Credit card firms need to change policies

When it comes to IT security, good technology can’t protect an organization against bad policy. Judging from the way the banking industry handled the recent theft of more than 8 million credit card account numbers, that’s a lesson that major U.S. credit card associations and issuers have yet to learn.

The situation is unlikely to improve in the near term because the financial services firms that control most credit cards see little economic incentive to change their ways. Those most at risk of incurring losses include consumers (through identity theft) and merchants that accept “card-not-present” transactions.

The card associations’ policies, as demonstrated, could be described thus: don’t publicize credit card thefts in any way; don’t require card issuers to notify affected card owners unless they ask; don’t share the list of compromised account numbers with merchants; and don’t require banks to reissue stolen cards. And don’t worry – banks will monitor accounts for “unusual activity” with automated, high-tech monitoring tools.

Card-not-present transactions aren’t protected by the same zero-liability policy given to consumers and merchants at brick-and-mortar stores, where clerks can physically check the credit card and obtain a signature. This puts online vendors at a competitive disadvantage.

If accounts are used fraudulently, how much damage will online merchants suffer before the monitoring systems catch on and defuse the situation? Probably nothing will happen. But merchants won’t know for sure until cardholders receive their statements.

To their credit, some card issuers are moving to protect online transactions with new authentication programs. For example, MasterCard SecureCode and Verified by Visa require the buyer to use a password before making a purchase. Merchants who obtain passwords from buyers are protected from chargebacks. But most buyers don’t have one yet. MasterCard and others should follow Visa’s lead and protect e-commerce providers that request passwords from buyers.

This shifts the cost of stolen data away from merchants but doesn’t solve the problem. Credit card companies should also question whether having dozens of processing companies handling customer data makes sense in a Web-connected world. Or whether security measures that address the way card transaction processors, issuers and merchants handle and protect account data should be more strictly dictated and policed. Or whether it makes better business sense to assume a policy of more open disclosure with cardholders.

The industry worries about the expense of reissuing cards. Yet banks have spent a lifetime building trust, and serious erosion of consumer confidence could cost far more than simply replacing those cards. It could cost billions in lost sales to e-commerce merchants that are dependent on credit card payment systems.

The current policies are bad for e-commerce, bad for consumers and, ultimately, bad for business. The industry should make changes now, before consumers finally wake up to what’s going on and legislators step into the breach.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now