Retailers, creditors clash on security

October 2007Retailers and the credit card industry are at odds as they try to restore consumer confidence after recent massive thefts of credit card information. The National Retail Federation on Thursday urged a card industry organization to stop requiring retailers to keep customers’ card numbers for up to 18 months. The stored data helps track product returns and disputed or suspicious transactions. But retailers say the data would be more secure if only credit card companies and banks that issue the cards stored it. The biggest recent retail data breach involved TJX Cos., the Framingham, Mass.-based discount retailer, which said early this year that information from at least 45 million customer credit and debit cards had been exposed to potential fraud. Last month, Canadian investigators concluded TJX had kept data with insufficient encryption — and for years after it should have been purged. Less than half the nation’s biggest merchants appear to be complying with card industry security standards — which include encryption and other safeguards — despite a Sept. 30 deadline set by Visa USA, which plans to levy monthly fines up to $25,000 against merchant banks that noncompliant retailers rely on. The retail federation said U.S. retailers are increasingly at odds with the card industry over the security standards, known as PCI. Despite spending $1 billion on meeting the standards the past three years, their attempts to comply “are not enough to accomplish the ultimate goal of protecting the consumer,” the letter read. “Data breaches have continued to occur at an unacceptable rate.”