by Carlo Longino

Neither Banks Nor Retailers Want To Spend Money On Credit Card Security

from the it's-not-our-money dept

Banks and retailers continue their back-and-forth argument (via Payments News) over who should bear the burden of implementing new security guidelines handed down by credit-card companies. Retailers complain that they're having to shell out, while banks fire back that they're not the ones whose lack of compliance with security standards is contributing to breaches and data leaks. The security incompetence of some retailers is pretty astounding, and it seems fairly clear that they should implement better protections, particularly since it's the banks that get left holding the bag after breaches and fraud. Collectively, it sounds like both sides are trying to pass the buck and get away with doing as little as possible under the standards the credit-card companies set. Those standards, then, don't sound like they're enforced particularly stringently, and they're backed up with meaningless fines. For instance, an AT&T exec says Visa has threatened the company with paltry fines of $25,000 per month for not complying with new standards. The real problem here seems to be a focus on compliance rather than security: the goal isn't creating secure systems that reduce risk, but spending as little money as possible to get in compliance with a set of standards, with little regard for the efficacy of the standards themselves.

Reader Comments


  • No Brainer, 21 Jun 2007 @ 10:19am

    Customers are not shopping at the bank!

    They're shopping at retailers and it is those retailers that want the customers to shop that need to take steps to secure data.


  • Peter, 21 Jun 2007 @ 10:19am

    Cash only

    Let this be a lesson to us all about why it is a good idea to pay with cash. What ever happened to differential pricing for cash and credit purchases, by the way?


  • Chris Maresca, 21 Jun 2007 @ 10:24am

    Part of the problem...

    ... and I've been told this by a bunch of bank executives, is that the banks don't care about credit card theft as accounts are insured and there is ZERO impact on them.



  • Anonymous of Course, 21 Jun 2007 @ 11:00am

    Re:Cash only

    Often the contract with the card company forbids merchants from offering reduced prices for cash.

    As long as the consumer pays for the losses, why should they care? They just pass the expense on down the line.

    I think the card companies and banks will only care about security when customers start taking their business to those of them who provide

    Fidelity lost a laptop with my retirement data on it a while ago. As compensation I received free credit monitoring for a year. BFD. So I went to my local bank and discovered they really don't have much in the way of security, and the best I could do was request they password protect my accounts. I find the tellers rarely ask for the password even though they should.


  • Michael Kohne, 21 Jun 2007 @ 11:18am

    Security Standards & Why compliance...

    Some of the security standards are at https://www.pcisecuritystandards.org/

    The reason there is a big focus on compliance is that retailers actually understand compliance (big companies all understand, for instance, compliance with Sarbanes-Oxley).

    Getting a large corporation to actually care about protecting account data is generally impossible from the outside. So the best the card companies can do is to come up with a set of rules (most of which should have been obvious to anyone with a brain) and then shove them down the retailer's and processor's throats.

    Any retailer that already cared about protecting account numbers already had most of this in place. And the ones that didn't just have to be beaten until they do the right thing, even if they don't care.

    Most of the stuff in the standards is NOT that hard (heck, half of the standard boils down to 'do not store data you don't need, and if you need it, encrypt it' and 'oh yeah, don't run your cards unencrypted over the public wi-fi network').


    • Anonymous Coward, 21 Jun 2007 @ 7:11pm

      Re: Security Standards & Why compliance...

      Our internal security guy keeps telling us that encryption is not considered a "compensating control" - in other words, encryption may make us (a MAJOR US merchant - around a million transactions per day on a slow day) feel good, but it isn't truly contributing to whether or not we are compliant with the PCI standards.


  • Andy, 21 Jun 2007 @ 11:25am

    The banks are not responsible for fraud, the merchants are, especially when it comes to on-line retailers, who are not able to collect signatures and other means of verification that the credit card companies require in cases of fraud resolution. Fraud cases are usually dealt with through arbitration between the credit card companies and the merchant, and the cost to recover fraud costs can often outweigh the fraud amount to begin with. Many retailers only go after really big fraudulent orders attempting to recover funds from the credit card companies who authorized the sale to begin with.

    Additionally, the industry standard security practices for retailers to follow, as outlined by the credit card companies, are a joke. They are composed of a series of yes/no questions, and if you answer no to any one of them, you are not compliant. But the questions are ambiguous, so retailers end up taking a defensible position on their "yes" answer rather than actually implementing good security policies. The compliance statements are really just a CYA measure by the credit card companies to make it look like they are doing something.


  • Andy, 21 Jun 2007 @ 11:31am

    Agreed, Michael, the security standards are not that hard to comply with, as the two examples you point out demonstrate. However, what these standards fail to realize is that technical limitations rarely have anything to do with fraud or breaches. One of the requirements, if I remember correctly, is "make sure no one who shouldn't have access to credit card data doesn't". This fails to recognize that much fraud is perpetrated as inside jobs -- effectively, an entire call center is allowed to have access to credit card data as they are taking orders. In many cases, this is the majority of the company. Stealing customer info is much easier by getting a job in a call center than it is to break into a network.


  • Mathias, 21 Jun 2007 @ 11:32am

    Am I crazy to think that the CC Companies should shoulder the responsibility of implementing the added security? After all, aren't they the ones benefiting from use of their system?


  • Kyros, 21 Jun 2007 @ 1:18pm

    I think anyone who has a data breach on their part is the one who needs to pay for it. Everyone needs to keep their part of the pipe in good condition and then we don't have these issues.


  • Overcast, 21 Jun 2007 @ 2:03pm

    Perhaps people should just quit using them?

    Not too many seem to recall the 'sales' pitches of the 70's and 80's - about 'how secure' credit cards 'are'.

    Compare it to cash... how secure is it?
    I have cash in my wallet - try to take it.... :)


  • Lawrence D'Oliveiro, 21 Jun 2007 @ 8:42pm

    PCI compliance

    I recently had to go through the PCI compliance exercise with a client. A few of the questions didn't make sense, and for these I put "N/A" answers with an explanation of why they didn't make sense, e.g.

    Is the firewall configured to translate (hide) internal IP addresses, using network address translation (NAT)?

    to which I replied

    N/A -- NAT is not a security mechanism.

    They were happy enough to accept that.


  • Steve R. (profile), 22 Jun 2007 @ 6:13am

    Fraud is not Costing them Enough Yet

    Given the ubiquitousness of keypad devices for entering a PIN, I am surprised that the credit card companies don't implement this at the point-of-sale for purchases. It would reduce casual theft resulting from lost cards. The only reason that I can come up with is that the credit card companies must believe that it would cost them more than the theft involved.


  • Shafted, 25 Jun 2007 @ 10:55am

    Consumers will pay for it...again

    The consumer will ultimately pay the price for security. They always have and always will. It doesn't matter if the retailer, banks or the card issuers end up writing out the check for security measures; ultimately, that check will be paid for via increased prices, fees or interest. Get used to it... anything that is an expense for any of the three gets paid for by the consumer.
