National Retail Federation takes aim at PCI DSS Council

By Bill Brenner

In another sign that PCI DSS compliance isn’t going very well for everyone, the National Retail Federation has shipped a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data.

From the letter, written by NRF Chief Information Officer David Hogan:

“All of us — merchants, banks, credit card companies and our customers — want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place. With this letter, we are officially putting the credit card industry on notice. Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.”

The letter notes that credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy card company retrieval requests. According to NRF, retailers should have a choice as to whether or not they want to store credit card numbers at all.

We’ve written quite a bit lately on all the trouble some merchants had meeting the Sept. 30 deadline set by Visa USA for companies to be in full compliance with PCI DSS. A recent report from VeriSign, for example, suggested many companies are still struggling with the demands of PCI DSS. The company based its report on a review of 60 PCI audits it recently conducted for 50 large companies and measured the extent to which companies are meeting more than 230 data security requirements. The company determined that 53% failed to meet key elements of PCI DSS and that companies were coming up short in such areas as regular testing, securing applications, logging and protecting data. The chief point of failure for 48% of customers was that they weren’t regularly testing their controls to make sure they work.

Of course, companies that haven’t done what Visa wants will face higher fees from the credit card network, and that’s left the NRF pretty upset.

I find this interesting because I’ve interviewed many PCI DSS auditors and IT professionals and they all say the same thing: Companies have no business hanging on to credit card data after a transaction is made. I didn’t realize this year-to-18-month storage requirement existed.

Even so, I think the NRF may be overreacting to all the data breaches that seem to be piling up by the day. There’s a lot of panic about the fact that data breaches keep occurring despite all the work companies have been forced to undertake to comply with the likes of PCI DSS. Those who are struggling to meet the standard are looking for someone to blame.

I’m not going to go off on these companies because there are a lot of reputable merchants out there that want to make their networks as secure as possible but don’t always have the resources to do all that’s needed. When a merchant faces the possibility that someone will revoke their ability to take credit cards despite their best compliance efforts, a little anger is inevitable.

Nevertheless, I’ve talked to several IT shops who are finding ways to meet PCI DSS. Granted, it’s easier to succeed if you’re a bigger company with more money and manpower, but there’s a lot of perspective out there that merchants need to drink in. As any security pro worth his or her salt will tell you, the name of the game isn’t simply to meet a deadline. Compliance, be it PCI DSS, HIPAA or GLB, is an ongoing process that will frequently need tweaking in response to new hacker tactics and emerging security technologies.

A merchant may not have done all that is needed to meet that Sept. 30 PCI DSS deadline. But if the business knows where the weaknesses are and outlines a solid game plan to address it, it’s doubtful that they’ll lose the right to do credit card transactions. And if there is a requirement that credit card data be stored for a certain amount of time, the answer is to encrypt that data and keep it walled off from the rest of the network through segmentation.
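The paragraph above ends with the practical advice for the retention window: encrypt the stored card data and segment it from the rest of the network. The following Go program is an added example of the storage half of that advice, written for this page; it is not code from the column, from the NRF, or from any PCI body. It assumes a hypothetical merchant record layout in which the full card number (PAN) is kept only as AES-GCM ciphertext, the displayable form is masked to the first six and last four digits, the encryption key is supplied by the caller from a separate key store rather than kept beside the data, and each record carries an expiry after which retrieval is refused because the record should have been purged. The retention length, the key-derivation secret and the sample card number are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// StoredCard is the record a merchant keeps for the retrieval window.
// The full PAN never sits in the clear; only the masked form is readable
// without the key.
type StoredCard struct {
	MaskedPAN  string    // first six and last four digits, the rest replaced by '*'
	Ciphertext []byte    // AES-GCM nonce followed by the ciphertext of the full PAN
	Expires    time.Time // when the retention requirement lapses and the record must be purged
}

// keyFor derives a 32-byte AES key from a secret that is assumed to live in a
// separate key store or HSM and is passed in by the caller, never stored with the data.
func keyFor(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

// luhnValid runs the standard Luhn check so obviously malformed numbers are
// rejected before anything is stored.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the leading six and trailing four digits for display.
func maskPAN(pan string) string {
	masked := []byte(pan)
	for i := 6; i < len(pan)-4; i++ {
		masked[i] = '*'
	}
	return string(masked)
}

// encryptPAN seals the PAN with AES-GCM under a fresh random nonce.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN opens the blob produced by encryptPAN; a wrong key or any
// tampering makes GCM's authentication check fail.
func decryptPAN(key, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreCard validates the PAN, masks it for display and encrypts the full value.
func StoreCard(key []byte, pan string, now time.Time, retention time.Duration) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return StoredCard{}, errors.New("invalid card number")
	}
	ct, err := encryptPAN(key, pan)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{MaskedPAN: maskPAN(pan), Ciphertext: ct, Expires: now.Add(retention)}, nil
}

// RetrievePAN serves a card-company retrieval request only while the retention
// window is open; an expired record should already have been purged.
func RetrievePAN(key []byte, card StoredCard, now time.Time) (string, error) {
	if now.After(card.Expires) {
		return "", errors.New("retention window has lapsed; record must be purged, not read")
	}
	return decryptPAN(key, card.Ciphertext)
}

func main() {
	key := keyFor([]byte("constructed-secret-from-key-store"))
	now := time.Date(2007, 10, 1, 0, 0, 0, 0, time.UTC)
	card, err := StoreCard(key, "4111111111111111", now, 18*30*24*time.Hour) // constructed test PAN, 18-month window
	if err != nil {
		panic(err)
	}
	fmt.Println("stored as:", card.MaskedPAN, "expires:", card.Expires.Format("2006-01-02"))
	pan, err := RetrievePAN(key, card, now.Add(24*time.Hour))
	fmt.Println("retrieval inside window:", pan, err)
	_, err = RetrievePAN(key, card, card.Expires.Add(time.Hour))
	fmt.Println("retrieval after window:", err)
}
```

The point of the record layout is that a database dump yields masked numbers and ciphertext, so the key store, not the cardholder-data table, becomes the thing to wall off through segmentation; the expiry field turns the one-year-to-18-month retention rule the letter complains about into a purge schedule rather than an indefinite liability.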

In an effort to bring some sanity to the business community, I’ve scoured the blogosphere in search of some wisdom. It didn’t take me long to find some. And so here it is:

The PCI DSS Compliance Demystified blog is, as its keepers put it, “devoted to demystifying the PCI DSS compliance process and linking you with as many resources as we can. The goal is to decentralize the information and provide a better ROI to your company or your clients.”

The Realtime IT Compliance Community blog is a good source for information related to IT compliance, regulations, information security and data protection. It includes links to other blogs, articles, white papers, and podcasts as well as links to external resources.

Dr Anton Chuvakin’s blog frequently focuses on information security and PCI DSS.

The PCI DSS News and Information blog is a collaboration between NACUBO and the Treasury Institute and is a place where you can keep up to date on recent developments and ask questions.

The IT Toolbox community, which includes a ton of blogs, has a lot of handy links to PCI DSS information, including this “PCI Made Easy” whitepaper link.

The CSO Central blog often includes a lot of helpful advice on PCI DSS.

There are many more security blogs out there offering information on PCI DSS, but the blogs I’ve just listed show that there are plenty of voices of reason out there, and the first step to achieving compliance is to approach it without fear.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at

1 comment

If anything, PCI doesn't go far enough. For starters, security breach reporting isn't law at the Federal level (yet). The US is behind most of the civilized world in this respect. PCI is another attempt at self-regulation by the very companies that ignored the problem for years in the name of profit. PCI is better than nothing, but still not required by law. In the US, if the threat of fines or jail time isn't present, many will ignore such efforts. When consumer protections become law, business inevitably cries foul. Merchants will experience some pain and anger as a result of years of disregard for privacy & security. While it is true that consumers frequently do not follow even basic identity theft guidelines, they place only themselves and their families at risk. Merchants, banks, transaction processors & card issuers who don't encrypt and/or follow good security practices endanger the trust required for the concept of credit cards to work in the first place. While I like profit as much as the next person, there are some issues that transcend our right to make money at all costs.

Some states have introduced bills that go further, to extend requirements on merchants. For example, California has introduced:

AB 779 – Data Breach Notification, Identification, and Restitution – As consumer data breaches and identity theft grow in scope and quantity, consumers need to know exactly who is failing to adequately protect their personal information. For example, TJ Maxx stores' parent company allowed 45.6 million credit card numbers to be stolen electronically. AB 779 would enhance consumer protection by properly identifying the entity responsible for the data breach, require better data protection by retailers and allow for reimbursement of relevant costs to credit unions and community banks stemming from the data breach.

AB 1298 – Omnibus Privacy Protection – AB 1298 would protect consumers’ medical records by extending the state’s existing medical privacy laws to the emerging electronic medical records industry. AB 1298 also requires businesses and state agencies that release a consumer’s medical information or health insurance information to an unauthorized person to notify the consumer of that data breach.

If PCI requirements are recalled or softened, it is likely that the Feds would be pressed to finally take action - and that would make more of an impact (good and bad). Sorry to be blunt - but NRF Chief Information Officer David Hogan should tell his constituents to suck it up and work to improve their systems, and stop whining!