Credit card firms need to change policies

When it comes to IT security, good technology can’t protect an organization against bad policy. Judging from the way the banking industry handled the recent theft of more than 8 million credit card account numbers, that’s a lesson that major U.S. credit card associations and issuers have yet to learn.

The situation is unlikely to improve in the near term because the financial services firms that control most credit cards see little economic incentive to change their ways. Those most at risk of incurring losses include consumers (through identity theft), and merchants that accept “card-not-present” transactions.

The card associations’ policies, as demonstrated, could be described thusly: don’t publicize credit card thefts in any way; don’t require card issuers to notify affected card owners unless they ask; don’t share the list of compromised account numbers with merchants; and don’t require banks to reissue stolen cards. And don’t worry – banks will monitor accounts for “unusual activity” with automated, high-tech monitoring tools.

Card-not-present transactions aren’t protected by the same zero-liability policy given to consumers and merchants at brick-and-mortar stores, where clerks can physically check the credit card and obtain a signature. This puts online vendors at a competitive disadvantage.

If accounts are used fraudulently, how much damage will online merchants suffer before the monitoring systems catch on and defuse the situation? Probably nothing will happen. But merchants won’t know for sure until cardholders receive their statements.

To their credit, some card issuers are moving to protect online transactions with new authentication programs. For example, MasterCard SecureCode and Verified by Visa require the buyer to use a password before making a purchase. Merchants who obtain passwords from buyers are protected from chargebacks. But most buyers don’t have one yet. MasterCard and others should follow Visa’s lead and protect e-commerce providers that request passwords from buyers.

This shifts the cost of stolen data away from merchants but doesn’t solve the problem. Credit card companies should also question whether having dozens of processing companies handling customer data makes sense in a Web-connected world. Or whether security measures that address the way card transaction processors, issuers and merchants handle and protect account data should be more strictly dictated and policed. Or whether it makes better business sense to assume a policy of more open disclosure with cardholders.

The industry worries about the expense of reissuing cards.Yet banks have spent a lifetime building trust, and serious erosion of consumer confidence could cost far more than simply replacing those cards. It could cost billions in lost sales to e-commerce merchants that are dependent on credit card payment systems.

The current policies are bad for e-commerce, bad for consumers and, ultimately, bad for business. The industry should make changes now, before consumers finally wake up to what’s going on and legislators step into the breach.