Merchants have asked the group that oversees the credit card industry's data security standard to modify its requirements on account data that must be stored after a transaction.
The National Retail Federation submitted a letter Wednesday to the Payment Card Industry Security Standards Council, which manages the PCI data security standard, recommending that merchants store only the authorization codes for transactions, rather than the full account numbers that many store today in case they are needed for a customer chargeback.
The merchant trade group said card companies' rules require them to retain the full number for transactions, which makes merchants a target for criminals.
However, the card companies said that storing the entire account number is not always necessary. In August, Visa Inc. published a memo that said "a merchant may mitigate their risk by storing only truncated account numbers," but also advised that "merchants should consult with their merchant bank before taking this action."
David Hogan, the National Retail Federation's senior vice president and chief information officer, said in his letter to the PCI council that it should be standard practice for merchants to keep data that is specific to the transaction, such as its authorization code, without needing to keep a full account number.
That practice alone would improve security, Mr. Hogan said in an interview.
"What this does is basically take away a lot of the incentive that a hacker might have," he said. If "there's not going to be large stores of credit card information, they might think twice about breaking in in the first place."
The key difference for hackers is that the authorization code cannot be used to make further purchases, but card account numbers can be.
"That card was swiped, it was validated, an authorization number came back, and as far as we're concerned, that is a valid transaction," Mr. Hogan said. After that, the account number "is just excess baggage that we're carrying along that really isn't necessary." And if merchants could reduce the amount of information they store, they may have a lighter burden under the PCI standard, he said.
"If you're not storing sensitive credit card information," he said, "then there's no reason to encrypt it, so I think all the guidelines around that would have to be reviewed."
Mr. Hogan said that his suggestion should be well received by merchants, and that updating their systems to store just authorization codes would require "from five days' to a couple of weeks' worth of work. It's not heavy lifting not to store something."
Though retailers store sensitive data besides card information, he said hackers would look elsewhere if merchants stopped storing account numbers. The problem "isn't that they're going after driver's license numbers" that some retailers store, he said. "They're going after credit card numbers."
He noted that if retailers no longer have account data, criminals could shift their attention to banks, but he said financial companies typically have stronger safeguards in place. "The banks already have the information anyway," he said, "so I think that whatever's going on is going on anyway and they're probably doing a very adequate job of securing it."
PCI council executives were not made available to comment.
Avivah Litan, a vice president and research director at the market research firm Gartner Inc., said the federation's letter echoes what she has heard from many merchants.
"The retailers I talk to, they honestly are looking for ways to get rid of keeping credit card numbers, and they're stuck because of the chargeback," Ms. Litan said.
She said some companies have considered less permissive refund policies, which could shorten the amount of time that retailers must retain transaction data.
She said that though she agreed it would be easy for retailers to stop storing data, such changes could entail much more work if bank systems required the data.
Still, shifting hacker attention away from retailers should bolster security overall, Ms. Litan said. "The banks, as a whole, have stronger security than the retailers."