Tuesday, June 16, 2009


Credit Card Processors Fail To Ensure Security For Consumers

Banks and other financial firms that deal with consumer credit card information are lacking proper security measures despite meeting industry standards, according to an investigative report from the Associated Press on Monday.
When it comes to credit card security details, it is up to the banks and other financial firms to ensure that proper precautions are being taken. However, an AP investigation of security breaches dating to 2005 found that rules are “cursory at best and all but meaningless at worst.”
The group gained most of its data from the Open Security Foundation list-serve. What’s more, processors that comply with official Payment Card Industry (PCI) security standards are still susceptible to hacking activity resulting in credit fraud.

“Credit card providers don't appear to be in a rush to tighten the rules,” according to AP investigators. “They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.”


Editor's Note: Low cost to whom?  Stricter security would take a huge bite out of the profits made from Interchange Fees.  I'd replace "low cost" with "fees."


Here's a Quick Interchange 101 Lesson:


The less secure the payment is, the higher the Interchange Fees (higher fees = higher profits)
The more secure the payment is, the lower the Interchange Rate (lower fees = lower profits)


Do the math. It doesn't take a rocket scientist to figure out why credit card providers consider "fraud to be a cost of doing business." That was one of my bullet points (5th paragraph) in yesterday's message (box on left).


Put it this way. If the "gears of the payment system" were truly built on speed, convenience and low cost, then consider the following when it comes to paying online for eCommerce transactions:


  • I would argue that it is 14-16 times "faster" to swipe your card "once" vs. "manually entering 14-16 digits" of a payment card, followed by a 6-digit expiration date, and finally, the 3-digit CVV code on the back of the card. (One swipe vs. THREE steps and 23-26 numbers is faster, agreed?)
  • Therefore, by definition, it would be at least 3, if not 23-26 times "more convenient" as well.
  • It may not be 23-26 times lower in cost, but it is about 100 basis points lower cost to the merchant. So, I'm not buying the "sand on the gears" analogy.

The story continues:

The AP reported on a massive data breach that took place at a supermarket chain. Hackers installed software on Hannaford's servers that stole critical consumer data that was en route to the banks after customers made purchases. Two major breaches have taken place since then, both of which involved companies that met PCI standards – Heartland Payment Systems and RBS WorldPay Inc. WorldPay lost more than 1 million Social Security numbers to hackers.

Avivah Litan, a Gartner Inc. analyst, told the AP that retailers and payment processors have invested more than $2 billion in order to meet PCI standards. The industry claims that about 93 percent of large firms and 88 percent of mid-sized firms in the US are compliant with PCI security standards.



On the Net:
PCI Security Standards
Privacy Rights Clearinghouse
DataLossDB
PIN Payments Blog

Source: redOrbit Staff & Wire Reports




