Neither Banks Nor Retailers Want To Spend Money On Credit Card Security
from the it's-not-our-money dept
Banks and retailers continue their back-and-forth argument (via Payments News) over who should bear the burden of implementing new security guidelines handed down by credit-card companies. Retailers complain that they’re having to shell out, while banks fire back that they’re not the ones whose lack of compliance with security standards are contributing to breaches and data leaks. The incompetence of some retailers, in terms of security, is pretty astounding, and it seems fairly clear that they should implement better protections, particularly since it’s the banks that get left holding the bag after breaches and fraud. Collectively, it sounds like both sides are trying to pass the buck, and get away with doing as little as possible under the standards the credit-card companies set. Those standards, then, don’t sound like they’re enforced particularly stringently, and they’re backed up with meaningless fines. For instance, an AT&T exec says Visa has threatened the company with paltry fines of $25,000 per month for not complying with new standards. The problem here seems to be a focus on compliance, though, rather than security. The issue doesn’t seem to be creating secure systems to reduce risk, but rather spending as little money as possible to get in compliance with a set of standards, with little regard for the efficacy of the standards themselves.
Comments on “Neither Banks Nor Retailers Want To Spend Money On Credit Card Security”
Customers are not shopping at the bank!
They’re shopping at retailers and it is those retailers that want the customers to shop that need to take steps to secure data.
Cash only
Let this be a lesson to us all about why it is a good idea to pay with cash. What ever happened to differential pricing for cash and credit purchases, by the way?
Part of the problem...
… and I’ve been told this by a bunch of bank executives, is that the banks don’t care about credit card theft as accounts are insured and there is ZERO impact on them.
Chris.
Re:Cash only
Often the contact with the card company forbids
merchants from offering reduced prices for cash
purchases.
As long as the consumer pays for the losses, why
should they care? They just pass the expense on
down the line.
I think the card companies and banks will only
care about security when customers start taking
their business to those of them who provide
security.
Fidelity lost a laptop with my retirement data
on it a while ago. As compensation I received
free credit monitoring for a year. BFD. So
I went to my local bank and discovered they really
don’t have much in the way of security and the
best I could do was request they password protect
my accounts. I find the tellers rarely ask for
the password even though they should.
Security Standards & Why compliance...
Some of the security standards are at https://www.pcisecuritystandards.org/
The reason there is a big focus on compliance is that retailers actually understand compliance (big companies all understand, for instance, compliance with Sarbanes-Oxley).
Getting a large corporation to actually care about protecting account data is generally impossible from the outside. So the best the card companies can do is to come up with a set of rules (most of which should have been obvious to anyone with a brain) and then shove them down the retailer’s and processor’s throats.
Any retailer that already cared about protecting account numbers already had most of this in place. And the ones that didn’t just have to be beaten until they do the right thing, even if they don’t care.
Most of the stuff in the standards are NOT that hard (heck, half of the standard boils down to ‘do not store data you don’t need, and if you need it, encrypt it’ and ‘oh yea, don’t run your cards unencrypted over the public wi-fi network’).
Re: Security Standards & Why compliance...
Our internal security guy keeps telling us that encryption is not considered a “compensating control” – in other words, encryption may make us (a MAJOR US merchant – around a million transactions per day on a slow day) feel good, but it isn’t truly contributing to whether or not we are compliant with the PCI standards.
The banks are not responsible for fraud, the merchants are, especially when it comes to on-line retailers, who are not able to collect signatures and other means of verification that the credit card companies require in cases of fraud resolution. Fraud cases are usually dealt with through arbitration between the credit card companies and the merchant, and the cost to recover fraud costs can often outweight the fraud amount to begin with. Many retailers only go after really big fraudulent orders attempting to recover funds from the credit card companies who authorized the sale to begin with.
Additionally, the industry standard security practices for retailers to follow, as outlined by the credit card companies, are a joke. They are composed of a series of yes/no questions, and if you answer no to any one of them, you are not compliant. But the questions are ambiguous, so retailers end up taking an defensible position on their “yes” answer rather than actually implementing good security policies. The compliance statements are really just a CYA measure by the credit card companies to make it look like they are doing something.
Agreed, Michael, the security standards are not that hard to comply with, as the two examples you point out demonstrate. However, what these standards fail to realize is that technical limitations rarely have anything to do with fraud or breaches. One of the requirements, if I remember correctly, is “make sure no one who shouldn’t have access to credit card data doesn’t”. This fails to recognize that much fraud is perpetrated as inside jobs — effectively, an entire call center is allowed to have access to credit card data as they are taking orders. In many cases, this is the majority of the company. Stealing customer info is much easier by getting a job in a call center than it is to break into a network.
WTF
Am I crazy to think that the CC Companies should shoulder the responsibility of implementing the added security? After all, aren’t they the ones benefiting from use of their system?
I think anyone who has a databreach on their part is the one who needs to pay for it. Everyone needs to keep their part of the pipe in good condition and then we don’t have these issues.
Perhaps people should just quit using them?
Not too many seem to recall the ‘sales’ pitches of the 70’s and 80’s – about ‘how secure’ credit cards ‘are’.
Compare it to cash… how secure is it?
I have cash in my wallet – try to take it…. 🙂
PCI compliance
I recently had to go through the PCI compliance exercise with a client. A few of the questions didn’t make sense, and for these I put “N/A” answers with an explanation of why they didn’t make sense, e.g.
to which I replied
They were happy enough to accept that.
Fraud is not Costing them Enough Yet
Given the ubiquitousness of keypad devices for entering a pin number I am surprised that the credit card companies don’t implement this at the point-of-sale for purchases. It would reduce casual theft resulting from lost cards. The only reason that I can come-up with is that the credit card companies must believe that it would cost them more than the theft involved.
Consumers will pay for it...again
The consumer will ultimately pay the price for security. They always have and always will. It doesn’t matter if the retailer, banks or the card issuers end up writing out the check for security measures, ultimately, that check will be paid for via increased prices, fees or interest. Get used to it….anything that is an expense for any of the three gets paid for by the consumer.