Retailers propose overhaul of card-processing protocols
Much of the recent media coverage of Visa’s Sept. 30 data security deadline focused on the substantial number of major retailers that had not yet complied with the rules for protecting cardholder data set by Visa, MasterCard and other networks. Now retailers are launching a public relations counterattack, saying the credit card networks should not be requiring merchants to store cardholder data to begin with.
“If the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place,” wrote David Hogan, chief information officer of the National Retail Federation in a letter to the Payment Card Industry Security Standards Council, which oversees the PCI data-security rules. The federation’s proposal is that merchants be allowed to keep only the authorization code they receive for each transaction and a truncated version of the account number in case of disputes.
MasterCard Inc. responded by issuing a statement saying that the retailers’ claims that they are required to store sensitive transaction data are “inaccurate and unjustified. MasterCard has no rule or other requirement that a merchant retain any transaction data.”
So do retailers have to keep credit card numbers? They have to have access to the account number, and the expiration date, in the event of any dispute, including a fraud claim or a chargeback, says Avivah Litan, an analyst for research and consulting firm Gartner Inc. That means, under today’s rules, either a retailer or its payments processor must keep the cardholder data that is covered by PCI rules, generally for 12 to 18 months.
What the retailers are proposing is a major change to the way payment card transactions are processed, which would require a new processing protocol and extensive testing of networks, payment terminals and software, Litan says. She says the change, while time-consuming, makes sense, because it would take the burden of protecting cardholder data off the 6 million U.S. merchants that accept credit cards, and the 20 million worldwide.
However, Litan is not optimistic the retailers’ proposal will be adopted. In the meantime, she advises merchants to work with their processors so that the retailer need only keep a transaction code that maps to the cardholder data stored by the processor. And she encourages retailers to keep up the pressure on the card industry “to develop more secure standards and processes for the handling and storage of customers’ data.”
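The retention model described in the federation’s proposal and in Litan’s interim advice can be sketched in code: the processor keeps the cardholder data, and the merchant keeps only an opaque transaction reference, the authorization code and a truncated account number. This is an added illustration, not code from any card network, processor or the National Retail Federation; the `ProcessorVault` class, the record layouts and the sample card number are constructed for the example.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Authorization:
    """Approval data for one card payment (constructed sample shape)."""
    pan: str          # full primary account number; PCI-scoped
    expiry: str       # MMYY; needed for disputes, so also PCI-scoped
    auth_code: str    # issuer authorization code for the approval
    amount_cents: int

@dataclass(frozen=True)
class MerchantRecord:
    """What the merchant keeps under the proposal: no full PAN, no expiry."""
    transaction_ref: str   # opaque reference resolvable only by the processor
    auth_code: str
    pan_truncated: str     # last four digits only, the rest masked
    amount_cents: int

def truncate_pan(pan: str) -> str:
    """Mask all but the last four digits; rejects inputs outside PAN lengths."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]

class ProcessorVault:
    """Hypothetical processor-side store that holds the cardholder data."""
    def __init__(self) -> None:
        self._records: dict[str, Authorization] = {}
    def store(self, auth: Authorization) -> str:
        ref = secrets.token_hex(16)   # unguessable; carries no card data
        self._records[ref] = auth
        return ref
    def resolve(self, ref: str) -> Authorization:
        return self._records[ref]     # KeyError for an unknown reference

def settle(vault: ProcessorVault, auth: Authorization) -> MerchantRecord:
    """Hand the cardholder data to the processor; keep only the reference."""
    ref = vault.store(auth)
    return MerchantRecord(ref, auth.auth_code, truncate_pan(auth.pan), auth.amount_cents)

def leaks_pan(record: MerchantRecord, pan: str) -> bool:
    """True if the full PAN appears in any merchant-side field."""
    return any(pan in str(v) for v in vars(record).values())
```

A dispute is then handled by passing `transaction_ref` back to the processor, which is the only party able to resolve it to the account number and expiry date.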
Visa’s Sept. 30 deadline for PCI compliance covered the largest merchants—327 of them by Gartner’s count. In its latest public statement, issued in July, Visa reported that 40% of those retailers had satisfied the PCI requirements and that another 50% had submitted reports and were working to complete the certification process. The next-largest merchants face a Dec. 31 Visa deadline. Merchants that do not comply face fines of $5,000 to $25,000 per month. MasterCard has not announced deadlines or fines.