    The Retail Credit Card Addiction

    By
    Evan Schuman
    -
    October 8, 2007

      Major retailers, just like any large business, do not like being told by partners what they can and can't do. When the credit card companies told merchants that they must retain credit card information to deal with returns and chargebacks, the merchants balked, but then agreed.

      Like any good business, they tried taking an unpleasant requirement and turning it into a business advantage. Consider suppliers being forced to use RFID (radio-frequency identification) who then use it to better track their own product movement or e-tailers who reluctantly comply with accessibility rules and then discover that it costs them less in programming and development and their pages load faster.

      Retailers started using the credit card numbers to identify purchases with specific consumers, given that they had to store them anyway. It turned out to be a convenient link into CRM (customer relationship management) systems, especially for customers who weren't using the traditional retailer-issued loyalty card.

      On the e-commerce front, some (relatively few, but some) online merchants were using the mandatory credit card retention to allow customers to make purchases more quickly.

      This has been going on for quite a few years. A relatively logical proposal floated by a major industry group is now threatening to rock the credit card boat, potentially exposing just how much retailers are now addicted to plastic numbers.

      Last week, the National Retail Federation formally launched its campaign to get credit card companies to permit retailers to not store credit card numbers.

      The move was masterminded by the NRF's CIO, Dave Hogan, who has floated this idea to the industry for months. (I remember him eloquently and passionately making his case for changing how credit cards are dealt with about two months ago, as I listened to him on a cell phone at a Toyota dealership, thinking this was one of the more surrealistic things to listen to while getting a car door rehinged.)

      Hogan's idea, in its simplest form, is that retailers should stop being required to save credit card information. If the credit card firms want it saved, they are quite free to save it themselves. After all, Hogan argued, “it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”

      Indeed, it does make sense. But Hogan's idea, while alluring and almost seductive (in an ultrageek-like data protection way), has several logistical roadblocks.

      For example, at best, the Hogan proposal could sharply minimize how long the sensitive credit card data is in the retailer's system, but it's not likely to eliminate it. For magstripe cards (contactless is a different situation), the numbers are going to be seen by the store employee (who is always the biggest security weak point) and will then almost certainly be entered into the retailer's system, en route to a processor for approval.

      Even if the number is dumped the instant the authorization response comes back, it's still there long enough to be sniffed or captured by a Trojan horse. Indeed, that's one of the things that TJX said happened to them.

      A contactless card could bypass the cashier, which helps a little. But to bypass the retailer's network entirely would require either a third-party service or having the processors or the card companies install their own devices at the point of sale.

      That's clearly a dramatic—and incredibly expensive—move by quite a few players in the payment space. Less dramatic approaches would be upgrading security to protect that small window of vulnerability, or to all but eliminate it.


      That gets us into the other practical issues surrounding this kind of payment procedure change. Few retailers handle their own payment process. So even if a major retailer decided to stop storing card numbers, it would likely need its POS vendor and various other technology partners to upgrade to handle the change.

      Prat Moghe, founder of data auditing vendor Tizor and a member of the PCI Security Vendor Alliance, estimated that it could take five years to make such a change with a large retail chain, at which point the move might be silly because of other unknown changes that will impact the payment world of early 2013.

      Even if Moghe's five-year estimate is exaggerated, his point that these things take a lot of time is a fair one.

      Another strong Moghe point is that credit card data—while essential—is a very small part of the confidential consumer data that the average large retailer retains. His take is that, even if successful, this kind of credit card process change wouldn't improve retail data protection as much as it may seem.

      Let's get to what the proposal actually is. The proposal is that the card companies back off and stop requiring retailers to retain the number. If the proposal went a step further and suggested that the PCI rules be changed to explicitly ban a retailer from retaining those numbers, that might change the issue.

      If the rule change merely permits retailers to do either, the huge headaches associated with a change this major—not to mention the costs—are likely to cause very few retailers to take advantage of it. Hence, it could result in only a very modest improvement in credit card information security.

      But if the rules forbid such data retention, that would force action. Most importantly, it would get POS vendors to make the change, which would quickly migrate to all of retail. It could be similar to Y2K, where even companies that did nothing eventually became Y2K compliant as they upgraded to Y2K-compliant apps.

      What has been the reaction of the PCI Council and the major credit cards? Thus far, nothing meaningful, at least not publicly. Privately, PCI Council folk have said that this is really a credit card issue—as opposed to a council issue—which is true.

      Credit card companies have not yet reacted strongly, although some have “generously” pointed out that their rules do not technically mandate that a retailer retain these numbers. That's technically true. If a retailer wants to forfeit the ability to challenge any customer who disputes a charge, it's free to do so. Not surprisingly, retailers aren't jumping at that offer.

      Retailers today say they do generally care about security, but when it comes to spending money or changing procedures, they get pragmatic. “Yes, we care about security, but we're not fanatics,” they tend to say.


      PCI certification, which many retailers have yet to pass, is something that retailers are pursuing, but only because they have to. That results in a bare-minimum attitude, where merchants will do as little as they can to comply with the letter of the requirements.

      Consider, for example, the difference between the extensive review processes that surround a typical large software or supplier contract and the one that covers the hiring of a PCI auditor. The contract awards for software or a new line of merchandise to sell can take a year, dozens of meetings and extensive oversight, whereas retailers often select their auditors with an evaluation process that's not much more sophisticated than rock/paper/scissors.

      There's no argument that the security procedures surrounding credit cards need to be improved, and Hogan's proposal is a very positive step in the right direction. But whether it's practical and politically palatable is a different issue. The bigger question, though, is whether retailers will make the effort.

      Any kind of meaningful change will require some pain, both in terms of investment dollars and a lot of procedural changes. How much will the retail CFO put up with for something that has very little chance to bring in any profits?

      Retail Center Editor Evan Schuman has tracked high-tech issues since 1987, has been opinionated long before that and doesn't plan to stop any time soon. He can be reached at [email protected]prise.com.


      Evan Schuman
      Evan Schuman is the editor of CIOInsight.com's Retail industry center. He has covered retail technology issues since 1988 for Ziff-Davis, CMP Media, IDG, Penton, Lebhar-Friedman, VNU, BusinessWeek, Business 2.0 and United Press International, among others. He can be reached by e-mail at [email protected]
