Making Credit-Card Payments More Secure By Making Breaches More Expensive

from the aligning-incentives dept

It seems that hardly a month goes by without news of yet another credit-card data breach. Based on this, it seems fairly clear that the industry largely sees these breaches and the fallout from them as a cost of doing business, and one that's preferable to the cost of securing and monitoring their systems effectively. The industry has come up with a security compliance framework, but such rules have a history of being ignored. Even if they aren't ignored, though, they're so full of loopholes that they're fairly worthless. As the original poster, Andrew Conry-Murray, puts it, "It's not about security. It's about an industry covering its ass." Basically, the compliance system exists not to truly protect data, but rather to ward off government intervention.

Conry-Murray's contention is that the compliance system is far too easy to game, particularly because it only checks companies' systems once per year. His suggestion is to force all merchants and processors to comply, and to check their systems regularly. Companies could opt out, but by doing so they would be agreeing to significantly higher fees and penalties in the case of a breach. As he notes, these fees would have to be high enough that devoting more resources to security becomes the more desirable option. This idea, and indeed any that dramatically increases the cost of breaches, is worth mulling over as a way to encourage companies to improve their security. As long as the fallout from data breaches isn't enough to make companies sit up and take notice -- and change their behavior -- there won't be any real change.

Filed Under: credit cards, security breach


Reader Comments



  • NormD, 4 Mar 2009 @ 6:02pm

    Who actually pays?

    Just remember, if you force companies to spend more either for enhanced security or fines, they will just pass it along...

    I am suspicious that if the current cost of breaches was higher than the cost to prevent the breaches (if this is even possible) then companies would probably spend more for prevention. Thus you want costs to go up and thus our costs for using credit to go up. There is no free lunch.

    And lastly, large companies can more easily afford the cost to secure their systems, so I assume the effect of your proposal would be to destroy lots of small businesses.


    • AL, 4 Mar 2009 @ 8:18pm

      Re: Who actually pays?

      Agreed. No matter what the costs are, even when those costs get passed to consumers... breaches will still happen. I think the focus should be on giving consumers more tools once their info is out there.


  • Paying too much already, 4 Mar 2009 @ 6:27pm

    Another fee

    Fees? That would not do much.
    Make them personally responsible for the costs, starting at the top.


  • Anonymous Coward, 4 Mar 2009 @ 7:35pm

    The problem is:
    the companies only lose PR when they lose their data; it's their customers that are at risk, so they don't really care.


  • Anonymous Coward, 5 Mar 2009 @ 4:32am

    My experience with the credit card companies (Visa/MC) was that they were dead serious about compliance. They put us through the wringer. I think that saying merchants are only warding off trouble and aren't serious about preventing breaches is more to the point.

    But that's not saying merchants are evil. It's just that our representatives haven't gotten the risk-reward set right.


  • merchant, 5 Mar 2009 @ 6:35am

    If the card companies would spend the effort to ensure transactions are encrypted from swipe to their processes, then card numbers would not be at risk.

    Even more so, if a PIN was required on all transactions and signature-based authorization was eliminated, then fraudulent transactions could be eliminated.

    The risk to a merchant is high: fines up to 500,000 and non-compliance fees up to 125,000 per year.

    PCI DSS compliance is as good as any other security standard. If done, it helps.

    The evil here is the VISAs and MasterCards of the world. Encrypt; it is VISA and MC's fault that the transaction is not encrypted.


  • Powertoaster, 5 Mar 2009 @ 8:11am

    Already being done

    My company was contacted by a third party which was contracted by our cc processor. We were required to go to a website and answer a bunch of questions about our policies.

    If we did not we would have been faced with higher processing fees.

    The lame thing about this is that it is a self-reported, very basic 10-question online quiz which you can take as many times as you need to pass.

    I wonder how many people are going to get the correct answers in spite of their actual policies in order to avoid the higher fee?


  • Gene Cavanaugh, 5 Mar 2009 @ 11:16am

    Credit card problems

    While I basically agree, I don't agree.

    If a foodstuff poses a hazard, even a very long possible risk, such as "it might cause cancer", we have the FDA proactively checking them out, visiting, taking samples, etc. (well, before Bush savaged their budget, anyway).

    Losing all your money, etc., is a FAR greater health risk, in many cases, but we talk about relatively weak, ineffectual methods, even "voluntary" compliance.

    Why not an FDA-like agency to put some teeth in this (after we undo the damage to the FDA done by Bush and Cheney)?

