Neither Banks Nor Retailers Want To Spend Money On Credit Card Security
from the it's-not-our-money dept
Banks and retailers continue their back-and-forth argument (via Payments News) over who should bear the burden of implementing the new security guidelines handed down by the credit-card companies. Retailers complain that they're having to shell out, while banks fire back that they're not the ones whose lack of compliance with security standards is contributing to breaches and data leaks. The incompetence of some retailers when it comes to security is pretty astounding, and it seems fairly clear that they should implement better protections, particularly since it's the banks that get left holding the bag after breaches and fraud. Collectively, it sounds like both sides are trying to pass the buck and get away with doing as little as possible under the standards the credit-card companies set. Those standards, then, don't sound like they're enforced particularly stringently, and they're backed up with meaningless fines. For instance, an AT&T exec says Visa has threatened the company with paltry fines of $25,000 per month for not complying with the new standards. The problem here seems to be a focus on compliance rather than security. The issue doesn't seem to be creating secure systems to reduce risk, but rather spending as little money as possible to get in compliance with a set of standards, with little regard for the efficacy of the standards themselves.
Reader Comments
Customers are not shopping at the bank!
Cash only
Part of the problem...
Chris.
Re: Cash only
merchants from offering reduced prices for cash purchases.
As long as the consumer pays for the losses, why should they care? They just pass the expense on down the line.
I think the card companies and banks will only care about security when customers start taking their business to those of them who provide security.
Fidelity lost a laptop with my retirement data on it a while ago. As compensation I received free credit monitoring for a year. BFD. So I went to my local bank and discovered they really don't have much in the way of security and the best I could do was request they password protect my accounts. I find the tellers rarely ask for the password even though they should.
Security Standards & Why compliance...
The reason there is a big focus on compliance is that retailers actually understand compliance (big companies all understand, for instance, compliance with Sarbanes-Oxley).
Getting a large corporation to actually care about protecting account data is generally impossible from the outside. So the best the card companies can do is to come up with a set of rules (most of which should have been obvious to anyone with a brain) and then shove them down the retailers' and processors' throats.
Any retailer that already cared about protecting account numbers already had most of this in place. And the ones that didn't just have to be beaten until they do the right thing, even if they don't care.
Most of the stuff in the standards is NOT that hard (heck, half of the standard boils down to 'do not store data you don't need, and if you need it, encrypt it' and 'oh yeah, don't run your cards unencrypted over the public wi-fi network').
Re: Security Standards & Why compliance...
Additionally, the industry standard security practices for retailers to follow, as outlined by the credit card companies, are a joke. They are composed of a series of yes/no questions, and if you answer no to any one of them, you are not compliant. But the questions are ambiguous, so retailers end up taking a defensible position on their "yes" answer rather than actually implementing good security policies. The compliance statements are really just a CYA measure by the credit card companies to make it look like they are doing something.
WTF
Not too many seem to recall the 'sales' pitches of the '70s and '80s about 'how secure' credit cards 'are'.
Compare it to cash... how secure is it?
I have cash in my wallet - try to take it.... :)
PCI compliance
I recently had to go through the PCI compliance exercise with a client. A few of the questions didn't make sense, and for these I put "N/A" answers with an explanation of why they didn't make sense, e.g.
to which I replied
They were happy enough to accept that.
Fraud is not Costing them Enough Yet
Consumers will pay for it...again