PCI And The Circle Of Blame

WHAT'S NEXT?

There's no question that concrete steps must be taken to protect credit card account data, and at the moment PCI is the best effort, despite its flaws. Here are some ways those concerned with security can work to improve the system.

• Press for a federal breach disclosure law. At present, 40 of 50 states have laws that define how organizations must report a breach of sensitive data. A uniform federal law that includes rules regarding improper disclosure of credit card account information will reduce the hassle and expense of addressing the issue state by state--and give retailers no excuse if they get it wrong.

• Provide more uniform Level 1 audit guidelines, including sample sizes for assessing individual retail stores. Individual store audits should be based on a total percentage of stores in addition to store configurations. To offset the cost of additional store audits, the card brands should provide incentives, such as lower transaction rates or rebates, to acquiring banks. The banks can pass these savings on to retailers.

• Finally, make card brands share the cost of credit card fraud. At present, the card brands don't incur any of this financial burden. Issuing banks--the banks that provide credit cards to consumers--shoulder as much as 70% of the cost of fraud, including swallowing bogus transactions, canceling accounts, and issuing new cards. The remaining 30% is absorbed by merchants and acquiring banks. If the card brands have a financial stake in fraud costs, they will have a clear economic incentive to vigorously enforce credit card security measures.

(click image for larger view) Continue to the sidebar:
Can You Buy PCI Compliance?