Jun 22 2009
The representatives of the National Retail Federation and other associations sent a letter to Bob Russo of the PCI Council on June 8th. While the letter makes a couple of interesting points, it’s mostly smoke and mirrors meant to draw attention away from the fact that many merchants don’t want to spend the time and money to become PCI compliant. Request number five really bothers me because the NRF is asking the PCI Council to quit requiring merchants to retain credit card information for potential charge backs. There’s only one problem with that: the PCI Council has no control over what data a merchant has to keep for charge backs; it’s entirely between the acquiring bank and the merchant. The rest of the requests by the NRF also have logical weaknesses that I just don’t have the time to chew up and spit out properly.
Update: Anton had the time and guts to do what I didn’t, which is tear apart the letter to the PCI Council. I do like how he questions the mention of Sarbanes-Oxley as a positive example of how regulation should work.