PCI And The Circle Of Blame
Who's responsible for the security of credit card data? From retailers to auditors to card brands, the first order of business is self preservation--and that costs all of us.
February 21, 2008
There's no question that concrete steps must be taken to protect credit card account data, and at the moment PCI is the best effort, despite its flaws. Here are some ways those concerned with security can work to improve the system.
• Press for a federal breach disclosure law. At present, 40 of 50 states have laws that define how organizations must report a breach of sensitive data. A uniform federal law that includes rules regarding improper disclosure of credit card account information will reduce the hassle and expense of addressing the issue state by state--and give retailers no excuse if they get it wrong.
• Provide more uniform Level 1 audit guidelines, including sample sizes for assessing individual retail stores. Individual store audits should be based on a total percentage of stores in addition to store configurations. To offset the cost of additional store audits, the card brands should provide incentives, such as lower transaction rates or rebates, to acquiring banks. The banks can pass these savings on to retailers.
• Finally, make card brands share the cost of credit card fraud. At present, the card brands don't incur any of this financial burden. Issuing banks--the banks that provide credit cards to consumers--shoulder as much as 70% of the cost of fraud, including swallowing bogus transactions, canceling accounts, and issuing new cards. The remaining 30% is absorbed by merchants and acquiring banks. If the card brands have a financial stake in fraud costs, they will have a clear economic incentive to vigorously enforce credit card security measures.