Retailers, creditors clash on security

Retailers and the credit card industry are at odds as they try to restore consumer confidence after recent massive thefts of credit card information.
Source: The Associated Press

The National Retail Federation on Thursday urged a card industry organization to stop requiring retailers to keep customers' card numbers for up to 18 months.

The stored data helps track product returns and disputed or suspicious transactions. But retailers say the data would be more secure if only credit card companies and banks that issue the cards stored it.

"It makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," David Hogan, the retail federation's chief information officer, said in a strongly worded letter.

He said he was putting "the credit card industry on notice."

The biggest recent retail data breach involved TJX Cos., the Framingham, Mass.-based discount retailer, which said early this year that information from at least 45 million customer credit and debit cards had been exposed to potential fraud. Last month, Canadian investigators concluded TJX had kept data with insufficient encryption — and for years after it should have been purged.

One credit card company said it doesn't require retailers to store the data.

Less than half the nation's biggest merchants appear to be complying with card industry security standards — which include encryption and other safeguards — despite a Sept. 30 deadline set by Visa USA, which plans to levy monthly fines up to $25,000 against merchant banks that noncompliant retailers rely on.

Visa, the nation's largest credit card network, said that, as of Aug. 31, 44 percent of big retailers had complied with the Payment Card Industry Data Security Standard. That's up from 40 percent compliance in July. Those retailers account for about half of nationwide Visa transactions.

Banks could try to pass along the fines, but noncompliant retailers' biggest burden is the higher fees they pay for each transaction if they don't comply with the standards, said Avivah Litan, a Gartner Inc. analyst.

"If they're not compliant, that can cost millions of dollars," Litan said.

Visa USA Vice President Rosetta Jones said the card network considers noncompliant merchants "delinquent," which will lead to fines for large banks starting this month and for medium-size retailers' banks in January.

Visa originally set a September 2004 compliance date for large merchants. But it wasn't until the latest deadline passed that banks faced fines.

The retail federation's Hogan said U.S. retailers are increasingly at odds with the card industry over the security standards, known as PCI.

Despite spending $1 billion on meeting the standards the past three years, their attempts to comply "are not enough to accomplish the ultimate goal of protecting the consumer," Hogan said. "Data breaches have continued to occur at an unacceptable rate."

"We believe the time has come to rethink the assumptions behind PCI," he said.

Hogan said in an interview that retailers routinely hold onto information because credit card companies ask them to produce data from transactions as old as 18 months to verify product returns and protect against fraud. If retailers can't produce data showing the product was legitimately purchased, they can end up reimbursing banks and card companies, Hogan said.

In a statement Thursday, MasterCard called the retail federation's claims "inaccurate and unjustified."

MasterCard said merchants that keep card data may store it in a "truncated format which minimizes risk. In addition, a merchant may choose to store no cardholder data at all based on their own risk assessments and individual approaches to managing data storage according to their own business needs."