NRF Proposes Ideas for Fighting Credit Card Fraud
Security standards imposed by the credit card industry would better protect consumers against fraud if they didn’t require retailers to store card numbers, the National Retail Federation (Washington) testified before a congressional panel investigating cybercrime.
“All of us—merchants, banks, credit card companies and our customers—want to eliminate credit card fraud,” said David Hogan, senior vice president and chief information officer for the NRF. “But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place.”
Data security standards are mandated by the Payment Card Industry Security Standards Council run by Visa, MasterCard and other major credit card companies.
PCI standards include more than 200 requirements intended to protect consumers against credit card fraud committed by criminals who hack into computer systems.
“While PCI can reduce some fraud—at extraordinary cost—it is not nearly as effective as a redesign of the card processes themselves,” Hogan said. “Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software.”
Hogan said retailers keep credit card information because they are required to produce a card receipt when purchases are disputed. If the retailer can’t produce the receipt, the card companies issue a “chargeback” and the amount of money in question is deducted from the retailer’s account, even if the transaction was legitimate.
“The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them,” said Hogan. [July 2009 PET AGE]