The credit card security debate is coming to a head.
According to the most recent data, fewer than half of major retailers were on track to meet a Sept. 30 deadline set by Visa USA to tighten the security on their data systems, increasingly targeted by hackers and scam artists.
The low rate means many merchants face higher fees from Visa, the largest credit card network, and potentially fines from banks that handle payments when customers use plastic at the cash register.
In response, the National Retail Federation, a trade group representing the largest merchants, yesterday called on credit card security officials to change the procedures under which merchants store some data, a practice the group said creates many of the vulnerabilities.
Card companies and banks reacted coolly to the idea when retailers floated it in the past. But the proposal is likely to renew debate on credit card security, as well as on how the financial companies price access to the nation's credit card networks, a $40 billion-a-year service that has drawn increasing complaints from stores.
Just who should be responsible for protecting customer card numbers has become a hot issue this year in the wake of large breaches that have struck companies like TJX Cos., the Framingham parent of stores including TJ Maxx and Marshalls.
Earlier this year it disclosed how hackers had stolen at least 45.7 million credit and debit card numbers in the largest breach to date, though about 75 percent of the cards were expired or had data in the magnetic strip masked. Last week Canadian regulators faulted the company's security protocols and said TJX believes the intruder may have gained access via wireless local area networks at two Marshalls stores in Miami.
Card network operators including Visa and MasterCard Inc. generally waive losses for customers, but for years have been pressing merchants to meet what is now called the Payment Card Industry Data Security Standard. It outlines 12 technical areas in which big store chains, restaurants, and others who accept credit cards must take steps such as encrypting cardholder data, assigning ID numbers to each employee with computer access, and running regular security tests.
Most of the 327 merchants that handle more than 6 million Visa transactions a year were supposed to meet the new standard by Sept. 30, but only 40 percent did so according to the retail federation. (Visa put the figure at 44 percent as of Aug. 31.) Only a few large companies such as Wal-Mart will publicly disclose their status: The world's largest retailer says it has met the requirements.
Hiring consultants to meet the standard can cost companies millions. Bob Russo, general manager of a Wakefield security group set up by the card companies, said one problem is that many companies have trouble retrofitting new security technologies on their older systems. "It's like putting an airbag and seat belt into an old Thunderbird" automobile, he said.
Russo said he needed more time to study the letter the National Retail Federation sent him yesterday before commenting on it.
The federation said the best solution would be for merchants to no longer be required to store certain data they now keep to manage payment disputes.
"The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," David Hogan, the federation's chief information officer, wrote.
Compliance matters because Visa said in August it would start raising so-called interchange fees, which already can account for 3 percent of every purchase, on customers that don't meet the standard. That can translate to millions of dollars for larger chains. Fees are already rising as banks introduce more credit and debit cards that pay customers rewards. Banks that handle transactions for noncompliant merchants could also face fines of up to $25,000 per month.
"It's the dirty little secret of money, if you think about how the interchange fees work," said Hogan. He and others say large banks also share blame for demanding big fees to process consumer payments without reinvesting enough in security.
A Visa spokeswoman, Rosetta Jones, wrote in an e-mail in August, "Visa considers merchants that do not make these deadlines to be delinquent in meeting their obligations to properly secure cardholder data." Yesterday, Jones said Visa did not yet have a more recent compliance number, but noted that Visa has issued $3.3 million in fines against merchants' banks since last year and that the August compliance rate was higher than in previous months. "We're seeing steady progress," she said.
In an Aug. 27 notice to merchants, Visa reiterated rules that prohibit merchants from storing data such as the three-digit number typically found on cards' signature panels, often targeted by hackers.
A MasterCard spokesman said the company wouldn't discuss compliance or what actions it might take.
An issue is whether Visa will follow through on its previous threats, said Holly Ludwig, a consultant for the Jefferson Wells audit and accounting firm. For Visa, "now the question is, how true are they to their word?" Ludwig said.
Ross Kerber can be reached at kerber@globe.com.
