Two serious security breaches within the state government that led to thousands of residents having their personal information compromised have retailers concerned about their own data.
“It’s become a much bigger issue with advanced technology,” said Timothy Phelan, president of the Connecticut Retail Merchants Association. “It’s gone beyond just [information technology] staff. It now involves loss prevention because there are organized groups out there mining to steal information.”
The issue is likely to come to the forefront, retailers predict, as a result of two breaches in the past several months.
A Department of Revenue Services employee had a laptop stolen in August that contained the names and social security numbers of 106,000 state residents. A computer tape stolen in Ohio included information on nearly every bank account held by state agencies.
Those breaches, in part, have led to scrutiny of retailers because they are required to compile and store data on credit card transactions for at least a year.
Retailers are wary, according to Phelan, because they take measures to protect the data but are penalized when those measures fail.
Invitation To Thieves
The storing of credit card data for a lengthy period of time has been questioned by the National Retail Federation as it argues that storing the data is inviting a security breach.
In a letter to the Payment Card Industry earlier this month, NRF Chief Information Officer David Hogan wrote that all retailers want to eliminate credit card fraud.
“If the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store card data in the first place,” he wrote.
The NRF’s position is that retailers should have the choice on whether or not to store data and eliminate the incentive for hackers to attack their systems.
“The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few, secure locations than to expect millions of merchants scattered across the nation to lock their data for them,” wrote Hogan.
Currently, credit card companies like Visa and MasterCard require stores to hold data from a year to 18 months to satisfy retrieval requests from the companies. The NRF would like to see the amount of data stored reduced to just the authorization code provided at the time of sale and a truncated receipt.
The issue the state legislature will face during the upcoming session is what to do regarding retailers’ data, because different retailers hold on to different information.
“There is certain information that retailers are forced to store because of the credit card companies,” said Phelan. “But retailers want to continue to communicate with their customers, with their name and address, to let them know about sales and other things going on.”
