Dude.
Seriously.
Is anyone at the helm of the National Retail Federation? Did they forget to secure the dock lines on the U.S.S. NRF before they skipped into town for supplies, gleefully quoting Shel Silverstein’s Where the Sidewalk Ends along the way?
Let us leave this place where the smoke blows black
And the dark street winds and bends.
Past the pits where the asphalt flowers grow
We shall walk with a walk that is measured and slow,
And watch where the chalk-white arrows go
To the place where the sidewalk ends.
In this recent three-question interview with Dave Hogan, CIO of the NRF (courtesy of RIS Executive News Brief), there was either a massive case of misquoting, or he still doesn’t get it.
We’ll skip the first of the three questions since, once again, being compliant and having someone validate your compliance are two different things. The second question starts off great, but then he wanders off the path like a three-year-old who sees a shiny candy wrapper. From the interview:
Question: “Do credit card companies need to shoulder some of the responsibility behind storing and safeguarding credit card data?”
Answer: “The credit card companies have been brilliant about shifting the burden and the associated risk of credit cards onto the merchant. It is their system.”
Not too bad so far! The credit card system has been widely successful as our society continues to spend beyond our means, and/or move away from paper money to cashless payments. Then here comes that candy wrapper.
Shiny Object Answer: “The card associations should be promoting more secure forms of payment like Chip & Pin. This type of technology has been used in Europe and has significantly reduced credit card fraud. They should also provide (at no cost to the merchant) card readers that can accept these new types of cards.”
Uhh… what? Chip & PIN is the new Holy Grail of secure card acceptance? Last I checked, it slows down the bad guys, but does not stop them. There are flaws in that system as well. Besides, you have an issue with Chip & PIN in the US… acceptance! What good is a reader if no one carries a card to use in it?
I seriously doubt that the card associations would pay for the terminals. Even if they did, retailers would likely have to make major alterations to their software to handle both types of transactions in parallel. That’s definitely not free, and it will likely cost extra in downtime and in bugs that surface in production.
How about we just spend a little bit of time securing the data in flight? We can use the same technology to secure other types of data, like PII. It’s clear that the extension of retail networks harbors unique information security issues.
The final question and answer is priceless.
Question: “Should credit card companies stop forcing retailers to store data for years on end?”
Answer: “Visa and MasterCard may indicate that they do not directly force retailers to store credit card data. But indirectly, they do store it through the retrieval request process that is in place. Rather than requiring that merchants keep reams of data (currently required under card company rules as a means of managing charge backs and other internal processes) credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at time of sale and a truncated receipt. I would like them to go on record and state that ‘Retailers have the option to no longer store credit card data and they will not be penalized for not keeping credit card data.’”
. . .
Mr. Hogan, please read closely. If I can pound one message into your head, let it be this.
Ready? Here it comes.
CARD ASSOCIATIONS DO NOT REQUIRE MERCHANTS TO STORE CARD DATA. EVEN FOR CHARGEBACKS.
I have personally assisted numerous merchants of all levels in handling this. Especially with respect to chargebacks! The most memorable hiccup was when one card association (name deleted to protect the misguided) informed one of my customers that it would take two years and several million dollars to allow a truncated PAN for chargeback purposes. It was not until we got to the right person over there and explained that chargeback proof with a truncated number is sufficient that they realized the error of their ways. If there are banks out there requiring it, their PCI status should be clear to you… likely not compliant.
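The retention model Mr. Hogan asks for (an authorization code plus a truncated receipt) is something a merchant can build today. As an added illustration that is not from the post or from any card association's specification, the Python below turns a constructed authorization response into the only record kept for retrieval requests, dropping the full PAN and all sensitive authentication data; it assumes a first-six/last-four truncation format and invented field names.

```python
# Added example, not from the post: build the post-sale record a merchant keeps
# when only the authorization code and a truncated PAN are retained.
# Assumptions: first-six/last-four truncation; field names are invented.
import re

# Sensitive authentication data that must never be stored after authorization.
SAD_FIELDS = ("cvv", "track1", "track2", "pin_block")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, used only to validate the PAN before it is discarded."""
    total, parity = 0, len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return first six and last four digits; everything else is masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def chargeback_record(auth_response: dict) -> dict:
    """Keep only what is needed to answer a retrieval request or chargeback."""
    record = {
        "auth_code": auth_response["auth_code"],
        "pan_truncated": truncate_pan(auth_response["pan"]),
        "amount": auth_response["amount"],
        "timestamp": auth_response["timestamp"],
        "merchant_ref": auth_response["merchant_ref"],
    }
    # Defensive checks: no SAD field survives and the PAN cannot be rebuilt.
    assert not any(k in record for k in SAD_FIELDS + ("pan",))
    assert record["pan_truncated"].count("*") >= 3
    return record


# Constructed sample: a well-known test PAN that passes Luhn, not a real card.
SAMPLE_AUTH = {"pan": "4111 1111 1111 1111", "cvv": "123", "track2": "<constructed>",
               "auth_code": "A1B2C3", "amount": "42.17",
               "timestamp": "2008-01-01T12:00:00Z", "merchant_ref": "ORDER-0001"}
```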
The best part of the article is actually at the beginning, where through a paraphrase Dave says that the “PCI mandate will never be an effective deterrent to professional hackers.”
Wait a second. First you said PCI was too hard. Now you are saying it is not hard enough?
Is anyone else as confused as I am?
PCI is a polarizing issue for sure, but most reasonable people will agree that it does provide a decent baseline, and that it should not be the limit of your security program.
FUD like this only serves to further confuse major players in the market and to pollute the underlying message of the PCI-DSS: protect the data! Smart retailers have expanded upon their PCI efforts and invested in securing the business (rather than doing the bare minimum). Securing the business will allow for secure growth, a skill that many of our consultants specialize in at VeriSign.