Should Chains Still Use Payment Card Data For CRM?
Written by Evan Schuman

For decades, major retail chains have used payment card data for purposes beyond processing transactions, most often as a convenient customer identifier for CRM and purchase-history tracking. The practice was never considered ideal, but retailers adopted it as a matter of pragmatism, much as universities and many businesses have historically used Social Security numbers to identify customers, even though they were never supposed to.
But in recent years, PCI advocates—especially the card brand executives—have discouraged the practice, arguing that the safest process is to use payment card numbers to process a payment and to then delete it as quickly as possible. Having those numbers lying around—especially spread into marketing and sales departments—was simply increasing the chance that someone unauthorized could access the data.
This week, Lord & Taylor officials, describing a new CRM program, said that they’ve been using card data for CRM purposes and still do. Lord & Taylor is far from alone. But is the practice banned by PCI? Not quite.
Even though numerous discussion panels and speeches have been used to discourage the approach, there’s nothing in the current PCI 1.2 that even addresses—let alone bans—using card data for efforts beyond card processing. Section 7.1 comes closest, but it’s not very close at all: “Limit access to system components and cardholder data to only those individuals whose job requires such access.”
If a chain is using the card numbers for CRM, that’s a legitimate business need and marketing people would in fact be “individuals whose job requires such access.”
When pushed for a clarification, the PCI Council issued the following comment: “The PCI SSC encourages any retailer to evaluate their environment and use the motto, ‘If you don’t need it, don’t store it.’ The decision to retain is beyond the scope of both the Standard as well as the SSC, although we discourage unnecessary storage.” Fair enough, but it doesn’t define unnecessary storage, leaving the CRM usage unclear.
Upon request for further clarification, PCI spokesperson Melissa Zandman took a half-inch step: “The Council does discourage the retention of cardholder data. The issue of retention falls to the card brands, though, because the Council cannot monitor this, and this practice falls under the rules and regulations of payment brands (compliance issues), which is a card brand issue. If a merchant does decide to store card data, the Council sees this as a responsibility that the merchant should recognize.”
Visa on Friday (Aug. 18) issued its own statement explaining its position, which seems to explicitly forbid using Visa card data for anything other than transactions.
“Visa allows the use of the card account number for card transactions and fraud management. Account numbers should not be used for purposes other than card acceptance, which also includes returns and disputes,” the Visa statement said.
It also said that all of the data “stored, processed or transmitted must be protected according to PCI DSS requirements,” which seems confusing given that the PCI Council itself said retention was a card brand issue and not a PCI issue.
But Visa did take the opportunity to plug one form of tokenization. “Consistent with its encouragement of eliminating card data wherever possible, Visa’s processing supports the use of transaction IDs in place of account numbers.”
MasterCard did not respond to a request for a clarification of its policies.
Avivah Litan, the security guru for Gartner, said the choice of retailers to retain this data is often more of a financial budget issue than a security concern.
“The PCI standard does not prohibit any use of PANs. It just enforces their protection, which seems like a reasonable approach in an often unreasonable process,” Litan said. “Some two to three years ago, many Level 1 retailers undertook a cost/benefit analysis that compared the continuation of using card numbers (i.e., PANs) as the key to their loyalty systems and encrypting that data vs. replacing the card numbers with another identifier for the loyalty system. At that time, many concluded that it’s less expensive to encrypt the data than replace it.”
But today’s economy is changing that analysis, she said. “In the past year, most Level 1 retailers (and others) have concluded that PCI compliance is a never-ending moving target and that it’s therefore much more cost effective to limit the scope of the compliance audit by limiting the use and storage of card numbers as much as possible,” Litan said. “So it’s a little hard to understand why Lord and Taylor is continuing to proliferate card numbers throughout its systems and processes by keeping them as a key (datapoint) for their customer loyalty systems. It must be that they are very short on security-related budget and just can’t undertake a major rework of their loyalty system at this time. Frankly, I can understand that, especially in light of today’s retail climate.”
Even if an explicit edict were issued tomorrow, the data today is spread across so many databases in so many departments that it would likely take years to have it all removed. And with card expiration dates being extended further out, that means a lot of risky, still-active numbers sitting in relatively unsecured databases for a very long time.
September 17th, 2009 at 11:04 am
All the more reason for businesses to strongly consider format-preserving tokenization of confidential data at time of capture. The token representation of the value is no longer considered confidential data and maintains a one-to-one relationship with the original value. Business units are then free to perform any analysis they wish on the data without having the need to protect it. Protection and controls can be focused on the resulting “vault” environment where the encrypted original values are stored, referenced by the token, of course.