Retailers Battle Persistent Data Security Lapses

Retailers just can't seem to put the scandal over safeguarding customer data behind them.

Appeared in the WWD Year In Fashion special issue, 2007/12/11
In the retail world, executives said there is plenty of blame to go around. Many retailers are not yet compliant with security standards established by the credit card companies, known as PCI, said Dave Hogan, chief information officer for the National Retail Federation. As of October, 65 percent of the largest merchants are compliant, up from 36 percent in December 2006. Among medium-size retailers, compliance grew from 15 percent in December 2006 to 43 percent as of the end of September this year, according to the most recent report from Visa.

"Right now this standard is the best defense against having credit card data stolen," said Bob Russo, the general manager of the PCI Security Standards Council, which manages and promotes adoption of the standards. "If you look at the major breaches we've read about in the last four or five years — and there have been some pretty big ones — if those merchants had been compliant with the standards we have now, you would not have been reading about it in the paper." (PCI standards have been available for just two years.)

In October, as reported, the NRF sent a proposal to the PCI Council, suggesting retailers jettison customer data so there is nothing for thieves to steal. In theory, merchants could keep only an authorization code and a physical receipt with the truncated credit card number, date, store location, dollar amount and customer signature. In the event of a disputed charge, the bank that issued the credit card would provide the card number and customer name. Hogan championed the idea on "60 Minutes," and said credit card companies are to blame for requiring retailers to keep unnecessary information. He also speculated that card companies back PCI security standards instead of the NRF proposal so they can earn revenue from fining retailers that don't comply.
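The retention scheme in the NRF proposal, as an added illustration (not code from the article or from the NRF): a point-of-sale record is reduced to the fields the proposal lists, and a check confirms the retained record holds no Luhn-valid card number. The function and field names and the sample transaction are constructed for this example; the card number is a widely published test number, not a real account.

```python
import re

# Constructed sample transaction as a point-of-sale system might capture it
# before minimization (test data only).
FULL_TRANSACTION = {
    "pan": "4111111111111111",
    "cardholder": "A. Shopper",
    "auth_code": "A1B2C3",
    "date": "2007-12-11",
    "store": "Store 0042",
    "amount_cents": 12999,
    "signature_ref": "sig-00042-0001",
}

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, as printed on a customer receipt."""
    return "*" * (len(pan) - 4) + pan[-4:]

def minimize_transaction(tx: dict) -> dict:
    """Build the record a retailer would retain: authorization code plus the
    receipt fields (truncated number, date, store, amount, signature)."""
    return {
        "auth_code": tx["auth_code"],
        "pan_truncated": truncate_pan(tx["pan"]),
        "date": tx["date"],
        "store": tx["store"],
        "amount_cents": tx["amount_cents"],
        "signature_ref": tx["signature_ref"],
    }

# A run of 13 to 19 digits not touching other digits: the shape of a card number.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def contains_pan(record: dict) -> bool:
    """Retention check: does any field still hold a Luhn-valid card number?"""
    for value in record.values():
        for run in PAN_RUN.findall(str(value)):
            if luhn_ok(run):
                return True
    return False
```

Running `contains_pan` over records before they are written to long-term storage is a cheap guard that the minimization actually happened.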

Russo of PCI wholeheartedly agreed retailers should retain as little customer information as possible. Credit card member associations and the PCI Council do not require retailers to retain customer data, but some issuing banks might, he acknowledged.

A handful of retailers are already disposing of customer data and a handful more plan to, Hogan said, even if it means they may have to absorb the cost of a transaction in the case of a disputed charge.