On the information freeway, the vast majority of the population is driving 90 miles per hour (144 KPH) without insurance; this includes business entities, too. In the United States, as in many other countries as well, the law dictates that a person possess a minimum level of automobile insurance to protect the financial stability of other drivers, their property and themselves in the event of a crash. Most people would not be able to afford the expense associated with a crash should it occur. We all tend to dislike insurance, but we are infinitely pleased when we have it in a time of catastrophe, right?
While I know of no policy that can be purchased to ensure information security, I also know that there are many ways information can be made more secure. Each participant in a commerce-based transaction – the retailer, the buyer, and the credit card company – plays a unique role in ensuring security.
When it comes to cyberspace crime, it is all about identities and intellectual property. The largest business segment that cyber-criminals target for identities is the retail marketplace. You might be pondering right now, “Michael, no way! Banks are where the real money is!” But think about this for a moment: just one credit card is used at dozens, hundreds, maybe even thousands of retail establishments in every part of the world, right? When is the last time you heard about a security breach at a credit card issuer like Visa or MasterCard? Citibank comes to mind, but no one else. When is the last time you heard about a security breach at a retailer? I’d run out of fingers and toes counting them off to you.
According to the U.S. Census Bureau, three quarters of all U.S. business firms are classified as small businesses (Source: U.S. Census Bureau). The likelihood of consumers like you doing business with any one of these firms is significant. Now for the next big question I want you to consider: how many of these small businesses are required to comply with Payment Card Industry (PCI) security mandates?
Technically, all merchants are supposed to comply with these guidelines. However, anyone processing fewer than 1 million transactions a year need only claim compliance, and that claim goes unverified. Do you think the honor system, wink-wink, is going to be effective at protecting your identity from criminals? I say “criminal” instead of “cyber-criminal” because, without effective and fundamental information security controls in place, your credit card information and personally identifying information are ripe for the picking by dishonest employees, dishonest support vendors and cyber-criminals alike.
According to Visa Inc., small merchants account for over 80 percent of compromise events (Source: Visa Inc.). Hackers love small businesses because they are usually not well protected. Regardless of size, any organization that is not protected will be targeted by cyber-criminals.
The PCI Security Standards Council is an open global forum. The Council’s five founding global payment brands, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., all agreed to set security standards. So on the positive side, standards are consistent. On the negative side, some of these requirements are antiquated by technological standards and, in my opinion, must be updated. Take encryption, for example: 3DES encryption is still authorized by the PCI consortium. 3DES was defeated in 2005. For discussion purposes, AES is faster and has not been defeated. Why then have the requirements not been updated, you ask? It is expensive to update the technology to support stronger encryption rather than weaker encryption. It really represents collusion between the PCI consortium and the financial institutions to “dumb down” security measures purely for business impact purposes.
Now that I’ve taken you on a brief tour of just one security component that protects consumers with basic security standards, I assure you that there are many other fundamental security measures that should be in place but are not currently required, measured, tested or reported on.
For any business entity, the lifeblood of the business is the customer, and the customer can only support the business if their financial identity is solvent. This symbiotic relationship will not thrive without vigilance on both sides. Merchants must protect their intellectual property, their customers, their profits, etc., while consumers play a pivotal role in security, too. Keeping technology up to date and using secure methods of conducting business or personal transactions is vital. The other facet is demanding that businesses handle your personal information with great care. Just as corporations come together for mutual benefit, as the members of the PCI consortium have, so too must consumers come together for mutual benefit.
There are consumer advocacy organizations available, such as Consumer Action, that provide consumers with representation and advice on their marketplace rights, security and privacy. These organizations give you a voice that corporations will hear. Insist that the retailers you do business with are actually protecting you by applying rigorous international security standards such as ISO 27002. Retailers should be able to prove that independent security verifications such as PCI audits are conducted on a routine basis, ideally no less than quarterly, and that industry-standard security certifications like SSAE 16 have been earned. All of these things provide assurances to consumers that security and privacy are taken seriously.
Know your rights and assert them!