PCI And The Circle Of Blame

Who's responsible for the security of credit card data? From retailers to auditors to card brands, the first order of business is self preservation--and that costs all of us.

Andrew Conry Murray, Director of Content & Community, Interop

February 21, 2008

2 Min Read


There's no question that concrete steps must be taken to protect credit card account data, and at the moment PCI is the best effort, despite its flaws. Here are some ways those concerned with security can work to improve the system.

Press for a federal breach disclosure law. At present, 40 of 50 states have laws that define how organizations must report a breach of sensitive data. A uniform federal law that includes rules regarding improper disclosure of credit card account information will reduce the hassle and expense of addressing the issue state by state--and give retailers no excuse if they get it wrong.

Provide more uniform Level 1 audit guidelines, including sample sizes for assessing individual retail stores. Individual store audits should be based on a total percentage of stores in addition to store configurations. To offset the cost of additional store audits, the card brands should provide incentives, such as lower transaction rates or rebates, to acquiring banks. The banks can pass these savings on to retailers.

Finally, make card brands share the cost of credit card fraud. At present, the card brands don't incur any of this financial burden. Issuing banks--the banks that provide credit cards to consumers--shoulder as much as 70% of the cost of fraud, including swallowing bogus transactions, canceling accounts, and issuing new cards. The remaining 30% is absorbed by merchants and acquiring banks. If the card brands have a financial stake in fraud costs, they will have a clear economic incentive to vigorously enforce credit card security measures.

PCIs Cast Of Characters

(click image for larger view) Continue to the sidebar:
Can You Buy PCI Compliance?

About the Author(s)

Andrew Conry Murray

Director of Content & Community, Interop

Drew is formerly editor of Network Computing and currently director of content and community for Interop.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights