"Right now this standard is the best defense against having credit card data stolen," said Bob Russo, the general manager of the PCI Security Standards Council, which manages and promotes adoption of the standards. "If you look at the major breaches we've read about in the last four or five years — and there have been some pretty big ones — if those merchants had been compliant with the standards we have now, you would not have been reading about it in the paper." (PCI standards have been available for just two years.)
In October, as reported, the NRF sent a proposal to the PCI Council, suggesting retailers jettison customer data so there is nothing for thieves to steal. In theory, merchants could keep only an authorization code and a physical receipt with the truncated credit card number, date, store location, dollar amount and customer signature. In the event of a disputed charge, the bank that issued the credit card would provide the card number and customer name. Hogan championed the idea on "60 Minutes," and said credit card companies are to blame for requiring retailers to keep unnecessary information. He also speculated that card companies back PCI security standards instead of the NRF proposal so they can earn revenue from fining retailers that don't comply.
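The retention scheme described above (keep only an authorization code, a truncated card number, date, location and amount, and never the full card number) can be enforced in code. The following is an added example, not code from the article, the NRF or the PCI Council: it masks a primary account number to its last four digits after a Luhn check, builds a minimal retention record with assumed field names, and scans any stored text for full card numbers that should not be there. The card number used is the constructed test value 4111 1111 1111 1111, and the detection regex is a heuristic, not a PCI-mandated rule.

```python
import re
from dataclasses import dataclass
from datetime import date


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits; reject input that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class RetainedTransaction:
    """The minimal record a merchant keeps (field names are assumptions)."""
    auth_code: str
    pan_masked: str
    txn_date: date
    store_location: str
    amount_cents: int


def minimize(raw: dict) -> RetainedTransaction:
    """Build the retention record from an authorization response; the full PAN is dropped."""
    return RetainedTransaction(
        auth_code=raw["auth_code"],
        pan_masked=truncate_pan(raw["pan"]),
        txn_date=raw["txn_date"],
        store_location=raw["store_location"],
        amount_cents=raw["amount_cents"],
    )


# Heuristic: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?:\d[ -]?){13,19}")


def contains_full_pan(text: str) -> bool:
    """True if the text holds a Luhn-valid digit run that looks like a full card number."""
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample authorization response.
    sample = {
        "auth_code": "A1B2C3",
        "pan": "4111 1111 1111 1111",
        "txn_date": date(2007, 11, 5),
        "store_location": "Store 42",
        "amount_cents": 4599,
    }
    record = minimize(sample)
    print(record)
    print("full PAN retained:", contains_full_pan(repr(record)))
```

The scan function is the useful half for a defender: run it over log lines, receipts or database exports to catch the full card numbers that the retention policy says should no longer exist.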
Russo of PCI wholeheartedly agreed retailers should retain as little customer information as possible. Credit card member associations and the PCI Council do not require retailers to retain customer data, but some issuing banks might, he acknowledged.
A handful of retailers are already disposing of customer data, and a handful more plan to, according to Hogan, even if it means they may have to eat the cost of the transaction in the case of a disputed charge.