The Retail Credit Card Addiction

Written by Evan Schuman
October 7th, 2007

Are retailers locked into a credit card number habit? A recent proposal to allow merchants to not have to save those numbers is bringing to light how those numbers are being used in many ways beyond charging products.

Major retailers, just like any large business, do not like being told by partners what they can and can’t do. But when the credit card companies told merchants that they must retain credit card information to deal with returns, chargebacks and the like, they balked, but agreed.

Like any good business, they tried taking an unpleasant requirement and turning it into a business advantage. Consider suppliers being forced to use RFID who then use it to better track their own product movement or E-tailers who reluctantly comply with accessibility rules and then discover that it costs them less in programming and development and their pages load faster.

Retailers started using the credit card numbers to identify purchases with specific consumers, given that they had to store them anyway. It turned out to be a convenient link into CRM systems, especially for customers who weren’t using the traditional retailer-issued loyalty card.

On the E-Commerce front, some (relatively few, but some) online merchants were using the mandatory credit card retention to allow customers to make purchases more quickly.

This has been going on for quite a few years. A relatively logical proposal floated by a major industry group is now threatening to rock the credit card boat, potentially exposing just how much retailers are now addicted to plastic numbers.

Last week, the National Retail Federation formally launched its campaign to get credit card companies to permit retailers to not store credit card numbers.

The move was masterminded by NRF’s CIO, Dave Hogan, who has floated this idea to the industry for months. (I remember him eloquently and passionately making his case for changing how credit cards are dealt with about two months ago, as I listened to him on a cellphone at a Toyota dealership, thinking this was one of the more surrealistic things to listen to while getting a car door rehinged.)

Hogan’s idea, in its simplest form, is that retailers stop being required to save credit card information. If the credit card firms want it saved, they are quite free to save it themselves. After all, Hogan argued, "it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them."

Indeed, it does make sense. But Hogan’s idea, while alluring and almost seductive (in an ultrageek-like data protection way), has several logistical roadblocks.

For example, at best, the Hogan proposal could sharply minimize how long the sensitive credit card data is in the retailer’s system, but it’s not likely to eliminate it. For magstripe cards (contactless is a different situation), the numbers are going to be seen by the store employee (who is always the biggest security weak point) and will then almost certainly be entered into the retailer’s system, en route to a processor for approval.

Even if the number is dumped the instant the verification number comes back, it’s still there long enough to be sniffed or captured by a Trojan Horse. Indeed, that’s one of the things that TJX said happened to them.
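To make Hogan’s split concrete, here is an added example (not code from the article, the NRF or any vendor it mentions) simulating a card-company-side vault that keeps the PAN and returns an opaque token, while the retailer persists only the token and last four digits yet can still answer a chargeback and link the sale to a customer. Class and function names are hypothetical and the card number is a constructed test value; the PAN still passes through the retailer’s code in transit, which is exactly the window the paragraphs above describe.

```python
import json
import re
import secrets
from dataclasses import dataclass, field

# Assumed pattern for "looks like a card number": 13 to 19 digits (no Luhn check).
PAN_RE = re.compile(r"\b\d{13,19}\b")

class CardCompanyVault:
    """Hypothetical card-company side: the only place the full PAN is retained."""
    def __init__(self):
        self._pan_by_token = {}

    def authorize(self, pan, amount_cents):
        # Approval is stubbed out; what matters is that only an opaque token goes back.
        token = secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def pan_for(self, token):
        return self._pan_by_token.get(token)

@dataclass
class Retailer:
    """Hypothetical retailer: sees the PAN only in transit and persists the token."""
    vault: CardCompanyVault
    sales: list = field(default_factory=list)

    def ring_up(self, pan, amount_cents, customer_id):
        token = self.vault.authorize(pan, amount_cents)
        # last4 covers receipts and CRM matching; the full PAN is never written down.
        self.sales.append({"token": token, "last4": pan[-4:],
                           "amount_cents": amount_cents, "customer_id": customer_id})
        return token

    def dispute(self, token):
        # Chargeback evidence is keyed by token; the card company maps it to the PAN.
        return next((s for s in self.sales if s["token"] == token), None)

    def pans_in_storage(self):
        # Sweep persisted records for anything that still looks like a card number.
        return PAN_RE.findall(json.dumps(self.sales))

def demo():
    vault = CardCompanyVault()
    store = Retailer(vault)
    tok = store.ring_up("4111111111111111", 4999, "C-1042")  # constructed test PAN
    return tok, store, vault
```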

A contactless card could bypass the cashier, which helps a little. But to bypass the retailer’s network entirely would require either a third-party service or to have the processors or the card companies install their own devices at the Point of Sale.

That’s clearly a dramatic—and incredibly expensive—move by quite a few players in the payment space. Less dramatic approaches would involve upgrading security to protect that small window of vulnerability, or to all but eliminate it.

That gets us into the other reality issues surrounding this kind of payment procedure change. Few retailers handle their own payment process. So even if a major retailer made a decision to not store card numbers any more, they would likely need their POS vendor and various other technology partners to upgrade to handle the change.

Prat Moghe, founder of data auditing vendor Tizor and a member of the PCI Security Vendor Alliance, estimated that it could take five years to make such a change with a large retail chain, at which point the move might be silly because of other unknown changes that will impact the payment world of early 2013.

Even if Moghe’s five-year estimate is exaggerated, his point that these things take a lot of time is a fair one.

Another strong Moghe point is that credit card data—while essential—is a very small part of the confidential consumer data that the average large retailer retains. His take is that, even if successful, this kind of credit card process change wouldn’t improve retail data protection as much as it might initially seem.

Let’s get back to what the proposal is. The proposal is that the card companies back off and stop requiring the retailers to retain the number. If the proposal went a step further and suggested that the PCI rules be changed to explicitly ban a retailer from retaining those numbers, that might change the issue.

If the rule change merely permits retailers to do either, the huge headaches associated with a change this major—not to mention the costs—are likely to cause very few retailers to take advantage of it. Hence, it could result in only a very modest improvement in credit card information security.

But if the rules forbid such data retention, that would force action. Most importantly, it would get POS vendors to make the change, which would quickly migrate to all of retail. It could be similar to Y2K, where even companies that did nothing eventually became Y2K compliant as they upgraded to Y2K-compliant apps.

What has been the reaction of the PCI Council and the major credit cards? Thus far, nothing meaningful, at least not publicly. Privately, PCI Council folk have said that this is really a credit card issue—as opposed to a council issue—which is true.

Credit card companies have not yet reacted strongly, although some have "generously" pointed out that their rules do not technically mandate that a retailer retain these numbers. That’s technically true. If a retailer wants to forfeit the ability to challenge any customer who disputes a charge, they’re free to do so. Surprise, surprise, but retailers aren’t jumping at that offer.

Retailers today say they do generally care about security, but when it comes to spending money or changing procedures, they get pragmatic. "Yes, we care about security, but we’re not fanatics."

The PCI certification—which many retailers have yet to pass—is something that retailers are doing, but they’re pursuing it because they have to. That regrettably results in a bare-minimum attitude, where merchants will do as little as they can to just barely comply with the letter of the requirements.

Consider, for example, the difference between the extensive review processes that surround a typical large software or supplier contract and the one that covers the hiring of a PCI auditor. The contract award for software or a new line of merchandise to sell can take a year, dozens of meetings and extensive oversight, whereas retailers often select their auditors using evaluation sophistication that’s hardly beyond rock/paper/scissors.

There’s no argument that the security procedures surrounding credit card data need to be improved, and Hogan’s proposal is a very positive step in the right direction. But whether it’s practical and politically palatable is a different issue. The bigger question, though, is whether retailers will make the effort.

Any kind of meaningful change will require some pain, both in terms of investment dollars and a lot of procedural changes. How much will the retail CFO put up with for something that has very little chance to bring in any profits?


One Comment

  1. vacher Says:

    Hi, I find your article very interesting, because it is a different vision. I made a post about it on my own blog but it is in French.

