Thus far, we've seen legislation introduced to hold retailers responsible and calls for PCI data security standards. Legislation has been passed in Minnesota and is awaiting Governor Schwarzenegger's signature in California.
In any disagreement, there are two sides to a story -- and now the National Retail Federation (NRF) is bringing up what I consider is a valid point -- which is if they weren't required to store all this information, it would be harder to steal.
Under current rules, they are required to maintain too much information for 18 months, or face what are known as chargebacks.
Chargebacks are when a customer requests a refund from their card issuer, normally because of fraud. Please note that some dishonest customers claim fraud, when it never occurred. Additionally, the payment card industry sets the due diligence standards when accepting their cards and actively promotes their use.
The bottom line is -- merchants can accept payments, follow all the rules, and if they can't provide the required information -- they get charged for it, anyway.
With all the fraud that results from payment cards, this could get pretty expensive for a retailer, if they fail to control it.
Saying all this, we need to consider the bigger picture, which is the best way to protect data is to limit how many places it is being stored. This principle should be considered in a lot of other places besides retailers, also.
Mark Jewell of the AP is reporting:
The National Retail Federation on Thursday urged a card industry organization to stop requiring retailers to keep customers' card numbers for up to 18 months.In the article, Mr. Hogan brings up the very reason that retailers have been holding on to what some consider, too much information:
The stored data helps track product returns and disputed or suspicious transactions. But retailers say the data would be more secure if only credit card companies and banks that issue the cards stored it.
"It makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," David Hogan, the retail federation's chief information officer, said in a strongly worded letter.
Hogan said in an interview that retailers routinely hold onto information because credit card companies ask them to produce data from transactions as old as 18 months to verify product returns and protect against fraud. If retailers can't produce data showing the product was legitimately purchased, they can end up reimbursing banks and card companies, Hogan said.Only 44 percent of large retailers are now PCI compliant. This month, the larger retailer's banks will start facing fines for failing to become compliant. Banks that service medium size retailers will start facing fines in January.
This doesn't even take into account smaller merchants, who often are victimized the most by fraud, and chargebacks.
In case you don't understand how chargebacks can be a burden to a merchant, I've included a YouTube video at the bottom of this post, where a small merchant rants about chargebacks from PayPal.
The frustration expressed in this video is the same one felt by a lot of merchants (retailers).
The basic issue in all this is who will end up paying for it. Since no business remains solvent if they are losing money, the costs are going to end up being passed on to the consumer.
So far as the NRF's point, I think it is entirely valid. If retailers didn't have to store all this data, it would be one less place, where criminals could access it.
After all, while data breaches at retailers have gotten a lot of attention recently, they are not the only place they are occurring.
If you are interested in seeing what I mean by this the Privacy Rights Clearinghouse, PogoWasRight and Attrition.org all try to keep track of as many of them as they can.
All of them will tell you that their efforts only document the known breaches. There are probably many more that no one knows about -- and the last I heard -- the criminals behind them keep this a closely guarded secret.
After all, disclosure of a data breach impacts their bottom lines, also.
My personal solution is for everyone to get together and go after the real people behind this problem, or the criminals. Everyone would benefit from this!
My guess is they (the criminals) could care less, who ends up paying for all the damage they are causing.
AP story, here.
National Retail Federation (NRF) press release, here.
Here is the YouTube video (mentioned above), which reflects a small merchant's frustrations with the chargeback process. Please note that smaller merchants are bound to have a stake in what becomes of this controversy, also.
(YouTube video courtesy of Terry)