Identity theft affects as many as 9 million Americans every year, according to the Federal Trade Commission. However, concern over how to safeguard consumers’ credit card information is quickly turning into a blame game between retailers and the payment card networks.
While retailers typically store customer credit card data, the Payment Card Industry (PCI) set forth a series of guidelines for how this data should be secured several years ago. Retailers that don’t comply by next year could potentially face higher processing fees.
However, some retailers have suggested that the credit card companies and banks should also shoulder some of the responsibility for data security.
Reportedly, TJX Cos., which owns store brands such as TJ Maxx and Marshalls, recently subpoenaed security details from MasterCard, claiming the credit card company was partially responsible for the damage from one of the most visible data breaches in recent history. A federal judge has also chimed in, denying the plantiff’s request to sue as a class and transferring the case out of federal jurisdiction last week. The decision was based on the difficulty in proving the source of any particular fraud loss.
“As an industry, retailers have already spent in excess of $1 billion on data security,” says Dave Hogan, SVP and CIO for the National Retail Federation.
As a complement to these efforts, the trade group would like to see credit cards issued with a personal identification number (PIN), thereby making identity theft more difficult. It also seeks the development of more secure payment methods, such as are currently used the UK, and merchants storing only transaction authorization numbers.
But, even as the retail community is looking to share some of the responsibility, the rate of adoption of the PCI guidelines is picking up, according to Chen Arbel, VP of strategic development at data security software provider Aladdin.
“Nobody wants to be second in line,” Arbel says, referring to the fact that TJX is the first retailer to face hefty fines as a result of its data breach. “Some retailers are now in the process of trying to meet PCI compliance as quickly as possible and my concern is this might not be the best way to do it,” she continues.
According to a new report on customer data security from RSR Research, only 32% of top-performing retailers (those with year-over-year same-store sales growth of more than 3%) are fully compliant with the PCI guidelines, while 50% of all other retailers are.
However, 43% of top-tier retailers report that they are working on reaching compliance while 21% say they don’t know if they are compliant, which most likely reflects just how difficult understanding what it takes to be compliant can be, according to RSR.
Possible government intervention is also motivating retailers to act.
“Retailers know they need to work with the payment card industry to solve this problem before it reaches a level that requires federal legislation,” says Steve Rowen, partner, RSR Research.
Vendors have also started stepping in to lend a hand. Last week, e-commerce platform provider MarketLive said it attained compliance with the PCI’s data security standard, thereby enabling clients to meet compliance standards for the e-commerce portion of their businesses.
“We’re hearing a loud and clear cry from merchants that they want guidance, leadership and help” when it comes to data security, says Tiffany Riley, SVP of marketing at MarketLive.