Retailers Shouldn’t Keep Card Data, NRF Tells Congress

National Retail Federation executive David Hogan told a congressional panel yesterday that security standards imposed on merchants by the credit card industry— known as Payment Card Industry (PCI) Data Security Standards — are only “an elaborate patch.”

WASHINGTON — National Retail Federation executive David Hogan told a congressional panel yesterday that security standards imposed on merchants by the credit card industry— known as Payment Card Industry (PCI) Data Security Standards — are only “an elaborate patch.”

Hogan, NRF’s senior vice president and chief information officer, added that a system in which retailers would not be required to store card numbers would do a better job of protecting consumers against credit card fraud.

“If the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place,” he said. “The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”

Visa and MasterCard claim retailers aren’t required to keep card information, but Hogan said retailers are required to produce a card receipt when purchases are disputed.

Hogan’s comments came as he testified at a hearing on whether data security standards mandated by the Payment Card Industry Security Standards Council run by Visa, MasterCard and other major credit card companies reduce “cybercrime.” The hearing was held by the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

Read More of Today's Headlines [2]