NRF and Other Retail Groups Gang Up On PCI, Demand More Reasonable Rules
Written by Evan SchumanRepresentatives of seven of the largest retailer organizations sent a strongly-worded letter to the PCI Council on Tuesday (June 9), asking officially for several major changes to PCI to make compliance an easier goal. The PCI council issued a response, which pretty much amounted to “we like feedback. Have a nice day.”
The letter to the council supported an end-to-end-encryption standard, sought more input from retailers at an earlier stage, asked for larger chains to be given more time to implement new PCI requirements, wanted there to be a list of the most important elements that really need to be done (rather than insisting on compliance with every one of the “more than two hundred detailed requirements of the PCI DSS”) and called for allowing retailers to store fewer pieces of sensitive data.
The letter was written to Bob Russo, general manager of the PCI Security Standards Council, and was signed by National Retail Federation CIO Dave Hogan, National Restaurant Association CEO Dawn Sweeney, Merchant Advisory Group CEO Dodd Roberts, American Hotel & Lodging Association CEO Joe McInerney, International Franchise Association CEO Matthew Shay, National Council of Chain Restaurants President Jack Whipple and the Association for Convenience & Petroleum Retailing CEO Henry Ogden Armour. The letter was cc’ed to American Express CEO Kenneth Chenault, Discover Financial Services CEO David Nelms, Visa CEO Joseph Saunders, MasterCard CEO Robert Selander and JCB CEO Tamio Takakura.
“It is becoming increasingly difficult for our members to comply with the program’s requirements in a cost effective and timely manner, especially in this difficult economic climate,” the letter said. “Today, most of the risk and financial burden for operating in compliance with PCI DSS is borne by the merchants, our members. Yet, the credit card companies and banks realize significant revenue from the credit card transactions from our members’ businesses.”
“Incorporate a formal review and comment phase on revisions to the PCI DSS by participating membership before they are issued. We suggest that the PCI SSC adopt a similar process for writing standards in an open environment as is used by Accredited Standards Committee X9 (ASC X9),” the letter said. “As ASC X9 also maintains data security standards, we recommend the PCI SSC partner with them in an effort to create a single standard that could be used by all.”
The request for more time pointed to the needs of both large merchants—who have a lot more to change—and smaller chains, which have far fewer dollars.
“Ensure the amount of time from issuance of a revision to the PCI DSS and the effective date is appropriate for all merchants, including Level-1 merchants making enterprise-wide changes, based on the revisions that are being implemented, as well as small operators without the resources to readily comply,” the letter said. “Along with this, we request that the sunset date of version 1.1 of the PCI DSS be extended to December 31, 2009.”
-Marc
June 11th, 2009 at 6:26 am
Is it just me, or does the fact that retailers are going through this compliance stuff with PCI give rise to the hope that they may be more understanding of their suppliers? When each retailer provides their suppliers with the equivalent of a quarter-sized PCI compliance requirement in their vendor compliance guides, how can they hope for success?
Imagine being a supplier who receives a vendor compliance guide from 20 different retailers – with about 5% of the compliance penalties being the same across all the retailers (which is accurate based on an RCC study from a couple years ago). Maybe retailers will consider more strategic supply chain-oriented metrics for, rather than tactical departmentally-based means of, driving supply chain success.
June 11th, 2009 at 8:44 am
I think this letter shows how out of touch the NRF really is with PCI. I just looked at the PCI web site and it clearly list that the feedback period starts July 1sy of this year and the new standard will not be released until October 2010. How much more feedback does NRF think that retailers need?
I also don’t find anything in the current PCI DSS v1.2 that says you can’t use end-to-end encryption. The PCI standard is a minimum baseline for information security. If retailers want to do more and implement end-to-end encryption I don’t see anything stopping them. Do they really want PCI to require every merchant and service provider to implement end-to-end encryption? Think of the cost and time to implement that!
Lastly, why does the NRF continue to say that PCI requires retailers to store cardholder data? The standard is very clear about not storing data that is not needed, having a defined retention period, and rendering data that you do store unreadable. I personally can’t find anything in the PCI DSS v1.2 that says they must store cardholder data.
I think this group should be more informed and read the PCI standard before they attack it.
June 11th, 2009 at 9:51 am
The sadness of this is that the standards are fair and somewhat basic to common sense. It just goes to prove that greed and laziness are the two most important things in American business today.
Peace
June 11th, 2009 at 10:16 am
PCIJeff says: “I think this group should be more informed and read the PCI standard before they attack it.”
You may want to reread the points and then dig a little further to understand the whole process before throwing this out. I think you will find that there is so much more to this whole mess than just the current version of PCI-DSS.
Their point about credit card retention is simple (by the way, if you read the article they never said that PCI requires the retention): credit card companies and banks require the merchants to keep the card number in a retrievable format *if* the company ever wants to win a payment dispute. This isn’t a PCI-point, it’s part of the agreement between the cc companies/banks and the merchant. Rather than insisting that the PAN and expiry date and name be stored, give the retailers the option of using other identifiers. In other words, they are suggesting that PCI build in a requirement that the banks/issuers have to live by as well. If they did this very few retailers would actually opt to keep the cc data at all. Most don’t do it for fun, they do it to protect themselves from chargebacks/disputes etc because they have no other option. I believe someone recently told congress that PCI-DSS was not much more than an elegant patch for a broken system. This is why.
June 11th, 2009 at 11:36 am
Sparky – Here is what the letter says…
Require credit card companies and their banks to provide merchants with the option of keeping
nothing more than the authorization code provided at the time of sale and a truncated receipt,
rather than requiring merchants to store credit card information for dispute resolution, putting
customers at unnecessary risk.
The PCI Council does not dictate to the credit card companies what there rules should be. This should have been in a letter to the credit card companies not the PCI Council.
June 11th, 2009 at 2:44 pm
Jeff,
The PCI council was assembled by and represents the Payment Card Industry, who is made up of the credit card companies, and who was put together to represent the credit card companies in matters of security. It certainly seems like a reasonable point of contact to me.
Would you rather the individual members of the NRF speak to each and every bank, and hope a solid standard emerges from the chaos? I should think that collective discussion in a single forum would be more productive.
June 11th, 2009 at 3:25 pm
The majority of the PCI program is no longer needed, not since the “Safe Harbor” provisions were eliminated. The card companies can simply replace PCI *requirements* with the following statement:
“Notice: You are responsible for any and all costs caused by a data security violation of your transaction processing systems. Merchants are required to obtain certification from a qualified data security professional stating that the merchant’s transaction processing systems provide adequate data security. Recommended data security guidelines and a list of data security professionals who have been trained in them can be found on the PCI SSC web site.”
The end result of the above approach would be identical to what we have today, but it would eliminate all the hysteria about “achieving” and “maintaining” the mythical and elusive “PCI compliance,” which is completely unnecessary since merchants who are breached will be held responsible for costs and fined anyway (just ask Heartland).