The state of credit card security is important for businesses for a number of reasons. This release, hyping a report from Javelin Strategy, contains a surprising amount of information that is valuable both to retailers that accept this type of payment (i.e., virtually all of them) and companies that issue cards to their employees. Indeed, the amount of information in the release leads us to believe that either it's a tremendously rich report or the marketing department got a bit carried away.
In any case, it's a good document. The first of three sections defines what constitutes a "dream card." This section itself is divided into lists of features that facilitate theft prevention, theft detection and fraud resolution, which is how to make sure that fraud doesn't inconvenience or alienate victims.
The second section names the five cards that best fulfill various priorities. The final section details findings from the report and suggests areas where the industry can improve and things that consumers need to know.
Credit card security concerns are increasing as data breaches and theft grow. The main vehicle for credit card security is the Payment Card Industry Data Security Standard (PCI DSS), which was introduced in 2005. Version 1.1, this PC World story says, was finalized in September 2006. As its anniversary approaches, some say that the additional requirements -- which deal with what the story terms "compensating controls" -- are hamstringing the efforts of large retailers to follow the rules. The story describes the new standards and the problems. The bottom line is that the incremental standards appear aimed at smaller companies and can make it difficult for big players to follow.
The good news is that the biggest retailers in the country -- those who are said to be having trouble with the newer elements of the standard -- are taking the rules seriously. This Hack Report piece says that 96 percent of Level 1 and Level 2 merchants have told Visa that they are complying with the rules and not storing information such as personal identification numbers (PINs) and credit card security codes. Ninety-six percent is a high number but, as the writer points out, it means that about 42 of the 1,057 retailers in Level 1 and Level 2 are not compliant. There are probably about 13 non-complying companies in Level 1 (the largest retailers) and 29 in Level 2 (big, but not the largest), the writer estimates.
Another unsettling figure -- also based on Visa numbers -- is provided in this SecurityPark story. The writer cites the firm ExaProtect as saying that more than $200 billion in transactions worldwide will not meet PCI SCC security standards.
Those figures, of course, represent the macro picture. At the company level, it is imperative to protect credit card data to the extent of the PCI standards and beyond, if possible. There may be some disagreement about who pays for breaches. The reality is that far more costly commodities -- the reputations of both the retailer and the card company -- are lost whenever a breach occurs.