Making Credit-Card Payments More Secure By Making Breaches More Expensive
from the aligning-incentives dept
It seems that hardly a month goes by without news of yet another credit-card data breach. Based on this, it seems fairly clear that the industry largely sees these breaches and the fallout from them as a cost of doing business, and one that’s preferable to the cost of securing and monitoring their systems effectively. The industry has come up with a security compliance framework, but such rules have a history of being ignored. Even if they aren’t ignored, though, they’re so full of loopholes that they’re fairly worthless. As the original poster, Andrew Conry-Murray, puts it, “It’s not about security. It’s about an industry covering its ass.” Basically, the compliance system exists not to truly protect data, but rather to ward off government intervention.
Conry-Murray’s contention is that the compliance system is far too easy to game, particularly because it only checks companies’ systems once per year. His suggestion is to force all merchants and processors to comply, and check their systems regularly. Companies could opt out, but by doing so, they would be agreeing to significantly higher fees and penalties in the case of a breach. As he notes, these fees would have to be high enough to where they would make devoting more resources to security a more desirable option. This idea, and indeed any that dramatically increases the cost of breaches, is worth mulling over as a way to encourage companies to increase their security. As long as the fallout from data breaches isn’t enough to make companies sit up and take notice — and change their behavior — there won’t be any real change.
Filed Under: credit cards, security breach
Comments on “Making Credit-Card Payments More Secure By Making Breaches More Expensive”
Who actually pays?
Just remember, if you force companies to spend more either for enhanced security or fines, they will just pass it along…
I am suspicious that if the current cost of breaches was higher than the cost to prevent the breaches (if this is even possible) then companies would probably spend more for prevention. Thus you want costs to go up and thus our costs for using credit to go up. There is no free lunch.
And lastly, large companies can more easily afford the cost to secure their systems, so I assume the affect of your proposal would be to destroy lots of small businesses.
Re: Who actually pays?
agreed. No matter what the costs are, even when those costs get passed to consumers…breaches will still happen. I think the focus should be in giving consumers more tools once their info is out there.
Another fee
Fees? That would not do much.
Make them personally responsible for the costs, starting at the top.
the problem is:
the companies only loose Pr when it looses its data its there customers that are at risk, so they don’t really care.
My experience with the credit card companies (Visa/MC) was that they were dead serious about compliance. They put us through the ringer. I think that saying merchants are only warding off trouble and aren’t serious about preventing breaches is more to the point.
But that’s not saying merchants are evil. It’s just that our representatives haven’t gotten the risk-reward set right.
If the card companies would spend the effort to insure transactions are encrypted from swipe to their processes then card numbers would not be at risk.
Even more so,if PIN was required on all transactions and the signature based authorization was eliminated then fraudulent transactions could be eliminated.
The risk to a merchant is high, fines upto 500,000 and non compliance fees upto 125,000 per year.
The PCI DSS compliance is as good as anyother security standard. If done it helps.
The evil here is the VISA and Master Cards of the world. Encrypt, it is VISA and MC fault that the transaction is not encrypted.
Already being done
My company was contacted by a third party which was contracted by our cc processor. We were required to go to a website and answer a bunch of questions about our policies.
If we did not we would have been faced with higher processing fees.
The lame thing about this, is that it is a self reported very basic 10 question online quiz which you can take as many times as you need to to pass.
I wonder how many people are going to get the correct answers in spite of their actual policies in order to avoid the higher fee?
Credit card problems
While I basically agree, I don’t agree.
If a foodstuff poses a hazard, even a very long possible risk, such as “it might cause cancer”, we have the FDA proactively checking them out, visiting, taking samples, etc. (well, before Bush savaged their budget, anyway).
Losing all your money, etc., is a FAR greater health risk, in many cases, but we talk about relatively weak, ineffectual methods, even “voluntary” compliance.
Why not an FDA-like agency to put some teeth in this (after we undo the damage to the FDA done by Bush and Cheney)?
Credit card problems
While I basically agree, I don’t agree.
If a foodstuff poses a hazard, even a very long possible risk, such as “it might cause cancer”, we have the FDA proactively checking them out, visiting, taking samples, etc. (well, before Bush savaged their budget, anyway).
Losing all your money, etc., is a FAR greater health risk, in many cases, but we talk about relatively weak, ineffectual methods, even “voluntary” compliance.
Why not an FDA-like agency to put some teeth in this (after we undo the damage to the FDA done by Bush and Cheney)?
Re: Credit card problems
Peanuts