Retailers do not need to store credit card data
October 11th, 2007 Posted in Merchant, PCI DSS, PCI SSC
There has been a lot of conversation about what David Hogan, CIO of the National Retail Federation (NRF), said in his letter to the PCI SSC. The quote that everyone has been circulating is (copy of letter):
All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place.
First off, there is a fine line here in what data storage we are actually talking about. Saying that credit card numbers must be retained by the merchant is really a matter of nuance: they should only be needed for chargeback purposes, and even that need can be minimized.
The card brands are not responsible for the fact that most merchants store full track data, at every point of sale machine, for a period ranging from 2 weeks to 3+ years. They are not responsible for the weak security controls that many merchants have on their environments. And the card brands are definitely not responsible for the fraud that is perpetrated against merchants.
I’m glad that Martin McKeay stepped in to point out that the PCI SSC is independent of the card brands and thus directing the letter to them was more of a PR thing than an actual intent to change the rules of engagement.
If a merchant decides to retain the primary account number (PAN), they need only keep it in one location (instead of throughout the entire enterprise), and they can secure it there (encrypting, hashing, truncating, tokens). It’s not a complex process, and it is something every merchant should be doing as an act of good faith toward their customers.
The good thing is that most major merchants have completed the PCI DSS compliance process and have secured their data. More and more every day submit validation documents showing that they are keeping the consumer’s data safe.
Update: Bruce Schneier has blogged about this topic and there’s a link in the comments back to ours. I would recommend reading the comments to his post as the conversation on this topic has just begun…
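As an added illustration (not part of the original post or any vendor's product) of the "keep it in one place and secure it" approach above, the following Python sketch shows what a merchant's own transaction record can look like once the full PAN lives only in a hypothetical token vault: the record keeps a truncated PAN, a random token, and a keyed hash for later matching, but never the full number. The PAN, key and vault are constructed test values.

```python
import hmac
import hashlib
import secrets

# Constructed sample transaction using a well-known test PAN, not a real cardholder's number.
SAMPLE_TXN = {"pan": "4111111111111111", "exp": "1209", "amount": "42.00",
              "auth_code": "A1B2C3", "txn_id": "T-0001"}

def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed input is rejected before it reaches the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Masked form: at most the first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_lookup_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC) for matching a PAN later without storing it.
    An unkeyed hash of a 16-digit number is brute-forceable, so a secret key is required."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Hypothetical single location that holds full PANs (in practice an HSM-backed service)."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(8)   # random surrogate, no relation to the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]

def record_for_storage(txn: dict, vault: TokenVault, key: bytes) -> dict:
    """What the merchant's own systems keep: the full PAN appears nowhere in it."""
    pan = txn["pan"]
    return {"pan_masked": truncate_pan(pan), "pan_token": vault.tokenize(pan),
            "pan_hmac": pan_lookup_hash(pan, key), "exp": txn["exp"],
            "amount": txn["amount"], "auth_code": txn["auth_code"], "txn_id": txn["txn_id"]}
```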
14 Responses to “Retailers do not need to store credit card data”
By tx on Oct 12, 2007
I’m in the exact troublesome position right now where my customer is changing their POS environment and takes every step not to save any card info, BUT their acquiring bank demands that they store complete transaction info (encrypted PANs etc.) for 30 days to be able to request them again for processing, and an additional 24 months for refund/investigative purposes.. My customer doesn’t want to store anything, not even encrypted info, since it would require much less security controls for them, but their acquirer makes this impossible..
By PG on Oct 12, 2007
If I understand David Hogan’s point correctly, he’s basically suggesting that instead of storing a card number (that is reusable and therefore has value to hackers) we have a system whereby the value stored cannot be reused, but still allows the acquirers to know that at some point the card number was verified.
By analogy, with the system we have now you’re effectively giving every retailer you visit a copy of your house key and asking them to keep the key safe. With the best will in the world it’s far too easy for one rogue employee to abuse that key.
By Walter on Oct 12, 2007
With respect to TX’s comment on the acquirer mandating the merchant keep the PAN… My first thought was to get a new acquirer! On reflection, though, are you sure your merchant is speaking to the compliance (and not the sales) people at the acquirer? My experience is that sometimes the sales folks block such direct (and critical) contact, leading to all sorts of confusion.
By Michael Dahn on Oct 12, 2007
I agree with Dave, PG, and others about not storing the PAN. It *is* a problem that needs to be addressed, but it is something the acquirers, gateways, and agents need to address, not the card brands.
What the card brands are trying to do is reduce the bleeding, a.k.a. the large and massive loss of track data, CVV2, and PIN block information. If a merchant does nothing else, they should first make sure they are not storing this information.
Secondarily they should work to eliminate the PAN or secure it. I agree that the system could be better, but Walter is right that it can be changed by merchants spending their dollars at places who support these changes.
Vote with your money - be it cash or credit card.
By tx on Oct 14, 2007
Walter, it’s not that easy at all times just to change your acquirer, and yes, we do talk to the right people at the acquirer. Compliance and business do collide on more than a few occasions, and in the end compliance seems to draw the short straw when doing business with the banks.
Anyway, I can’t understand why everyone talks about “it is okay to store PANs if you do it encrypted” when it would be so much easier if the banks/acquirers took their responsibility by not demanding that the merchant do so, and instead had systems that didn’t require the merchant to store complete PANs.
I think I have said it 1000 times: not storing sensitive information = minimal risk, in terms of what PCI DSS aims to achieve.
We work hard to get there, but it seems like all those acquiring systems built in the 80’s do not allow for changes to be made to them.. or the banks just don’t want to invest anything, just keep making billions in profit.. *irony*
By kilauea on Oct 15, 2007
I have recently completed a level 1 on a very large retail outlet, and their acquirer mandates keeping full PAN data for 4 years for investigation / chargeback etc.
I also know that one of the card brands emails PANs to the retailer in unencrypted emails for investigation.
And this sort of “do as I say, not as I do” attitude does nothing to foster good relations with the retailers - who lest we forget generate all the revenue that this eco-system survives on.
By Walter on Oct 15, 2007
What these comments are reinforcing is that there are inconsistent messages coming from acquirers. A couple of thoughts…
Fact: The Associations (MasterCard and Visa) are Issuer-driven. Interchange is based on cost recovery, and it flows to the Issuer. The Issuing side also gets the cardholder fees, interest, etc. Take it from one who has worked on the merchant side, it can get lonely.
Fact: Acquirers, too, are struggling with PCI. I have had the uncomfortable experience of moderating a PCI workshop where a panelist from a major bank completely contradicted a statement made earlier by an equally senior person from the same bank. This is why I am saddened but not particularly surprised to hear one acquirer wants their merchants to keep PANs for 4 years. I work with clients who purge PANs after 90 days since they don’t get exception items after that time. Their acquirer is overjoyed.
Thought: Could/should the associations (or the PCI Council?) spend a little more time on training for acquirers? At the PCI Community Meeting in Toronto I saw lots of merchants and QSAs, but precious few acquirers. A lot of the stuff there would be useful to them.
Note to Michael and Chris: I hate to be a PITA, but do you think there is interest in the Associations for more acquirer staff training? I know acquirers are the ‘orphans’ in this mix, but they are pretty important to us all. Just a thought…
By Michael Dahn on Oct 15, 2007
Walter, to your point about training and education, over the past year Visa has contracted with us to train over 3000+ merchants, acquirers, and processors. If you know of an acquirer who is not getting the PCI training and education they want have them contact Visa or me directly, because they are missing out.
By Walter on Oct 15, 2007
Michael,
Exactly! And as one of the 3000, I can confirm the training is outstanding and very practical. I guess the message is: when your acquirer says something suspect, have them get to one of the training sessions!
By DAG on Oct 16, 2007
This topic has hit Schneier’s blog and is drawing some interesting comments …
http://www.schneier.com/blog/archives/2007/10/merchants_not_s.html
By Michael Dahn on Oct 16, 2007
@DAG thank you for the note, and you’ve made some good points in the comments on Schneier’s blog as well. I’ve updated the post to include a link to his site.
By Bryan Johnson on Oct 25, 2007
I come from the payment processing side of the equation and am interested in learning if someone could shed some light on what the time and cost would be for both retailers and the processing networks (acquirers, issuers, etc.) to implement the necessary changes to accommodate the NRF proposal. While the accommodation of the NRF proposal would require that retailers spend time and money updating their systems, I would imagine the ROI would be substantial for them in the long run. At the same time, the acquirers and issuing banks would be incurring a lot of additional costs and risk.
By Kaye on Mar 3, 2008
To Bryan Johnson: what risk exactly? If it’s a question of the merchant finding the transaction, surely the date, last 4 or 5 digits of PAN, exp date, auth code, and sometimes a “transaction ID” are sufficient for the merchant to find the transaction. Excuse my lack of knowledge on this, but is there other risk? Perhaps the transaction is not proved up to the card holder unless the whole card # is present?