Washington, D.C. - Seeking a major security change intended to relieve retailers of liability when customer data is stolen, the National Retail Federation (NRF) on Thursday urged credit-card companies to change the way they process transactions.
The NRF proposed that instead of retailers keeping a customer’s credit-card number as part of their sales records, the bank would hold it. The retailer would keep only a truncated receipt and an authorization number linking back to the banked data.
"It makes more sense for credit-card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," David Hogan, the retail federation's CIO, said in a strongly worded letter.
The NRF proposal comes amid growing industry concern over data security. The biggest recent retail data breach involved TJX Cos., which said early this year that information from at least 45 million customer credit and debit cards had been exposed to potential fraud. Last month, Canadian investigators concluded TJX had kept data with insufficient encryption for years after it should have been purged.
Credit-card companies require retailers to comply with security standards known as Payment Card Industry Data Security Standards, or PCI. Fewer than half the nation's biggest merchants appear to be complying with the standards, which include encryption and other safeguards, despite a Sept. 30 deadline set by Visa USA. Visa plans to levy monthly fines of up to $25,000 against the merchant banks that noncompliant retailers rely on.
Visa, the nation's largest credit-card network, said that as of Aug. 31, 44% of big retailers were in compliance with PCI. Those retailers account for about half of nationwide Visa transactions.
The NRF sent its proposed change to the PCI Security Standards Council on Wednesday. Members of the council were reported to be reviewing the proposal but had no immediate comment.