This is page 2 of:
GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?
Fourth, the entire card brand fee structure includes fraud-loss components. The fees the merchants pay to process payments include this component and the issuer shares in this revenue stream along with the acquirer and the card brand.
OK, so that’s four paragraphs on just the first line of the post. Let’s move on. I’ll try to be more succinct.
Near the end of the second paragraph, the story touches on “asking Congress to step in and hold breached retailers and processors accountable when their lax security practices result in the leakage of card data.” The blind leading the blind comes to mind here (or maybe the blind asking the blind).
The credit unions here are making the same misassumption that the card brands make in regard to a breach and this is my biggest beef with how PCI is enforced. There is no such thing as 100 percent security. A breach in and of itself does not “lax security practices” make.
In fact, I would wager that many of the headline-making breach victims in recent memory had better security in place than many of the credit unions pushing for this legislation.
In the fifth paragraph we read, “Retailers need to take on more responsibility for the breaches they suffer.” Honestly, what world are these comments coming from? Are issuers so blind as to not have any clue what merchants are responsible and liable for? Let’s list a few applicable costs and liabilities that merchants face each day:
- Merchants pay discount rates that include fraud loss factors
- Merchants must be PCI compliant
- Merchants must purchase and properly configure routers and firewalls
- Merchants must only use properly configured, PA-DSS compliant and/or certified compliant point-of-sale software (and while PCI has been around for quite a few years, many POS providers still surcharge for this compliance in the form of “updates”)
- Merchants must train their staff on secure handling of payment data
- Merchants must take the time for annual SAQ preparation and submittal (time burner), and/or PCI scans (somewhat costly), and/or PCI assessments (costly)
- And heaven forbid, if a merchant is breached: Merchant receives the black eye, not the issuer; merchant has to reimburse the fines originally assessed from each card brand; merchant receives fines and penalties from local, state, and federal governments; merchant is open to lawsuits from cardholders looking to profit.
A (Flawed) 5-Point Plan
NAFCU is proposing a five-point plan for regulatory relief. The fifth point of this plan “21st Century Data Security Standards”is, frankly, ridiculous. It appears to have completely forgotten about PCI.
Point five calls for Congress to:
- Establish national standards for safekeeping of all financial information. Pretty sure PCI DSS has that covered.
- Establish enforcement standards for data security that prohibit merchants from retaining financial data, and require merchants to disclose their data security policies to customers. Again, PCI. While I’m not aware of any requirement for merchants to post their security policies, they do need to comply with PCI DSS 100% of the time (which is an impossibility, but that’s a post for another day) and PCI’s standards are publicly available.
- Hold merchants accountable for the costs of a data breach, especially when it was due to their own negligence; shift the burden of proof in data breach cases to the party that incurred a breach and require timely disclosures in the event of a breach. Once more, PCI’s got this covered. Oh, and the card brands go one step further and take negligence out of the equation. That’s right, NAFCU: they’ve already given you more than you even dreamed to ask for. If a merchant is breached, they are liable, negligent or not.
Now I’ll admit, I am confused by the “shift the burden of proof in data breach cases to the party that incurred a breach” part of this request. Proof of what? And what burden? Are they asking for the breached party that likely does not even know they were breached, to come forward and blindly admit they were breached? That needs some rethinking.
In the fourth paragraph of this section, the story says: “the PCI-DSS clearly prohibits the storing of card data.” No, they don’t. PCI DSS clearly prohibits the storing of unencrypted card data. Small change, but there’s a major difference there.
-Marc
June 17th, 2013 at 12:17 pm
As the foremost global organization that fully supports and promotes operational excellence for fraud, security, risk and payment professionals within eCommerce, we agree with the majority of your editorial. However, to clarify, issuers are NOT the only players who detect fraud or breaches. Many eCommerce/CNP merchants have made a significant investment, not just in data security but also in fraud recognition and prevention tools to detect fraudulent activity and purchases prior to delivery of goods or settlement of the transaction. I do not want to down play the role of issuers and instead would characterize the environment as collaborative between both parties. Happy to provide you with additional information at your leisure.
Karisse Hendrick
Merchant Risk Council
June 17th, 2013 at 1:21 pm
Good point. My mindset was focused on breach and breach prevention costs. I knew I was missing additional merchant costs but I was experiencing writers block in that section of the post. I briefly touched on this topic with my reference to “little or no liability for these fraudulent card-not-present transactions,” but I did not specify the additional costs to the merchants beyond chargebacks and service/merchandise loss.