The Wall Street Journal ran an article yesterday, “Security-Software Industry’s Miniboom,” talking about data privacy and security spending. See:
The focus of the article is around the Payment Card Industry (PCI) and the so called Data Security Standards (DSS). The credit card industry (primarily driven by Visa) has been steadily and systematically shifting more of the responsibilities and liabilities for credit card losses to merchants.
Now this actually makes good sense. Insiders have known for a long time that the losses due to fraud, privacy issues and increasing identity theft have been huge, in absolute terms for many years. (“Huge” means single digit percentage losses multiplied by trillions of dollars moving through the system).
The tension around this is simple really, and we should all care. On the one hand the credit card “brands” are encouraging us to continue to use our cards, and actively promote “don’t worry Mr. Consumer – if you have losses, we have your back.” That is the public position. Slowing down the flow of transactions due to consumer fear is not really a good option for them :-)
But the brands have been quietly working hard to reduce losses in the system, as they have been picking up (from their perspective) more than their fair share of the consumer loss charges and blame.
So the focus goes to the transaction chain. The PCI regs, which are being ratcheted up and broadened, are really seeking to enforce better practices for all participants in the system. In December 2006, Visa announced the “compliance acceleration program,” which can fine the largest banks and merchants for non-compliance, with fines beginning at $25,000 a month. The deadline for compliance came into force on September 30, 2007. The next tier of banks and merchants face a similar situation effective December 31, 2007.
Simply put, Visa (and the other brands) are not willing to pick up the tab for sloppy transaction controls in the credit supply chain. And we should ALL care because at the end of the day WE pay for the losses with higher fees and interest rates.
These are real data management best practices and security issues. We should make sure all of our “negative controls” are working. The firewalls should be in place, intrusion and anti-virus stuff should be set up correctly, etc.
For the most part, the “physical risk” of losses in the system is yesterday’s news. The bulk of the transactions are handled by the “big banks” and they are pretty darn good at all of this security stuff. And I don’t believe for a minute that we lose as many laptops and servers as the media reports.
The problem with all of this CISP/PCI DSS stuff is that it focuses largely on reactive and negative controls and has traditionally been based on “honor system” compliance with draconian implications if they “catch you.”
There is a better way for all parties. Wouldn’t it be better to deploy “positive” IT controls? (i.e. “I know that all of the software on my IT-based transaction systems is in compliance — and I can prove it over its usage lifetime.”)
All sides win with affirmative and positive IT controls based on software and standard image measurement/management.
With IT controls the brands can move away from the honor system and the web services used to connect and pass transactions can exchange positive platform “trust tokens,” assuring a new level of transparent compliance. The banks and merchants can produce higher levels of demonstrated compliance, with a lower cost to implement.
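The measurement-based positive control and trust-token exchange sketched above, as an added example that is not part of the original post: a toy that hashes the software on a transaction host against a known-good manifest and, only when everything matches, issues an HMAC-signed token that the receiving web service checks for integrity and freshness. The file paths, file contents and shared key are constructed placeholders; a real deployment would anchor the measurement in a TPM and use asymmetric signatures.

```python
import hashlib
import hmac
import json

# Constructed known-good manifest: path -> SHA-256 of the approved build.
APPROVED_IMAGE = {
    "/opt/pos/txn-gateway": hashlib.sha256(b"gateway-v2.1").hexdigest(),
    "/opt/pos/card-reader.so": hashlib.sha256(b"reader-v1.4").hexdigest(),
}

# Constructed shared key between a merchant host and the brand's gateway.
TOKEN_KEY = b"example-shared-secret-do-not-use"


def measure(files):
    """Hash the contents of every file found on the host (files: path -> bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def assess(measured, approved=APPROVED_IMAGE):
    """Positive control: each approved component must be present and unchanged,
    and anything not on the manifest is a finding. Returns (compliant, findings)."""
    findings = []
    for path, good in approved.items():
        seen = measured.get(path)
        if seen is None:
            findings.append(f"missing: {path}")
        elif seen != good:
            findings.append(f"modified: {path}")
    for path in sorted(measured.keys() - approved.keys()):
        findings.append(f"unapproved: {path}")
    return not findings, findings


def issue_token(host, measured, now, key=TOKEN_KEY):
    """Emit an HMAC-signed trust token only if the measurement is compliant."""
    compliant, _ = assess(measured)
    if not compliant:
        return None
    manifest_digest = hashlib.sha256(
        json.dumps(measured, sort_keys=True).encode()).hexdigest()
    payload = json.dumps({"host": host, "issued": now,
                          "manifest": manifest_digest}, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token, now, max_age=300, key=TOKEN_KEY):
    """Peer side: accept a transaction only from a fresh, correctly signed token."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return now - json.loads(payload)["issued"] <= max_age
```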
And maybe then consumers will get some break on costs and interest rates. That, or the brands, banks and merchants will see their profits increase nicely... Okay, so I lapsed into cynicism... I digress.
Parallel-process, check-and-balance IT controls that demonstrate affirmative system compliance are just common sense. And the IT world needs a bit more common sense from time to time.