Who should store data, stores or credit card companies?
NEW YORK (Reuters) - A battle between U.S. retailers and credit card companies heated up this week when a retail trade group pushed to have card companies store consumers' sensitive credit card data, relieving merchants of the job.
The National Retail Federation said in a letter to the Payment Card Industry Security Standards Council that to thwart credit card fraud, "the ultimate solution is to stop requiring merchants to store card data in the first place."
The council, formed by five major credit card companies, sets and implements security standards to protect account data.
Retailers typically store consumers' credit card details for between one year and 18 months in case of product returns, refunds or transaction queries.
But theft of millions of U.S. consumers' data has opened a debate on who should take on responsibility for storing such sensitive details.
Retailers have poured millions of dollars into protecting credit card data but theft continues. "We build higher walls, and the criminals are building taller ladders," said David Hogan, NRF's Chief Information Officer.
NRF's letter comes in the wake of data thefts at retailers like TJX Cos Inc (TJX.N), which said in March that information from 45.7 million credit and debit cards was stolen over 18 months; shoe retailer DSW Inc (DSW.N), which reported data theft from more than a million cards in 2005; and BJ's Wholesale Club (BJ.N), which had a similar incident in 2004.
RESPONSIBILITY
American Express said it was necessary for retailers to retain a certain amount of transaction-related data to deal with charge disputes.
"American Express believes every business in the payment processing lifecycle has a responsibility for protecting account data," the company said in an e-mailed statement.
MasterCard said there was no rule that a retailer must retain transaction data, and called NRF's claims "inaccurate" and "unjustified."
"A merchant may choose to store no cardholder data at all based on their own risk assessments and individual approaches to managing data storage according to their own business needs," MasterCard said in a statement.
The Payment Card Industry security standards, which set requirements for secure storage, processing and transmission of credit card data, were partly the result of credit card companies trying to pass the buck to retailers, said Stacy Janiak, vice chairman of retail at Deloitte & Touche.
Still, it was a "no-brainer" that card companies should bear the onus of guarding consumers' credit data, said Randy Abrams, director of technical education at ESET, a security firm.
"They do have the resources to properly secure the data, whereas millions and millions of small merchants ... don't have that kind of expertise," Abrams said.


