Despite the hundreds of millions of dollars spent every year to fight credit card theft and improve security, retailers and consumers still fall victim to breaches.
In a conference call organized by the National Retail Federation titled “The Real Cost of Security Data,” NRF executives discussed the challenges retailers face when dealing with banks on credit card theft. One problem lies in the confusion about what it means to be compliant with the Payment Card Industry Data Security Standards.
“There is a lot of frustration from retailers because PCI compliance has always been a moving target and the metrics are always changing,” said Mallory Duncan, senior vice president and general counsel of the NRF, Washington, DC. “There is a lot of confusion [over] what the guidelines mean, and specific milestones seem to change indeterminately.”
Retailers must follow 12 major requirements, which break down into more than 200 individual requirements. They include installing firewalls, not using vendor-supplied default passwords, protecting stored cardholder data, encrypting transmission of cardholder and sensitive information across public networks, and regularly updating anti-virus software.
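To make the listed requirements concrete, here is a small configuration audit that checks a point-of-sale setup against several of them (vendor default credentials, stored card numbers left unmasked, unencrypted transmission, firewall and anti-virus status). This is an added illustration, not code from the NRF or the PCI Security Standards Council; the configuration keys, the list of vendor default credentials, the sample configuration and the seven-day anti-virus threshold are all assumptions constructed for the example.

```python
"""PCI-style configuration audit for a point-of-sale host (illustrative).

Assumed config layout: a dict with "admin_user", "admin_password",
"stored_pans", "transport", "firewall_enabled" and
"antivirus_signature_age_days". None of these names come from any real
product; they exist only so the checks below have something to inspect.
"""
import re
from typing import Dict, List

# Constructed list of well-known vendor default credentials (assumption;
# a real audit would take these from the vendor's own documentation).
VENDOR_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# A stored or displayed PAN may show at most the first six and last four
# digits; everything in between must be masked.
MASKED_PAN = re.compile(r"^\d{0,6}\*+\d{4}$")

# Assumed threshold for "regularly updated" anti-virus signatures.
MAX_AV_SIGNATURE_AGE_DAYS = 7


def mask_pan(pan: str) -> str:
    """Render a PAN keeping only the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def is_masked_pan(value: str) -> bool:
    """True if the value exposes no more than first-six/last-four digits."""
    return MASKED_PAN.fullmatch(value) is not None


def audit_pos_config(config: Dict) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # Requirement: do not use vendor-supplied default passwords.
    credential = (config.get("admin_user"), config.get("admin_password"))
    if credential in VENDOR_DEFAULTS:
        findings.append("vendor default credentials in use")

    # Requirement: protect stored cardholder data. The finding itself only
    # ever reports the masked form so the audit log does not leak the PAN.
    for pan in config.get("stored_pans", []):
        if not is_masked_pan(pan):
            findings.append(f"unmasked PAN stored: {mask_pan(pan)}")

    # Requirement: encrypt transmission across public networks.
    transport = config.get("transport", {})
    if transport.get("scheme") != "https" or not transport.get("verify_tls", False):
        findings.append("cardholder data transmitted without verified TLS")

    # Requirement: install and maintain a firewall.
    if not config.get("firewall_enabled", False):
        findings.append("host firewall disabled")

    # Requirement: regularly update anti-virus software.
    if config.get("antivirus_signature_age_days", 0) > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append(
            f"anti-virus signatures older than {MAX_AV_SIGNATURE_AGE_DAYS} days"
        )
    return findings


# Constructed sample configuration with several deliberate weaknesses.
SAMPLE_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "stored_pans": ["4111111111111111", "411111******1111"],
    "transport": {"scheme": "https", "verify_tls": False},
    "firewall_enabled": True,
    "antivirus_signature_age_days": 30,
}

if __name__ == "__main__":
    for finding in audit_pos_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample configuration the audit reports four findings: default credentials, one unmasked stored PAN (reported only in masked form), TLS without certificate verification, and stale anti-virus signatures; the firewall check passes. The point of the masked-PAN check is that an audit tool should never itself become a place where full card numbers are written out.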
According to the callers, only 40 percent of the largest retailers in the U.S. have achieved this compliance. The NRF attributes this to poor communication and unclear measurements.
Another issue facing retailers has to do with legislation being proposed in Massachusetts, Connecticut and Rhode Island. The legislation would require retailers to pay for all costs of fraud.
“The measure is being pushed by community banks who don’t always monitor accounts,” said Liz Oesterle, senior director and government relations counsel at the NRF. “Our position is that interference by Congress in this complex issue should be very carefully monitored.”