The Retail Credit Card Addiction

R.A. Hettinga rah at
Thu Oct 11 06:17:01 PDT 2007



The Retail Credit Card Addiction

October 8, 2007

By  Evan Schuman

Major retailers, just like any large business, do not like being told by
partners what they can and can't do. But when the credit card companies told
merchants that they must retain credit card information to deal with
returns and chargebacks, they balked, but then agreed.

Like any good business, they tried taking an unpleasant requirement and
turning it into a business advantage. Consider suppliers being forced to
use RFID (radio-frequency identification) who then use it to better track
their own product movement or e-tailers who reluctantly comply with
accessibility rules and then discover that it costs them less in
programming and development and their pages load faster.

Retailers started using the credit card numbers to identify purchases with
specific consumers, given that they had to store them anyway. It turned out
to be a convenient link into CRM (customer relationship management)
systems, especially for customers who weren't using the traditional
retailer-issued loyalty card.

On the e-commerce front, some (relatively few, but some) online merchants
were using the mandatory credit card retention to allow customers to make
purchases more quickly.

This has been going on for quite a few years. A relatively logical proposal
floated by a major industry group is now threatening to rock the credit
card boat, potentially exposing just how much retailers are now addicted to
plastic numbers.

Last week, the National Retail Federation formally launched its campaign to
get credit card companies to permit retailers to not store credit card

The move was masterminded by the NRF's CIO, Dave Hogan, who has floated
this idea to the industry for months. (I remember him eloquently and
passionately making his case for changing how credit cards are dealt with
about two months ago, as I listened to him on a cell phone at a Toyota
dealership, thinking this was one of the more surrealistic things to listen
to while getting a car door rehinged.)

Hogan's idea, in its simplest form, is that retailers should stop being
required to save credit card information. If the credit card firms want it
saved, they are quite free to save it themselves. After all, Hogan argued,
"it makes more sense for credit card companies to protect their data from
thieves by keeping it in a relatively few secure locations than to expect
millions of merchants scattered across the nation to lock up their data for

Indeed, it does make sense. But Hogan's idea, while alluring and almost
seductive (in an ultrageek-like data protection way), has several
logistical roadblocks.

For example, at best, the Hogan proposal could sharply minimize how long
the sensitive credit card data is in the retailer's system, but it's not
likely to eliminate it. For magstripe cards (contactless is a different
situation), the numbers are going to be seen by the store employee (who is
always the biggest security weak point) and will then almost certainly be
entered into the retailer's system, en route to a processor for approval.

Even if the number is dumped the instant the verification number comes
back, it's still there long enough to be sniffed or captured by a Trojan
Horse. Indeed, that's one of the things that TJX said happened to them.

A contactless card could bypass the cashier, which helps a little. But to
bypass the retailer's network entirely would require either a third-party
service or to have the processors or the card companies install their own
devices at the point of sale.

That's clearly a dramatic, and incredibly expensive, move by quite a few
players in the payment space. Less dramatic approaches would be upgrading
security to protect that small window of vulnerability, or to all but
eliminate it.
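As an added illustration (not code from the article, nor from the NRF, any card brand or processor), here is a small Python sketch of the model Hogan describes: the processor holds the card number and hands the merchant an opaque reference that is enough to answer a chargeback; the merchant keeps only that reference plus a truncated number, and the full number exists in merchant code only for the duration of the authorization call. It also includes the Luhn-filtered scan a merchant would run over its own POS logs and database exports to confirm that no full numbers are being retained. The processor class, its reference format, the record's field names and the sample POS log line are all constructed for the example.

```python
"""Retain the processor's reference, not the card number (added example).

Not code from the article, the NRF, or any card brand or processor. The
processor class, its reference format, the merchant record's field names
and the sample POS log line are all constructed for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13 to 19 digits, optionally split by single spaces or dashes, and not
# embedded in a longer unbroken run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812-1); rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text, separators stripped.

    This is the scan a merchant runs over POS logs, CRM exports and database
    dumps to show that full card numbers are no longer being retained.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer prefix) and last four digits, star the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class FakeProcessor:
    """Stand-in for the card processor. It holds the card number so that the
    merchant does not have to; a chargeback is answered by reference."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # reference -> full PAN, processor side only
        self._counter = 0

    def authorize(self, pan_digits: str, amount_cents: int) -> str:
        self._counter += 1
        ref = f"AUTH-{self._counter:06d}"  # constructed reference format
        self._vault[ref] = pan_digits
        return ref

    def chargeback_lookup(self, ref: str) -> str:
        """What the processor can tell the merchant about a disputed charge."""
        return mask_pan(self._vault[ref])


@dataclass
class StoredTransaction:
    """Everything the merchant keeps. No full card number appears here."""
    order_id: str
    masked_pan: str     # enough for receipts and CRM matching on last four
    auth_ref: str       # what returns and chargebacks are resolved with
    amount_cents: int


def authorize_and_store(processor: FakeProcessor, pan: str,
                        amount_cents: int, order_id: str) -> StoredTransaction:
    """The full PAN exists in merchant code only inside this call, on its way
    to the processor; only the masked form and the reference are returned."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a plausible card number")
    ref = processor.authorize(digits, amount_cents)
    return StoredTransaction(order_id, mask_pan(digits), ref, amount_cents)


# Constructed sample of the kind of line a POS might have logged before the change.
POS_LOG_BEFORE = "2007-10-08 14:02:11 sale lane=3 pan=4111-1111-1111-1111 amt=1999 approved"


def demo() -> tuple[list[str], list[str]]:
    """Scan an old-style log line and a new-style stored record for card numbers."""
    proc = FakeProcessor()
    tx = authorize_and_store(proc, "4111 1111 1111 1111", 1999, "ORD-0001")
    return find_pans(POS_LOG_BEFORE), find_pans(repr(tx))


if __name__ == "__main__":
    before, after = demo()
    print("card numbers in old log line:", before)   # ['4111111111111111']
    print("card numbers in stored record:", after)   # []
```

Run as a script, the old-style log line yields one card number and the merchant's stored record yields none. The Luhn check is what keeps the scan from flagging timestamps, order numbers and other long digit runs, and the scan itself is the evidence a merchant needs before it can claim the retailer-side retention Hogan objects to has actually stopped.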

That gets us into the other reality issues surrounding this kind of payment
procedure change. Few retailers handle their own payment process. So even
if a major retailer made a decision to not store card numbers any more,
they would likely need their POS vendor and various other technology
partners to upgrade to handle the change.

Prat Moghe, founder of data auditing vendor Tizor and a member of the PCI
Security Vendor Alliance, estimated that it could take five years to make
such a change with a large retail chain, at which point the move might be
silly because of other unknown changes that will impact the payment world
of early 2013.

Even if Moghe's five-year plan might be exaggerated, his point that these
things take a lot of time is a fair one.

Another strong Moghe point is that credit card data, while essential, is a
very small part of the confidential consumer data that the average large
retailer retains. His take is that, even if successful, this kind of a
credit card process change wouldn't improve retail data protection as much
as it may seem.

Let's get back to what the proposal actually is. The proposal is that the card
companies back off and stop requiring the retailers to retain the number.
If the proposal went a step further and suggested that the PCI rules be
changed to explicitly ban a retailer from retaining those numbers, that
might change the issue.

If the rule change merely permits retailers to do either, the huge
headaches associated with a change this major, not to mention the costs,
mean that very few retailers are likely to take advantage of it.
Hence, it could result in a very modest improvement in credit card
information security.

But if the rules forbid such data retention, that would force action. Most
importantly, it would get POS vendors to make the change, which would
quickly migrate to all of retail. It could be similar to Y2K, where even
companies that did nothing eventually became Y2K compliant as they upgraded
to Y2K-compliant apps.

What has been the reaction of the PCI Council and the major credit cards?
Thus far, nothing meaningful, at least not publicly. Privately, PCI Council
folk have said that this is really a credit card issue, as opposed to a
council issue, which is true.

Credit card companies have not yet reacted strongly, although some have
"generously" pointed out that their rules do not technically mandate that a
retailer retain these numbers. That's technically true. If a retailer wants
to forfeit the ability to challenge any customer who disputes a charge,
they're free to do so. Not surprisingly, retailers aren't jumping at that

Retailers today say they do generally care about security, but when it
comes to spending money or changing procedures, they get pragmatic. "Yes, we
care about security, but we're not fanatics," they tend to say.

The PCI certification, which many retailers have yet to pass, is something
that retailers are doing, but they're pursuing it because they have to.
That results in a bare-minimum kind of attitude, where merchants will do as
little as they can to barely comply with the letter of the requirements.

Consider, for example, the difference between the extensive review
processes that surround a typical large software or supplier contract and
the one that covers the hiring of a PCI auditor. The contract awards for
software or a new line of merchandise to sell can take a year, dozens of
meetings and extensive oversight, whereas retailers often select their
auditors using evaluation sophistication that's not much more complicated
than rock/paper/scissors.

There's no argument that security procedures surrounding credit cards need
to be improved, and Hogan's proposal is a very positive step in the right
direction. But whether it's practical and politically palatable is a
different issue. The bigger question, though, is whether retailers will
make the effort.

Any kind of meaningful change will require some pain, both in terms of
investment dollars and a lot of procedural changes. How much will the
retail CFO put up with for something that has very little chance to bring
in any profits?

Retail Center Editor Evan Schuman has tracked high-tech issues since 1987,
has been opinionated long before that and doesn't plan to stop any time

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list