Yesterday, the Associated Press released the findings of its investigation into data breaches since 2006 and Payment Card Industry (PCI) compliance by retailers. The key findings:
"The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst...More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers... many others likely have been breached and didn't detect it."
I've written previously about data breaches at debit/credit card payment processors that were audited and supposed to be PCI compliant. Too many retail companies are still not compliant with PCI standards:
"... one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves."
Combine this with the fact that 20% of information technology professionals lie on data security audits, and you have a culture focused on making money rather than protecting consumers' sensitive personal data. Perhaps the most damning part:
"Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost."
The consequences for consumers:
"It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud."
Many of us have already experienced large increases in our credit card interest rates to cover higher expenses by banks and credit card issuers. I'm sure part of these higher expenses are the costs to re-issue credit cards after huge data breaches and to pay for the resulting fraud.
The Associated Press article mentioned one example where it took a consumer four months to fix two credit cards that were hacked as part of the Hannaford grocery chain breach. And that didn't include the time spent to adjust online bill payment arrangements with those credit cards -- the work consumers must do and credit card companies don't help with after a data breach.
This means that retailers are more interested in making money and profits than in making a sincere effort to protect your sensitive personal data. Is this acceptable? Of course not. Can the retail and credit card industries do a better job? They should and must.
If this infuriates you (and I truly hope that it does make you mad), I encourage you to write to your credit card company and demand better data security, not just fines for payment processors and retailers who are not PCI compliant. The address is on the back of your monthly paper credit card statement.
Then, write to your elected officials in Congress and demand strong legislation to jail company executives who continue to ignore data security, stronger PCI standards, and an FTC policy that is stronger and more effective than the current self-monitoring policy.