The National Retail Federation recently told a congressional panel that security standards imposed on merchants by the credit card industry are only “an elaborate patch,” and that a system in which retailers would not be required to store card numbers would do a better job of protecting consumers against credit card fraud.
“All of us – merchants, banks, credit card companies and our customers – want to eliminate credit card fraud,” NRF Senior Vice President and Chief Information Officer David Hogan said. “But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”
Hogan’s comments came late last month as he testified at a hearing held by the House Homeland Security Committee’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
The Payment Card Industry (PCI) standards include more than 200 requirements intended to protect consumers against credit card fraud committed by criminals who hack into computer systems. But Hogan said the guidelines are “onerous, confusing and constantly changing,” and have required retailers to replace previous security programs with new programs that are different but not necessarily better.