Making Credit-Card Payments More Secure By Making Breaches More Expensive
from the aligning-incentives dept
It seems that hardly a month goes by without news of yet another credit-card data breach. Based on this, it seems fairly clear that the industry largely sees these breaches and the fallout from them as a cost of doing business, and one that's preferable to the cost of securing and monitoring their systems effectively. The industry has come up with a security compliance framework, but such rules have a history of being ignored. Even if they aren't ignored, though, they're so full of loopholes that they're fairly worthless. As the original poster, Andrew Conry-Murray, puts it, "It's not about security. It's about an industry covering its ass." Basically, the compliance system exists not to truly protect data, but rather to ward off government intervention.Conry-Murray's contention is that the compliance system is far too easy to game, particularly because it only checks companies' systems once per year. His suggestion is to force all merchants and processors to comply, and check their systems regularly. Companies could opt out, but by doing so, they would be agreeing to significantly higher fees and penalties in the case of a breach. As he notes, these fees would have to be high enough to where they would make devoting more resources to security a more desirable option. This idea, and indeed any that dramatically increases the cost of breaches, is worth mulling over as a way to encourage companies to increase their security. As long as the fallout from data breaches isn't enough to make companies sit up and take notice -- and change their behavior -- there won't be any real change.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: credit cards, security breach
Reader Comments
Subscribe: RSS
View by: Time | Thread
Who actually pays?
I am suspicious that if the current cost of breaches was higher than the cost to prevent the breaches (if this is even possible) then companies would probably spend more for prevention. Thus you want costs to go up and thus our costs for using credit to go up. There is no free lunch.
And lastly, large companies can more easily afford the cost to secure their systems, so I assume the affect of your proposal would be to destroy lots of small businesses.
[ link to this | view in chronology ]
Re: Who actually pays?
[ link to this | view in chronology ]
Another fee
Make them personally responsible for the costs, starting at the top.
[ link to this | view in chronology ]
the companies only loose Pr when it looses its data its there customers that are at risk, so they don't really care.
[ link to this | view in chronology ]
But that's not saying merchants are evil. It's just that our representatives haven't gotten the risk-reward set right.
[ link to this | view in chronology ]
Even more so,if PIN was required on all transactions and the signature based authorization was eliminated then fraudulent transactions could be eliminated.
The risk to a merchant is high, fines upto 500,000 and non compliance fees upto 125,000 per year.
The PCI DSS compliance is as good as anyother security standard. If done it helps.
The evil here is the VISA and Master Cards of the world. Encrypt, it is VISA and MC fault that the transaction is not encrypted.
[ link to this | view in chronology ]
Already being done
If we did not we would have been faced with higher processing fees.
The lame thing about this, is that it is a self reported very basic 10 question online quiz which you can take as many times as you need to to pass.
I wonder how many people are going to get the correct answers in spite of their actual policies in order to avoid the higher fee?
[ link to this | view in chronology ]
Credit card problems
If a foodstuff poses a hazard, even a very long possible risk, such as "it might cause cancer", we have the FDA proactively checking them out, visiting, taking samples, etc. (well, before Bush savaged their budget, anyway).
Losing all your money, etc., is a FAR greater health risk, in many cases, but we talk about relatively weak, ineffectual methods, even "voluntary" compliance.
Why not an FDA-like agency to put some teeth in this (after we undo the damage to the FDA done by Bush and Cheney)?
[ link to this | view in chronology ]
Credit card problems
If a foodstuff poses a hazard, even a very long possible risk, such as "it might cause cancer", we have the FDA proactively checking them out, visiting, taking samples, etc. (well, before Bush savaged their budget, anyway).
Losing all your money, etc., is a FAR greater health risk, in many cases, but we talk about relatively weak, ineffectual methods, even "voluntary" compliance.
Why not an FDA-like agency to put some teeth in this (after we undo the damage to the FDA done by Bush and Cheney)?
[ link to this | view in chronology ]
Re: Credit card problems
[ link to this | view in chronology ]