NRF to Credit Card Companies: Let Retailers Dump the Data

Citing concern over data breaches, the National Retail Federation today sent a letter to the Payment Card Industry (PCI) Security Standards Council requesting changes in how the credit card industry requires merchants to store credit card data.

"All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud," says NRF Chief Information Officer David Hogan in the letter. "But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place."

Credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. According to NRF, retailers should have a choice as to whether or not they want to store credit card numbers at all.

Hogan's letter states that credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring that merchants keep reams of data for an extended period of time, putting retail customers at unnecessary risk.

"If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished," says Hogan. "The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

The letter outlines the retail industry's commitment to PCI compliance while addressing the issue.

"We believe this is the most effective and efficient approach to protecting credit card data and preventing a continuation of the data breaches that have been seen in recent years. If the PCI Security Standards Council is willing to solve this problem, NRF and its members stand ready to work with you to help you protect the nation's consumers from the growing threat of credit card fraud," Hogan's letter concludes.

A full version of the letter is at