Citing concern over data breaches, the National Retail Federation on Thursday, in a letter to the Payment Card Industry Security Standards Council, requested changes in how the credit card industry requires merchants to store credit card data.
“All of us—merchants, banks, credit card companies and our customers—want to eliminate credit card fraud,” said NRF chief information officer David Hogan in the letter. “But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place.”
The letter outlines the retail industry’s commitment to Payment Card Industry compliance while addressing the issue that Payment Card Industry itself does not discourage hackers from attempting breaches of retailers’ systems.
“With this letter, we are officially putting the credit card industry on notice,” Hogan said. “Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.”
Credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months in order to satisfy card company retrieval requests. NRF says retailers should have a choice as to whether they want to store credit card numbers at all.
Hogan outlined NRF’s approach in the letter, stating that credit card companies and their banks should provide merchants with the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring that merchants keep reams of data for an extended period of time, putting retail customers at unnecessary risk.
A full version of the letter can be found at www.nrf.com.