Making Credit-Card Payments More Secure By Making Breaches More Expensive

from the aligning-incentives dept

It seems that hardly a month goes by without news of yet another credit-card data breach. Based on this, it seems fairly clear that the industry largely sees these breaches and the fallout from them as a cost of doing business, and one that's preferable to the cost of securing and monitoring their systems effectively. The industry has come up with a security compliance framework, but such rules have a history of being ignored. Even if they aren't ignored, though, they're so full of loopholes that they're fairly worthless. As the original poster, Andrew Conry-Murray, puts it, "It's not about security. It's about an industry covering its ass." Basically, the compliance system exists not to truly protect data, but rather to ward off government intervention.

Conry-Murray's contention is that the compliance system is far too easy to game, particularly because it only checks companies' systems once per year. His suggestion is to force all merchants and processors to comply, and check their systems regularly. Companies could opt out, but by doing so, they would be agreeing to significantly higher fees and penalties in the case of a breach. As he notes, these fees would have to be high enough to where they would make devoting more resources to security a more desirable option. This idea, and indeed any that dramatically increases the cost of breaches, is worth mulling over as a way to encourage companies to increase their security. As long as the fallout from data breaches isn't enough to make companies sit up and take notice -- and change their behavior -- there won't be any real change.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    NormD, Mar 4th, 2009 @ 6:02pm

    Who actually pays?

    Just remember, if you force companies to spend more either for enhanced security or fines, they will just pass it along...

    I am suspicious that if the current cost of breaches was higher than the cost to prevent the breaches (if this is even possible) then companies would probably spend more for prevention. Thus you want costs to go up and thus our costs for using credit to go up. There is no free lunch.

    And lastly, large companies can more easily afford the cost to secure their systems, so I assume the affect of your proposal would be to destroy lots of small businesses.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      AL, Mar 4th, 2009 @ 8:18pm

      Re: Who actually pays?

      agreed. No matter what the costs are, even when those costs get passed to consumers...breaches will still happen. I think the focus should be in giving consumers more tools once their info is out there.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Paying too much already, Mar 4th, 2009 @ 6:27pm

    Another fee

    Fees? That would not do much.
    Make them personally responsible for the costs, starting at the top.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Mar 4th, 2009 @ 7:35pm

    the problem is:
    the companies only loose Pr when it looses its data its there customers that are at risk, so they don't really care.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Mar 5th, 2009 @ 4:32am

    My experience with the credit card companies (Visa/MC) was that they were dead serious about compliance. They put us through the ringer. I think that saying merchants are only warding off trouble and aren't serious about preventing breaches is more to the point.

    But that's not saying merchants are evil. It's just that our representatives haven't gotten the risk-reward set right.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    merchant, Mar 5th, 2009 @ 6:35am

    If the card companies would spend the effort to insure transactions are encrypted from swipe to their processes then card numbers would not be at risk.

    Even more so,if PIN was required on all transactions and the signature based authorization was eliminated then fraudulent transactions could be eliminated.

    The risk to a merchant is high, fines upto 500,000 and non compliance fees upto 125,000 per year.

    The PCI DSS compliance is as good as anyother security standard. If done it helps.

    The evil here is the VISA and Master Cards of the world. Encrypt, it is VISA and MC fault that the transaction is not encrypted.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Powertoaster, Mar 5th, 2009 @ 8:11am

    Already being done

    My company was contacted by a third party which was contracted by our cc processor. We were required to go to a website and answer a bunch of questions about our policies.

    If we did not we would have been faced with higher processing fees.

    The lame thing about this, is that it is a self reported very basic 10 question online quiz which you can take as many times as you need to to pass.

    I wonder how many people are going to get the correct answers in spite of their actual policies in order to avoid the higher fee?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Gene Cavanaugh, Mar 5th, 2009 @ 11:16am

    Credit card problems

    While I basically agree, I don't agree.

    If a foodstuff poses a hazard, even a very long possible risk, such as "it might cause cancer", we have the FDA proactively checking them out, visiting, taking samples, etc. (well, before Bush savaged their budget, anyway).

    Losing all your money, etc., is a FAR greater health risk, in many cases, but we talk about relatively weak, ineffectual methods, even "voluntary" compliance.

    Why not an FDA-like agency to put some teeth in this (after we undo the damage to the FDA done by Bush and Cheney)?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Gene Cavanaugh, Mar 5th, 2009 @ 11:16am

    Credit card problems

    While I basically agree, I don't agree.

    If a foodstuff poses a hazard, even a very long possible risk, such as "it might cause cancer", we have the FDA proactively checking them out, visiting, taking samples, etc. (well, before Bush savaged their budget, anyway).

    Losing all your money, etc., is a FAR greater health risk, in many cases, but we talk about relatively weak, ineffectual methods, even "voluntary" compliance.

    Why not an FDA-like agency to put some teeth in this (after we undo the damage to the FDA done by Bush and Cheney)?

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This