which point the move might be silly because of other unknown changes that will impact the payment world of early 2013.
Even if Moghes five-year plan might be exaggerated, his point that these things take a lot of time is a fair one.
Another strong Moghe point is that credit card data—while essential—is a very small part of the confidential consumer data that the average large retailer retains. His take is that, even if successful, this kind of a credit card process change wouldnt improve retail data protection as much as it may seem.
Lets let get to what the proposal is. The proposal is that the card companies back off and stop requiring the retailers to retain the number. If the proposal went a step further and suggested that the PCI rules be changed to explicitly ban a retailer from retaining those numbers, that might change the issue.
If the rule change merely permits retailers to do either, the huge headaches associated with this major a change—not to mention the costs—are likely going to cause very few retailers to take advantage of the change. Hence, it could result in a very modest improvement in credit card information security.
But if the rules forbid such data retention, that would force action. Must importantly, it would get POS vendors to make the change, which would quickly migrate to all of retail. It could be similar to Y2K, where even companies who did nothing eventually became Y2K compliant as they upgrade to Y2K-complaint apps.
What has been the reaction of the PCI Council and the major credit cards? Thus far, nothing meaningful, at least not publicly. Privately, PCI Council folk have said that this is really a credit card issue—as opposed to a council issue—which is true.
Credit card companies have not yet reacted strongly, although some have “generously” pointed out that their rules do not technically mandate that a retailer retain these numbers. Thats technically true. If a retailer wants to forfeit the ability to challenge any customer who disputes a charge, theyre free to do so. Not surprisingly, retailers arent jumping at that offer.
Retailers today say they do generally care about security, but when it comes to spending money or changing procedures, the get pragmatic. “Yes, we care about security, but were not fanatics,” they tend to say.
The PCI certification, which many retailers have yet to pass, is something that retailers are doing, but theyre pursuing it because they have to. That results in bare-minimum kind of attitudes, where merchants will do as little as they can to barely comply to the letter of the requirements.
Consider, for example, the difference between the extensive review processes that surround a typical large software or supplier contract and the one that covers the hiring of a PCI auditor. The contract awards for software or a new line of merchandise to sell can take a year, dozens of meetings and extensive oversight, whereas retailers often select their auditors using evaluation sophistication thats not much more complicated than rock/paper/scissors.
Theres no argument that security procedures surrounding credit card need to be improved, and Hogans proposal is a very positive step in the right direction. But whether its practical and politically palatable is a different issue. The bigger question, though, is whether retailers will make the effort.
Any kind of meaningful change will require some pain, both in terms of investment dollars and a lot of procedural changes. How much will the retail CFO put up with for something that has very little chance to bring in any profits?
Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesnt plan to stop any time soon. He can be reached at [email protected]prise.com.
To read earlier retail technology opinion columns from Evan Schuman, please click here.