Should Chains Still Use Payment Card Data For CRM?

Written by Evan Schuman
September 16th, 2009

For decades, major retail chains have always used payment card data for various purposes beyond processing transactions, often as a practical customer identification means, typically for CRM and purchase history purposes. Although it has never been considered ideal, retailers did it as a matter of pragmatism, in the same way that universities and many businesses have historically used Social Security numbers to identify customers, even though they were never supposed to.

But in recent years, PCI advocates—especially the card brand executives—have discouraged the practice, arguing that the safest process is to use payment card numbers to process a payment and to then delete it as quickly as possible. Having those numbers lying around—especially spread into marketing and sales departments—was simply increasing the chance that someone unauthorized could access the data.

This week, Lord & Taylor officials, describing a new CRM program, said that they’ve been using card data for CRM purposes and still do. Lord & Taylor is far from alone. But is the practice banned by PCI? Not quite.

Even though numerous discussion panels and speeches have been used to discourage the approach, there’s nothing in the current PCI 1.2 that even addresses—let alone bans—using card data for efforts beyond card processing. Section 7.1 comes closest, but it’s not very close at all: “Limit access to system components and cardholder data to only those individuals whose job requires such access.”

If a chain is using the card numbers for CRM, that’s a legitimate business need and marketing people would in fact be “individuals whose job requires such access.”

When pushed for a clarification, the PCI Council issued the following comment: “The PCI SSC encourages any retailer to evaluate their environment and use the motto, ‘If you don’t need it, don’t store it.’ The decision to retain is beyond the scope of both the Standard as well as the SSC, although we discourage unnecessary storage.” Fair enough, but it doesn’t define unnecessary storage, leaving the CRM usage unclear.

Upon request for further clarification, PCI spokesperson Melissa Zandman took a half-inch step: “The Council does discourage the retention of cardholder data. The issue of retention falls to the card brands, though, because the Council cannot monitor this, and this practice falls under the rules and regulations of payment brands (compliance issues), which is a card brand issue. If a merchant does decide to store card data, the Council sees this as a responsibility that the merchant should recognize.”

Visa on Friday (Aug. 18) issued its own statement explaining its position, which seems to explicitly forbid using Visa card data for anything other than transactions.

“Visa allows the use of the card account number for card transactions and fraud management. Account numbers should not be used for purposes other than card acceptance, which also includes returns and disputes,” the Visa statement said.

It also said that all of the data “stored, processed or transmitted must be protected according to PCI DSS requirements,” which seems confusing given that PCI itself said it was a brand—and not a PCI—issue.

But Visa did take the opportunity to plug one form of tokenization. “Consistent with its encouragement of eliminating card data wherever possible, Visa’s processing supports the use of transaction IDs in place of account numbers.”

MasterCard did not respond to a request for a clarification of its policies.

Avivah Litan, the security guru for Gartner, said the choice of retailers to retain this data is often more of a financial budget issue than a security concern.

“The PCI standard does not prohibit any use of PANs. It just enforces their protection, which seems like a reasonable approach in an often unreasonable process,” Litan said. “Some two to three years ago, many Level 1 retailers undertook a cost/benefit analysis that compared the continuation of using card numbers (i.e., PANs) as the key to their loyalty systems and encrypting that data vs. replacing the card numbers with another identifier for the loyalty system. At that time, many concluded that it’s less expensive to encrypt the data than replace it.”

But today’s economy is changing that analysis, she said. “In the past year, most Level 1 retailers (and others) have concluded that PCI compliance is a never-ending moving target and that it’s therefore much more cost effective to limit the scope of the compliance audit by limiting the use and storage of card numbers as much as possible,” Litan said. “So it’s a little hard to understand why Lord and Taylor is continuing to proliferate card numbers throughout its systems and processes by keeping them as a key (datapoint) for their customer loyalty systems. It must be that they are very short on security-related budget and just can’t undertake a major rework of their loyalty system at this time. Frankly, I can understand that, especially in light of today’s retail climate.”

Even if an explicit edict were issued tomorrow, the data today is so extensively intermixed with so many databases in so many departments that it would likely take years to have it all removed. And with card expiration dates being extended farther out, that’s going to mean a lot of risky—and active—numbers sitting around in relatively unsecured databases for a very long time.


One Comment

  1. Brian Grafsgaard Says:

    All the more reason for businesses to strongly consider format-preserving tokenization of confidential data at time of capture. The token representation of the value is no longer considered confidential data and maintains a one-to-one relationship with the original value. Business units are then free to perform any analysis they wish on the data without having the need to protect it. Protection and controls can be focused on the resulting “vault” environment where the encrypted original values are stored, referenced by the token, of course.
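
The capture-time tokenization the comment describes, as an added illustration that is not code from the article, the commenter or any vendor product: a hypothetical vault hands marketing a format-preserving token (same length, same first 6 and last 4, random middle, deliberately failing Luhn) that maps one-to-one to the PAN, while only the vault can reverse it. The index key and the test PAN 4111111111111111 are constructed values.

```python
import hashlib
import hmac
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical format-preserving token vault (constructed for this example).
    Tokens keep the PAN's length, first 6 and last 4 digits so CRM tables need no
    schema change; the middle digits are random, so a token cannot be reversed
    without the vault. A production vault would also encrypt stored PANs at rest
    and log every detokenize() call; that is left out to keep the focus on the split."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_mac = {}  # HMAC(PAN) -> token: one PAN always gets one token
        self._pan_by_token = {}  # token -> PAN: the only place this mapping exists

    def _mac(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        mac = self._mac(pan)
        if mac in self._token_by_mac:  # repeat capture: reuse the existing token
            return self._token_by_mac[mac]
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # tokens must fail Luhn (never mistakable for a live card) and be unique
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_mac[mac] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, a small tightly controlled PCI scope, can reverse a token."""
        return self._pan_by_token[token]
```

Because the same PAN always yields the same token, a loyalty system can key on the token exactly as it keyed on the PAN, and the CRM databases drop out of the cardholder-data environment.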

