The PCI compliance debate is heating up between the NRF (National Retail Federation) and the credit card companies. In a letter to the PCI Security Standards Council, the CIO of the NRF, David Hogan, asked credit card companies to stop forcing retailers to store payment card data. According to Hogan, retailers must "jump through hoops to create an impenetrable fortress" to protect card data. Hogan goes on to make some interesting arguments about credit card information and privacy, such as: "... if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store data in the first place." He is proposing a plan in which credit card companies would allow merchants to store only authorization codes and a truncated (shortened) receipt of the sale. This would save merchants the time and money associated with complex requirements such as encryption.

This is a great idea, and one worthy of creating an entirely new market and/or business. If I could store a digital authorization that would work only with a certain vendor for a certain period of time, I'd sign up immediately. No longer would I need to provide my credit card or bank account number for recurring payments. Instead, I could potentially create specific authorizations through my online banking account and use them for online transactions.

So why are we not moving to such a model? Even though the technology to do this is available, it requires, in Hogan's own words, "... a very fundamental shift." I concur, because training hundreds of millions of users to use digital authorization codes instead of credit cards is not something that can be accomplished overnight. Even if a large vendor like RSA decides to push this aggressively, we are still looking at a few years before such a vision becomes reality. So, David Hogan, how are you planning to protect my credit card information until then?
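The vendor-bound, time-limited authorization sketched above can be modelled in a few dozen lines. The Python below is an added example, not code from the original post, the NRF or Solidcore: the issuer (card company or bank) keeps the full card number in its own vault and hands the merchant an opaque token that is HMAC-bound to one merchant ID and one validity window, while the merchant stores only that token plus a truncated receipt. The issuer key, the merchant identifiers, the card number and the token format are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

# Hypothetical issuer-side secret, constructed for this example. In a real deployment it
# would live in the card company's HSM and never be visible to any merchant.
ISSUER_KEY = secrets.token_bytes(32)


def truncate_pan(pan: str) -> str:
    """Return the 'truncated receipt' form of a card number: only the last four digits survive."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Authorization:
    """What the merchant is allowed to keep. Nothing here reveals the card number."""
    token_id: str      # random identifier, meaningful only inside the issuer's vault
    merchant_id: str   # the one vendor permitted to redeem this authorization
    valid_from: int    # validity window, unix seconds
    valid_until: int
    mac: str           # issuer HMAC binding the fields above together

    def as_string(self) -> str:
        return "|".join([self.token_id, self.merchant_id,
                         str(self.valid_from), str(self.valid_until), self.mac])

    @classmethod
    def from_string(cls, s: str) -> "Authorization":
        token_id, merchant_id, valid_from, valid_until, mac = s.split("|")
        return cls(token_id, merchant_id, int(valid_from), int(valid_until), mac)


class Issuer:
    """Hypothetical card company side: owns the key and the PAN vault."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._vault: dict[str, str] = {}  # token_id -> full PAN, never leaves the issuer

    def _mac(self, token_id: str, merchant_id: str, valid_from: int, valid_until: int) -> str:
        msg = f"{token_id}|{merchant_id}|{valid_from}|{valid_until}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, pan: str, merchant_id: str, valid_from: int, valid_until: int) -> Authorization:
        """Cardholder asks the issuer for an authorization scoped to one merchant and one window."""
        token_id = secrets.token_hex(16)
        self._vault[token_id] = pan
        return Authorization(token_id, merchant_id, valid_from, valid_until,
                             self._mac(token_id, merchant_id, valid_from, valid_until))

    def redeem(self, auth: Authorization, presenting_merchant: str, now: int) -> tuple[bool, str]:
        """Merchant presents the stored token to charge the card. Reusable within the window,
        so it also covers recurring payments; the issuer decides, the merchant never sees the PAN."""
        expected = self._mac(auth.token_id, auth.merchant_id, auth.valid_from, auth.valid_until)
        if not hmac.compare_digest(expected, auth.mac):
            return False, "bad mac"               # fields were altered after issuance
        if presenting_merchant != auth.merchant_id:
            return False, "wrong merchant"        # token leaked to or replayed by another vendor
        if not (auth.valid_from <= now <= auth.valid_until):
            return False, "outside validity window"
        if auth.token_id not in self._vault:
            return False, "unknown token"
        return True, "approved"


def merchant_record(auth: Authorization, pan: str, amount: float) -> dict:
    """The only thing the merchant persists: token string, truncated receipt and amount."""
    return {"authorization": auth.as_string(), "receipt": truncate_pan(pan), "amount": amount}


def tamper_with_merchant(auth: Authorization, new_merchant: str) -> Authorization:
    """Rebind a stored token to a different merchant without the issuer key (should fail to redeem)."""
    return replace(auth, merchant_id=new_merchant)


if __name__ == "__main__":
    issuer = Issuer(ISSUER_KEY)
    card = "4111111111111111"  # constructed test number, not a real account
    auth = issuer.issue(card, "merchant-A", valid_from=1_000, valid_until=2_000)
    stored = merchant_record(auth, card, 19.99)
    print("merchant stores:", stored)
    print("merchant-A in window:", issuer.redeem(Authorization.from_string(stored["authorization"]), "merchant-A", 1_500))
    print("merchant-B in window:", issuer.redeem(auth, "merchant-B", 1_500))
    print("merchant-A after expiry:", issuer.redeem(auth, "merchant-A", 2_500))
    print("rebound token:", issuer.redeem(tamper_with_merchant(auth, "merchant-B"), "merchant-B", 1_500))
```

The point of the layout is that a breach of the merchant's database yields tokens that only work for that merchant, only for a bounded time, and only while the issuer still honours them; the card number itself is never in the merchant's hands, so the "impenetrable fortress" the PCI rules demand has far less to protect.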
Please note: most regulatory initiatives are met with resistance from the affected parties. Such a reaction is natural because of the high cost involved in becoming compliant and the fact that becoming compliant does not contribute to any bottom-line growth. However, most regulatory initiatives have resulted in better governance and processes in the long term, and even though the results may not be tangible, they are by no means insignificant.

by Raj Rajamani, Product Management, Raj@solidcore.com