Retail group takes a swipe at PCI, puts card companies 'on notice'

185466 Resource 183005 183122 183122 1191627386512 1191790172337 Controlled NRF Resists PCI Compliance Requirements

The National Retail Federation (NRF) resisting current PCI compliance requirements

The PCI compliance debate is heating up between the NRF (National Retail Federation) and the credit card companies.  In a letter to the PCI Security Standards Council, the <a title="Retail group takes a swipe at PCI, puts card companies 'on notice'" href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040958&pageNumber=1" target="_blank">CIO of the NRF, David Hogan, asked credit card companies to stop forcing retailers to store payment card data</a>.  According to Hogan, retailers must “jump through hoops to create an impenetrable fortress” to protect card data.  Hogan goes on to make some interesting arguments about credit card information and privacy, such as <a title="Retain lobby offers alternative to PCI standard" href="http://www.scmagazineus.com/Retail-lobby-offers-alternative-to-PCI-standard/article/35984/" target="_blank">“... if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store data in the first place."</a>   He is proposing a plan in which credit card companies would allow merchants to only store authorization codes and a truncated, or shortened, receipt of the sale. This would save them time and money associated with complex requirements such as encryption.   This is a great idea and one worthy of creating an entirely new market and/or business.  If I could store a digital authorization that would work only with a certain vendor for a certain period of time, I'd sign up immediately.  No longer would I need to provide my credit card or bank account number for recurring payments.  Instead, I could potentially create specific authorizations through my online banking account and use it for online transactions.   So, why are we not moving to such a model?  Even though the technology to do this is available, this requires, in Hogan's own words, "... <a title="Retain group takes a swipe at PCI, puts card companies 'on notice'" href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040958&pageNumber=1" target="_blank">a very fundamental shift</a>”.  I concur because training hundreds of millions of users to digital authorization codes instead of credit cards is not something that can be accomplished overnight.  Even if a large vendor like RSA decides to push this aggressively, we are still looking at a few years for such a vision to become reality.  So, David Hogan, how are you planning to protect my credit card information until then?   Please note: most regulatory initiatives are met with resistance from the affected parties.  Such a reaction is natural because of the high cost involved in becoming compliant and the fact becoming compliant does not contribute to any bottom line growth.  However, most regulatory initiatives have resulted in better governance and processes in the long-term and even though the results may not be tangible, they are by no means insignificant.  by Raj Rajamani, Product Management <a href="mailto:Raj@solidcore.com">Raj@solidcore.com</a> 9 application/xml false NRF PCI compliance PCI compliance requirements Retail group takes a swipe at PCI, puts card companies 'on notice' Stop forcing retailers to store payment card data, it warns card companies http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9040958&pageNumber=1 Retail lobby offers alternative to PCI standard SC Magazine article on an alternative to the PCI standard from the retail lobby http://www.scmagazineus.com/Retail-lobby-offers-alternative-to-PCI-standard/article/35984/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) 127.0.0.1 127.0.0.1 erinswanson false true false false true 183020 false false true false false false true 183005 blog blogsite/SolidCore/web