Retailers Pushing Back on PCI
The largest retail lobby in the world, the National Retail Federation, recently sent notice to the PCI Security Standards Council that it disagrees with the standards put forth by Visa International, American Express, Discover Financial Services, JCB, and MasterCard Worldwide. In the letter, the federation made its own suggestions on how to better protect credit card data.
The letter, from David Hogan, SVP and CIO of the National Retail Federation, to Bob Russo, General Manager of the PCI Security Standards Council, claims that PCI DSS places much of the burden of protecting credit card data on the retailers themselves. From my own personal understanding of the 12-step PCI DSS Standard, I would have to say that is true. I would even go so far as to say the retailers are being unfairly targeted to front the costs and forced to hold onto the data for a specified period.
Even more interesting is the fact that many of the credit card companies are not yet compliant with the standards themselves, and are placing extremely high fines on retailers that have yet to become compliant in the time frame set forth in their terms.
David Hogan suggests that if the retailers did not have to retain the data for such long periods, which at times can be up to 18 months, they would be less susceptible to the crimes and fraud that occur even with these standards in place.
I also agree with David Hogan, and hope others will join with him in saying so. I do think that overall PCI should be implemented, but the credit card companies must share the burden and should reduce the time that retailers have to retain such data. In other words, to put a twist on another saying, and I quote, "If it's not there, they won't come."
For more on this, please check out the following:
PCI Security Standards Council
David Hogan's Letter