State asks stores to detail data security
Official: Let shoppers see who is adhering to industry safeguards
Massachusetts' new top business regulator yesterday called on retailers to start disclosing how well they protect customer credit-card and debit-card data, an idea gaining traction after a data breach at retailer TJX Cos. last month.
"Consumers have a right to know if stores are adhering to the best practices of the industry," said Daniel Crane, director of the office of consumer affairs and business regulation.
"If you have a choice between shopping somewhere that is protecting the information and somewhere that is not, you might make the obvious choice," Crane said.
Payments industry executives said they know of no other state or federal official who has gone as far as Crane in seeking to publicize whether specific merchants meet security rules set by card companies including Visa International and MasterCard Inc.
Consumer groups and some security consultants also are voicing more support for the idea, however, as a way to maintain shoppers' confidence when they use plastic. "I think retailers should be increasingly obligated to show what they're doing by way of information security," said Frank Liddy, manager in the enterprise security division of Unisys Corp. in Pennsylvania.
Mallory Duncan, general counsel for the National Retail Federation, a trade group in Washington, called the suggestion "a really bad idea" since the card firms often change the standards and can keep merchants waiting months to learn whether they pass their audits. Also, he said, many companies have had trouble melding their proprietary charge-card systems to the rules known as the Payment Card Industry standard, or PCI.
"Anyone who's proposing PCI be used as a surrogate doesn't know PCI very well," he said.
As data thefts increase, low compliance with payments standards is emerging as a hot issue. Visa says only 31 percent of large merchants meet the rules, which spell out details like how much data stores and restaurants can collect on consumers and for how long they can keep it on file. Visa and MasterCard have been increasing fines against banks that handle these payments as well, and some say banks themselves bear responsibility for not insisting on tougher standards.
Crane said he plans to encourage retailers to develop some way to inform shoppers whether they meet the standards. Some stores might see an advantage in being known for security, but Crane's idea is unlikely to meet much enthusiasm.
In a half-dozen calls to some of the country's largest merchants, only a spokesman for retailer Wal-Mart Stores of Arkansas would say that it complied with the standards. Others either did not return messages or said, like a spokeswoman for Sears, Roebuck & Co., that they would not discuss it.
TJX, the Framingham retailing giant whose stores include T.J. Maxx and Marshalls, also has declined to say whether it met the standard, though financial services executives have said it is among the laggards. A spokeswoman said yesterday that the company would not comment.
TJX has been at the center of a controversy since Jan. 17, when it revealed that a hacker had broken into its computers, compromising potentially millions of credit- and debit-card numbers and driver's license data from as far back as 2003. Thieves have used the numbers to make fraudulent purchases from Florida to Hong Kong.
TJX says it was victimized in the case, but criticism has come from banks, which have to bear the cost of reissuing cards and notifying customers. Some smaller credit unions have gone further. In a letter Wednesday to Visa, James Blake, chairman of the Massachusetts Credit Union League, suggested disclosure as the solution, calling on the firm to say which of the country's top 200 merchants don't meet the standards.
He wrote TJX "appears to be another case" of a failure to meet the security guidelines.
A Visa representative said executives weren't available to comment yesterday. MasterCard said that it has "tracked, progressed, and driven compliance with merchants" and issued fines where needed. "We do not, however, publicly disclose information related to fines, compliance rates, or other disciplinary measures with respect to specific merchants. Our primary goal is to encourage industrywide compliance."
Reach Ross Kerber at kerber@globe.com, and Jenn Abelson at abelson@globe.com.