Friday 2 March 2007

The PCI DSS (Payment Card Industry Data Security Standard) defines who wears the loss when someone misuses your credit card: essentially, the blame rests with the merchant, who bears the cost of a fraudulent transaction.

Some bloggers have suggested that this is the appropriate place to put the blame, arguing that because merchants are at the pointy end of maintaining the security of card information, they should be responsible for a breach. However, this is entirely the wrong approach to take.

There is nothing merchants can do to stop themselves from being defrauded, and this is due to the fundamentally insecure way in which the transaction occurs. There are few, if any, solutions in place that would allow a merchant to validate whether the credit card number they have been given actually belongs to the customer; all they can do is accept the risk of fraud and pass its cost on to the consumer. So under this model no processes are improved, and ultimately the consumer ends up paying for the cost of fraud anyway through increased prices.

The credit card companies, who are the only ones who can actually change the system, are left with no responsibility or financial penalties at all, and if they don't suffer, they won't change anything. If they were responsible for making good fraudulent transactions, you could be sure we would have a more secure payment system in short order.

You see, while a particular merchant may be responsible for the leak of credit card data, it likely will not be that merchant, or at least not that merchant alone, who feels the pain of the leak. The stolen card data will be used to defraud other merchants, who may have protected their own data quite well. So what incentive is there for a merchant to tightly protect the data when they will be impacted no matter how much they spend?

Consumers and merchants are both users of the credit card system; it is the credit card companies who are selling a service to those users, and they alone are responsible for fixing its insecurities.
