This is page 3 of:
GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?
Now we come to the seventh paragraph in this section and—surprise—I fully agree, although I would like to add some personal color to the last sentence. “But there’s no uniformity to PCI audits, nor is there uniformity to how the qualified security assessors who perform the audits carry out their reviews.” Here at Shift4, our Director of Information Security, Stephen Ames, affectionately refers to QSAs as “snowflakes.” Not because they are cold or light and fluffy but because no two are alike. As hard as PCI SSC attempts to standardize the assessments, assessors are people, too. Much of what they do is subjective. And if you think government involvement will help this, I’d like to call your attention to IRS auditors. Enough said? Unfortunately, I’m not sure you’ll ever eliminate this factor from the equation.
All right, and now for the doozy: “Card issuers have to ensure they detect compromises as quickly as possible to limit their losses. As it is, issuing institutions are typically the first to identify an attack and link it to a breach.” Well, I should hope so since that is part of their job. Can you say risk management? Now something these banks seem to miss is that merchants pay them for risk management. Issuers want to just sit back and collect all the free-flowing money that magically appears, forgetting that some of it actually requires them to work.
One last point: “But merchants and processors should be investing in systems and technologies that help them better detect the attacks their networks suffer. The problem is, they have little incentive to do so.” The story called this one out as a key quote. I think they did it just to get me riled up. Honestly, I have no clue whatsoever where this came from. How can you claim merchants have little incentive to avoid breaches, the accompanying fines, and potentially damning tide of negative publicity and brand damage? I’m convinced it was either a massive oversight or a deliberate dig at merchants.
What are the banks and credit unions up to? If it’s so costly for them to offer these products, why do they continue offering them to their clients? Let me take a wild guess – because it’s profitable.
I frequent several forums that deal with payments and PCI. A recent post, made half in jest to an exasperated merchant, reminded us that “there is no law requiring merchants to accept credit or debit cards.” As much as I hate that advice, I guess it can apply here as well.
There is no law requiring banks or credit unions to offer credit and debit cards to their clients. But somehow, I don’t see that happening. They want to reap the financial benefits and allow someone else to shoulder the costs and the burdens of risk management. Keep dreaming, NAFCU.
June 17th, 2013 at 12:17 pm
As the foremost global organization that fully supports and promotes operational excellence for fraud, security, risk and payment professionals within eCommerce, we agree with the majority of your editorial. However, to clarify, issuers are NOT the only players who detect fraud or breaches. Many eCommerce/CNP merchants have made a significant investment, not just in data security but also in fraud recognition and prevention tools to detect fraudulent activity and purchases prior to delivery of goods or settlement of the transaction. I do not want to downplay the role of issuers and instead would characterize the environment as collaborative between both parties. Happy to provide you with additional information at your leisure.
Karisse Hendrick
Merchant Risk Council
June 17th, 2013 at 1:21 pm
Good point. My mindset was focused on breach and breach prevention costs. I knew I was missing additional merchant costs, but I was experiencing writer's block in that section of the post. I briefly touched on this topic with my reference to “little or no liability for these fraudulent card-not-present transactions,” but I did not specify the additional costs to the merchants beyond chargebacks and service/merchandise loss.