Judge Ignores Supreme Court Patent Instructions While Making WiFi Devices A Lot More Expensive

Neither Banks Nor Retailers Want To Spend Money On Credit Card Security

from the it's-not-our-money dept

Thu, Jun 21st 2007 9:48am — Carlo Longino

Banks and retailers continue their back-and-forth argument (via Payments News) over who should bear the burden of implementing new security guidelines handed down by credit-card companies. Retailers complain that they're having to shell out, while banks fire back that they're not the ones whose lack of compliance with security standards are contributing to breaches and data leaks. The incompetence of some retailers, in terms of security, is pretty astounding, and it seems fairly clear that they should implement better protections, particularly since it's the banks that get left holding the bag after breaches and fraud. Collectively, it sounds like both sides are trying to pass the buck, and get away with doing as little as possible under the standards the credit-card companies set. Those standards, then, don't sound like they're enforced particularly stringently, and they're backed up with meaningless fines. For instance, an AT&T exec says Visa has threatened the company with paltry fines of $25,000 per month for not complying with new standards. The problem here seems to be a focus on compliance, though, rather than security. The issue doesn't seem to be creating secure systems to reduce risk, but rather spending as little money as possible to get in compliance with a set of standards, with little regard for the efficacy of the standards themselves.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

No Brainer, 21 Jun 2007 @ 10:19am

Customers are not shopping at the bank!
They're shopping at retailers and it is those retailers that want the customers to shop that need to take steps to secure data.
[ link to this | view in chronology ]
Peter, 21 Jun 2007 @ 10:19am

Cash only
Let this be a lesson to us all about why it is a good idea to pay with cash. What ever happened to differential pricing for cash and credit purchases, by the way?
[ link to this | view in chronology ]
Chris Maresca, 21 Jun 2007 @ 10:24am

Part of the problem...
... and I've been told this by a bunch of bank executives, is that the banks don't care about credit card theft as accounts are insured and there is ZERO impact on them.

Chris.
[ link to this | view in chronology ]
Anonymous of Course, 21 Jun 2007 @ 11:00am

Re:Cash only
Often the contact with the card company forbids
merchants from offering reduced prices for cash
purchases.

As long as the consumer pays for the losses, why
should they care? They just pass the expense on
down the line.

I think the card companies and banks will only
care about security when customers start taking
their business to those of them who provide
security.

Fidelity lost a laptop with my retirement data
on it a while ago. As compensation I received
free credit monitoring for a year. BFD. So
I went to my local bank and discovered they really
don't have much in the way of security and the
best I could do was request they password protect
my accounts. I find the tellers rarely ask for
the password even though they should.
[ link to this | view in chronology ]
Michael Kohne, 21 Jun 2007 @ 11:18am

Security Standards & Why compliance...
Some of the security standards are at https://www.pcisecuritystandards.org/

The reason there is a big focus on compliance is that retailers actually understand compliance (big companies all understand, for instance, compliance with Sarbanes-Oxley).

Getting a large corporation to actually care about protecting account data is generally impossible from the outside. So the best the card companies can do is to come up with a set of rules (most of which should have been obvious to anyone with a brain) and then shove them down the retailer's and processor's throats.

Any retailer that already cared about protecting account numbers already had most of this in place. And the ones that didn't just have to be beaten until they do the right thing, even if they don't care.

Most of the stuff in the standards are NOT that hard (heck, half of the standard boils down to 'do not store data you don't need, and if you need it, encrypt it' and 'oh yea, don't run your cards unencrypted over the public wi-fi network').
[ link to this | view in chronology ]
- Anonymous Coward, 21 Jun 2007 @ 7:11pm
  
  Re: Security Standards & Why compliance...
  Our internal security guy keeps telling us that encryption is not considered a "compensating control" - in other words, encryption may make us (a MAJOR US merchant - around a million transactions per day on a slow day) feel good, but it isn't truly contributing to whether or not we are compliant with the PCI standards.
  [ link to this | view in chronology ]
Andy, 21 Jun 2007 @ 11:25am

The banks are not responsible for fraud, the merchants are, especially when it comes to on-line retailers, who are not able to collect signatures and other means of verification that the credit card companies require in cases of fraud resolution. Fraud cases are usually dealt with through arbitration between the credit card companies and the merchant, and the cost to recover fraud costs can often outweight the fraud amount to begin with. Many retailers only go after really big fraudulent orders attempting to recover funds from the credit card companies who authorized the sale to begin with.

Additionally, the industry standard security practices for retailers to follow, as outlined by the credit card companies, are a joke. They are composed of a series of yes/no questions, and if you answer no to any one of them, you are not compliant. But the questions are ambiguous, so retailers end up taking an defensible position on their "yes" answer rather than actually implementing good security policies. The compliance statements are really just a CYA measure by the credit card companies to make it look like they are doing something.
[ link to this | view in chronology ]
Andy, 21 Jun 2007 @ 11:31am

Agreed, Michael, the security standards are not that hard to comply with, as the two examples you point out demonstrate. However, what these standards fail to realize is that technical limitations rarely have anything to do with fraud or breaches. One of the requirements, if I remember correctly, is "make sure no one who shouldn't have access to credit card data doesn't". This fails to recognize that much fraud is perpetrated as inside jobs -- effectively, an entire call center is allowed to have access to credit card data as they are taking orders. In many cases, this is the majority of the company. Stealing customer info is much easier by getting a job in a call center than it is to break into a network.
[ link to this | view in chronology ]
Mathias, 21 Jun 2007 @ 11:32am

WTF
Am I crazy to think that the CC Companies should shoulder the responsibility of implementing the added security? After all, aren't they the ones benefiting from use of their system?
[ link to this | view in chronology ]
Kyros, 21 Jun 2007 @ 1:18pm

I think anyone who has a databreach on their part is the one who needs to pay for it. Everyone needs to keep their part of the pipe in good condition and then we don't have these issues.
[ link to this | view in chronology ]
Overcast, 21 Jun 2007 @ 2:03pm

Perhaps people should just quit using them?

Not too many seem to recall the 'sales' pitches of the 70's and 80's - about 'how secure' credit cards 'are'.

Compare it to cash... how secure is it?
I have cash in my wallet - try to take it.... :)
[ link to this | view in chronology ]
Lawrence D'Oliveiro, 21 Jun 2007 @ 8:42pm

PCI compliance
I recently had to go through the PCI compliance exercise with a client. A few of the questions didn't make sense, and for these I put "N/A" answers with an explanation of why they didn't make sense, e.g.
Is the firewall configured to translate (hide) internal IP addresses, using network address translation (NAT)?

to which I replied
N/A -- NAT is not a security mechanism.

They were happy enough to accept that.
[ link to this | view in chronology ]
Steve R. (profile), 22 Jun 2007 @ 6:13am

Fraud is not Costing them Enough Yet
Given the ubiquitousness of keypad devices for entering a pin number I am surprised that the credit card companies don't implement this at the point-of-sale for purchases. It would reduce casual theft resulting from lost cards. The only reason that I can come-up with is that the credit card companies must believe that it would cost them more than the theft involved.
[ link to this | view in chronology ]
Shafted, 25 Jun 2007 @ 10:55am

Consumers will pay for it...again
The consumer will ultimately pay the price for security. They always have and always will. It doesn't matter if the retailer, banks or the card issuers end up writing out the check for security measures, ultimately, that check will be paid for via increased prices, fees or interest. Get used to it....anything that is an expense for any of the three gets paid for by the consumer.
[ link to this | view in chronology ]