NRF and Other Retail Groups Gang Up On PCI, Demand More Reasonable Rules

Representatives of seven of the largest retailer organizations sent a strongly worded letter to the PCI Council on Tuesday (June 9), officially asking for several major changes to PCI to make compliance an easier goal. The PCI Council issued a response, which pretty much amounted to "We like feedback. Have a nice day."

The letter to the council supported an end-to-end-encryption standard, sought more input from retailers at an earlier stage, asked for larger chains to be given more time to implement new PCI requirements, wanted there to be a list of the most important elements that really need to be done (rather than insisting on compliance with every one of the "more than two hundred detailed requirements of the PCI DSS") and called for allowing retailers to store fewer pieces of sensitive data.

The letter was written to Bob Russo, general manager of the PCI Security Standards Council, and was signed by National Retail Federation CIO Dave Hogan, National Restaurant Association CEO Dawn Sweeney, Merchant Advisory Group CEO Dodd Roberts, American Hotel & Lodging Association CEO Joe McInerney, International Franchise Association CEO Matthew Shay, National Council of Chain Restaurants President Jack Whipple and the Association for Convenience & Petroleum Retailing CEO Henry Ogden Armour. The letter was cc'ed to American Express CEO Kenneth Chenault, Discover Financial Services CEO David Nelms, Visa CEO Joseph Saunders, MasterCard CEO Robert Selander and JCB CEO Tamio Takakura.

"It is becoming increasingly difficult for our members to comply with the program’s requirements in a cost effective and timely manner, especially in this difficult economic climate," the letter said. "Today, most of the risk and financial burden for operating in compliance with PCI DSS is borne by the merchants, our members. Yet, the credit card companies and banks realize significant revenue from the credit card transactions from our members’ businesses."

  • Seek Retail Input Earlier
    "Incorporate a formal review and comment phase on revisions to the PCI DSS by participating membership before they are issued. We suggest that the PCI SSC adopt a similar process for writing standards in an open environment as is used by Accredited Standards Committee X9 (ASC X9)," the letter said. "As ASC X9 also maintains data security standards, we recommend the PCI SSC partner with them in an effort to create a single standard that could be used by all."

  • Give Retailers More Time To Implement
    The request for more time pointed to the needs of both large merchants—who have a lot more to change—and smaller chains, which have far fewer dollars.

    "Ensure the amount of time from issuance of a revision to the PCI DSS and the effective date is appropriate for all merchants, including Level-1 merchants making enterprise-wide changes, based on the revisions that are being implemented, as well as small operators without the resources to readily comply," the letter said. "Along with this, we request that the sunset date of version 1.1 of the PCI DSS be extended to December 31, 2009."

  • End To End Encryption Rules?
    As security debates continue between the end-to-end encryption and the tokenization gangs, the group asked that PCI finally get into the issue and declare some explicit guidelines.

    "Follow, and adopt, the ASC X9 announcement of its plan to develop a new standard to protect cardholder data that may include end to end data encryption," the letter said. "By leveraging end to end encryption of credit card transactions, the industry could implement broad and consistent protections for consumers, businesses and the global electronic payment system by rendering card information useless to thieves."

  • Streamline PCI, Deliver A Shorter Must-Do List
    Pointing out that the latest rev of PCI is quite long and that compliance today depends on meeting every single requirement (the PCI Council is one of the few places where a 99 percent test score is failing), the letter asked for more of a triage approach.

    "Utilize the concepts of key controls and controls rationalization to restructure the more than two hundred detailed requirements of the PCI DSS. These concepts are similar to what the U.S. Government enacted for publicly traded companies as part of the Sarbanes-Oxley Act," the letter said. "This would reduce the reporting and maintenance burden on companies by ensuring they place a focus on the key controls that reduce overall risk for their particular business model."

  • Stop Forcing Retail Execs To Store More Than They Need
    This is one of the older requests being made. The NRF's Hogan has been arguing for years that the way to make retailers less susceptible to data breaches is to stop forcing them to keep so much unnecessary data on their servers.

    To paraphrase famed bank robber Willie Sutton, why do cyber thieves target retailers so often? Because that's where the data is. Hogan's argument has been that if the credit card companies are so intent on protecting the data, let them share the burden of housing those files, many of which the retailers would rather not have lying around.

    "Require credit card companies and their banks to provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to store credit card information for dispute resolution, putting customers at unnecessary risk," the letter said.

A day after the letter was sent and released publicly, PCI's Russo issued a statement that the council "actively seeks and encourages collaborative input on the PCI DSS from all interested parties" and it then touted that its current board "has significant merchant, restaurant and petroleum industry representation including Wal-mart, Tesco, McDonalds and Exxon Mobil."

Other than a brief comment on end-to-end encryption—namely that the PCI Council "recently issued an RFP on emerging technologies, including further research into end-to-end encryption, and anticipates a detailed analysis and position paper presented to us by the end of the summer"—Russo's statement didn't agree or disagree with any of the five proposals.

At the end of his statement, Russo seemed to dismiss the group's suggestion that the council bend its rules to allow for more retail feedback at an earlier stage, instead suggesting that the group is the one that should come to PCI, rather than the other way around.

"We appreciate the input from these industry associations and we do encourage those that are not formal Council stakeholders to join up and become active participants, lending practical security expertise – along with their ideas - to evolve payment data security standards," Russo's statement said.