Evan Schuman's StorefrontBacktalk

Are retailers locked into a credit card number habit? A recent proposal to allow merchants to not have to save those numbers is bringing to light how those numbers are being used in many ways beyond charging products.

Major retailers, just like any large business, do not like being told by partners what they can and can’t do. But when the credit cards told merchants that they must retain credit card information to deal with returns and chargebacks and the like, they balked, but agreed.

Like any good business, they tried taking an unpleasant requirement and turning it into a business advantage. Consider suppliers being forced to use RFID who then use it to better track their own product movement or E-tailers who reluctantly comply with accessibility rules and then discover that it costs them less in programming and development and their pages load faster.

Retailers started using the credit card numbers to identify purchases with specific consumers, given that they had to store them anyway. It turned out to be a convenient link into CRM systems, especially for customers who weren’t using the traditional retailer-issued loyalty card.

On the E-Commerce front, some (relatively few, but some) online merchants were using the mandatory credit card retention to allow customers to make purchases more quickly.

This has been going on for quite a few years. A relatively logical proposal floated by a major industry group is now threatening to rock the credit card boat, potentially exposing just how much retailers are now addicted to plastic numbers.

Last week, the National Retail Federation formally launched its campaign to get credit card companies to permit retailers to not store credit card numbers.

The move was masterminded by NRF’s CIO, Dave Hogan, who has floated this idea to the industry for months. (I remember him eloquently and passionately making his case for changing how credit cards are dealt with about two months ago, as I listened to him on a cellphone at a Toyota dealership, thinking this was one of the more surrealistic things to listen to while getting a cardoor rehinged.)

Hogan’s idea, in its simplest form, is that retailers stop being required to save credit card information. If the credit card firms want it saved, they are quite free to save it themselves. After all, Hogan argued, "it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

Indeed, it does make sense. But Hogan’s idea, while alluring and almost seductive (in an ultrageek-like data protection way), has several logistical roadblocks.

For example, at best, the Hogan proposal could sharply minimize how long the sensitive credit card data is in the retailer’s system, but it’s not likely to eliminate it. For magstripe cards (contactless is a different situation), the numbers are going to be seen by the store employee (who is always the biggest security weakpoint) and will then be almost certainly entered into the retailer’s system, enroute to a processor for approval.

Even if the number is dumped the instant the verification number comes back, it’s still there long enough to be sniffed or captured by a Trojan Horse. Indeed, that’s one of the things that TJX said happened to them.

A contactless card could bypass the cashier, which helps a little. But to bypass the retailer’s network entirely would require either a third-party service or to have the processors or the card companies install their own devices at the Point of Sale.

That’s clearly a dramatic—and incredibly expensive—move by quite a few players in the payment space. Less dramatic approaches would upgrading security to protect that small window of vulnerability or to all-but-eliminate them.

That gets us into the other reality issues surrounding this kind of payment procedure change. Few retailers handle their own payment process. So even if a major retailer made a decision to not store card numbers any more, they would likely need their POS vendor and various other technology partners to upgrade to handle the change.

Prat Moghe, founder of data auditing vendor Tizor and a member of the PCI Security Vendor Alliance, estimated that it could take five years to make such a change with a large retail chain, at which the move might be silly because of other unknown changes that will impact the payment world of early 2013.

Even if Moghe’s five-year might be exaggerated, his point that these things take a lot of time is a fair one.

Another strong Moghe point is that credit card data—while essential—is a very small part of the confidential consumer data that the average large retailer retains. His take is that, even if successful, this kind of a credit card process change wouldn’t improve retail data protection as much it might initially seem.

Let’s let get to what the proposal is. The proposal is that the card companies back off and stop requiring the retailers to retain the number. If the proposal went a step further and suggested that the PCI rules be changed to explicitly ban a retailer from retaining those numbers, that might change the issue.

If the rule change is merely permitting retailers to do either, the huge headaches associated with this major a change—not to mention the costs—is likely going to cause very few retailers to take advantage of the change. Hence, it could result in a very modest improvement in credit card information security.

But if the rules forbid such data retention, that would force action. Must importantly, it would get POS vendors to make the change, which would quickly migrate to all of retail. It could be similar to Y2K, where even companies who did nothing eventually became Y2K compliant as they upgrade to Y2K-complaint apps.

What has been the reaction of the PCI Council and the major credit cards? Thus far, nothing meaningful, at least not publicly. Privately, PCI Council folk have said that this is really a credit card issue—as opposed to a council issue—which is true.

Credit card companies have not yet reacted strongly, although some have "generously" pointed out that their rules do not technically mandate that a retailer retain these numbers. That’s technically true. If a retailer wants to forfeit the ability to challenge any customer who disputes a charge, they’re free to do so. Surprise, surprise, but retailers aren’t jumping at that offer.

Retailers today say they do generally care about security, but when it comes to spending money or changing procedures, the get pragmatic. "Yes, we care about security, but we’re not fanatics."

The PCI certification—which many retailers have yet to pass—is something that retailers are doing, but they’re pursuing it because they have to. That regrettably results in bare-minimum kind of attitudes, where merchants will do as little as they can to just barely comply to the letter of the requirements.

Consider, for example, the difference between the extensive review processes that surround a typical large software or supplier contract and the one that covers the hiring of a PCI auditor. The contract awards for software or a new line of merchandise to sell can take a year, dozens of meetings and extensive oversight, whereas retailer often select their auditors using evaluation sophistication that’s hardly beyond rock/paper/scissors.

There’s no argument that security procedures surrounding credit card need to be improved and Hogan’s proposal is a very positive step in the right direction. But whether it’s practical and politically palatable is a different issue. The bigger question, though, is whether retailers will make the effort.

Any kind of meaningful change will require some pain, both in terms of investment dollars and a lot of procedural changes. How much will the retail CFO put up with for something that has very little chance to bring in any profits?