Neither Banks Nor Retailers Want To Spend Money On Credit Card Security

from the it's-not-our-money dept

Banks and retailers continue their back-and-forth argument (via Payments News) over who should bear the burden of implementing new security guidelines handed down by credit-card companies. Retailers complain that they’re having to shell out, while banks fire back that they’re not the ones whose lack of compliance with security standards are contributing to breaches and data leaks. The incompetence of some retailers, in terms of security, is pretty astounding, and it seems fairly clear that they should implement better protections, particularly since it’s the banks that get left holding the bag after breaches and fraud. Collectively, it sounds like both sides are trying to pass the buck, and get away with doing as little as possible under the standards the credit-card companies set. Those standards, then, don’t sound like they’re enforced particularly stringently, and they’re backed up with meaningless fines. For instance, an AT&T exec says Visa has threatened the company with paltry fines of $25,000 per month for not complying with new standards. The problem here seems to be a focus on compliance, though, rather than security. The issue doesn’t seem to be creating secure systems to reduce risk, but rather spending as little money as possible to get in compliance with a set of standards, with little regard for the efficacy of the standards themselves.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Neither Banks Nor Retailers Want To Spend Money On Credit Card Security”

Subscribe: RSS Leave a comment
Anonymous of Course says:

Re:Cash only

Often the contact with the card company forbids
merchants from offering reduced prices for cash

As long as the consumer pays for the losses, why
should they care? They just pass the expense on
down the line.

I think the card companies and banks will only
care about security when customers start taking
their business to those of them who provide

Fidelity lost a laptop with my retirement data
on it a while ago. As compensation I received
free credit monitoring for a year. BFD. So
I went to my local bank and discovered they really
don’t have much in the way of security and the
best I could do was request they password protect
my accounts. I find the tellers rarely ask for
the password even though they should.

Michael Kohne says:

Security Standards & Why compliance...

Some of the security standards are at

The reason there is a big focus on compliance is that retailers actually understand compliance (big companies all understand, for instance, compliance with Sarbanes-Oxley).

Getting a large corporation to actually care about protecting account data is generally impossible from the outside. So the best the card companies can do is to come up with a set of rules (most of which should have been obvious to anyone with a brain) and then shove them down the retailer’s and processor’s throats.

Any retailer that already cared about protecting account numbers already had most of this in place. And the ones that didn’t just have to be beaten until they do the right thing, even if they don’t care.

Most of the stuff in the standards are NOT that hard (heck, half of the standard boils down to ‘do not store data you don’t need, and if you need it, encrypt it’ and ‘oh yea, don’t run your cards unencrypted over the public wi-fi network’).

Anonymous Coward says:

Re: Security Standards & Why compliance...

Our internal security guy keeps telling us that encryption is not considered a “compensating control” – in other words, encryption may make us (a MAJOR US merchant – around a million transactions per day on a slow day) feel good, but it isn’t truly contributing to whether or not we are compliant with the PCI standards.

Andy says:

The banks are not responsible for fraud, the merchants are, especially when it comes to on-line retailers, who are not able to collect signatures and other means of verification that the credit card companies require in cases of fraud resolution. Fraud cases are usually dealt with through arbitration between the credit card companies and the merchant, and the cost to recover fraud costs can often outweight the fraud amount to begin with. Many retailers only go after really big fraudulent orders attempting to recover funds from the credit card companies who authorized the sale to begin with.

Additionally, the industry standard security practices for retailers to follow, as outlined by the credit card companies, are a joke. They are composed of a series of yes/no questions, and if you answer no to any one of them, you are not compliant. But the questions are ambiguous, so retailers end up taking an defensible position on their “yes” answer rather than actually implementing good security policies. The compliance statements are really just a CYA measure by the credit card companies to make it look like they are doing something.

Andy says:

Agreed, Michael, the security standards are not that hard to comply with, as the two examples you point out demonstrate. However, what these standards fail to realize is that technical limitations rarely have anything to do with fraud or breaches. One of the requirements, if I remember correctly, is “make sure no one who shouldn’t have access to credit card data doesn’t”. This fails to recognize that much fraud is perpetrated as inside jobs — effectively, an entire call center is allowed to have access to credit card data as they are taking orders. In many cases, this is the majority of the company. Stealing customer info is much easier by getting a job in a call center than it is to break into a network.

Lawrence D'Oliveiro says:

PCI compliance

I recently had to go through the PCI compliance exercise with a client. A few of the questions didn’t make sense, and for these I put “N/A” answers with an explanation of why they didn’t make sense, e.g.

Is the firewall configured to translate (hide) internal IP addresses, using network address translation (NAT)?

to which I replied

N/A — NAT is not a security mechanism.

They were happy enough to accept that.

Steve R. (profile) says:

Fraud is not Costing them Enough Yet

Given the ubiquitousness of keypad devices for entering a pin number I am surprised that the credit card companies don’t implement this at the point-of-sale for purchases. It would reduce casual theft resulting from lost cards. The only reason that I can come-up with is that the credit card companies must believe that it would cost them more than the theft involved.

Shafted says:

Consumers will pay for it...again

The consumer will ultimately pay the price for security. They always have and always will. It doesn’t matter if the retailer, banks or the card issuers end up writing out the check for security measures, ultimately, that check will be paid for via increased prices, fees or interest. Get used to it….anything that is an expense for any of the three gets paid for by the consumer.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...