Retailers or Creditors? Who Should Be Responsible for Storing Customer Data?
There is a dispute erupting now between retailers and credit card companies over who should store customer data. As Tech Watch reports:
Yesterday the National Retail Federation publicly blasted the Payment Card Industry Data Security Standard, issuing a statement that pushes the responsibility for the storage of sensitive customer data back on the card issuers themselves, the very same authors and enforcers of the mandate.
For those of you unfamiliar with PCI, it’s the data-handling regulation cooked up by the financial institutions that issue credit and debit cards (AMEX, Visa and MasterCard for starters) that requires anyone who processes their plastic to get their IT security systems up to snuff to prevent more leakage incidents like the one experienced by TJX Companies.
“With this letter, we are officially putting the credit card industry on notice,” said NRF CIO David Hogan in the missive. “Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.”
According to NRF, credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy “card company retrieval requests.”
If retailers were given the choice to end the process of storing such customer data, they could lower their own risk and ensure greater consumer security, according to Hogan.
Strong words, but one has to wonder why the NRF hasn’t been making noise about PCI sooner.

