According to an interview on 60 Minutes, the National Retail Federation’s position (says Dave Hogan, NRF’s CIO) is that the Card Associations are at fault for credit card fraud because the card associations require retailers to store consumers’ CC data. I can’t believe how wrong these guys are and that they are taking the national spotlight to try and scare consumers into believing this lie.
He also says he is not sure how vested the credit card companies are in securing customer data. The funny thing is the whole PCI Standard “thing” came about BECAUSE the card associations are interested in securing customer data, not the other way around.
And the notion of fines being a revenue stream is absurd. Look at the amount of cash that issuers and the members of Visa & MC are charged in fraud losses each year. We all hope that these fines go to promoting the securing of credit card data and lessening the impact of compromises to issuers. Do they? I certainly hope it is not another “Let’s get a state lottery to fund public education” bit.
Visa & MasterCard DO NOT require retailers to store customer data. Retailers sometimes do this as a convenience due to some failure in the process, such as a missed transaction. But the real problem comes in the lack of data cleaning and disposal by those collecting it.
There is absolutely no reason to keep a full credit card number past settlement.
…
Stop and think about that.
NO REASON to keep the data past settlement. Yet millions of retailers do! Why? Convenience? Because the “man” is out to get them and withhold revenue?
Nah, more likely, “Because that’s the way we have always done it.” In fact, we’ve had customers who have decided that they will just take chargebacks as an acceptable loss because the cost of securing and holding data is too expensive.
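As an added illustration of that retention point (example code, not part of the original post): a small Python sweep over a constructed settlement export that masks the full PAN on every settled row and then audits for any Luhn-valid full PAN still stored. The export format, field names and card numbers are all made up for the example.

```python
import re
from typing import List, Tuple

# Constructed sample data (not real transactions or card numbers): the kind of
# settlement export a retailer might keep around long after the batch closed.
SAMPLE_EXPORT = """\
txn=1001 pan=4111111111111111 amount=42.10 status=settled
txn=1002 pan=5555555555554444 amount=9.99 status=settled
txn=1003 pan=4012888888881881 amount=120.00 status=open
order=77 ref=1234567890123456 note=not-a-card
"""

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates a plausible PAN from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
STATUS_RE = re.compile(r"status=(\w+)")

def mask(pan: str) -> str:
    """Keep only the last four digits, which is all a settled record needs."""
    return "*" * (len(pan) - 4) + pan[-4:]

def retention_sweep(export: str) -> Tuple[str, List[str]]:
    """Rewrite an export so settled rows carry no full PAN; report each masked txn."""
    masked_rows, out = [], []
    for line in export.splitlines():
        status = STATUS_RE.search(line)
        pans = [p for p in PAN_RE.findall(line) if luhn_ok(p)]
        if status and status.group(1) == "settled" and pans:
            for p in pans:
                line = line.replace(p, mask(p))
            masked_rows.append(line.split()[0])
        out.append(line)
    return "\n".join(out) + "\n", masked_rows

def full_pans_remaining(export: str) -> List[str]:
    """Audit check: any Luhn-valid full PAN still present, whatever the row says."""
    return [p for p in PAN_RE.findall(export) if luhn_ok(p)]

if __name__ == "__main__":
    cleaned, rows = retention_sweep(SAMPLE_EXPORT)
    print(f"masked {len(rows)} settled rows: {rows}")
    print("full PANs still stored:", full_pans_remaining(cleaned))
```

The open transaction keeps its PAN until it settles; running the audit after the sweep is what shows whether the disposal step actually happened.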
Acquirers can and have offered to store data on a retailer’s behalf, but of course for added cost. Big surprise, security costs! Because so many retailers drive cost through the floor, they accept risk they cannot afford. Did TJX think they would spend over a half billion dollars this year cleaning up after a horrible breach? Probably not.
Mark Rasch is also seen in this piece and is absolutely correct in that retailers do not do enough to help secure data. Why not? Because it is not in their nature!
Retailers are good at retailing, not information security. Identity theft is forcing retailers to grow security brains and start to implement good controls to protect customers’ data. Does your company? Is your company taking the “I’m compliant until I’m compromised” stance?
Will it take a TJX-like event happening to your company to get the fire started?