The convenience store industry, along with many other retail segments, has had PCI compliance on the brain for a while now, and every time there is a breach somewhere, it sends shocks and fears into the heart of every organization -- especially when the company actually was PCI compliant at the time of the breach.
Now the National Retail Federation (NRF) is speaking out on behalf of retailers saying the standards set by the Payment Card Industry Standards Council are an “elaborate patch.”
"While PCI can reduce some fraud -- at extraordinary cost -- it is not nearly as effective as a redesign of the card processes themselves," David Hogan, CIO of NRF, said. "Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software. However, what is ironic about this scenario is that the credit card companies’ rules require merchants to store for extended periods credit card data that many retailers do not want to keep."
Visa and MasterCard claim retailers aren’t required to keep card information, but Hogan said retailers are required to produce a card receipt when purchases are disputed. If the retailer can’t produce the receipt, the card companies issue a "chargeback" and the amount of money in question is deducted from the retailer’s account, even if the transaction was legitimate, the organization reported.
However, many retailers in the c-store industry already go by the mantra, “if you don’t need it, don’t store it,” and even the restaurant industry (which often takes payment via handheld devices tableside) is also choosing technology that does not store data.
I would think a retailer would rather risk a possible chargeback, and not store the data, than risk a breach where the consequences are a lot more detrimental to their business.
What are you doing with your data?
