About two years ago, I had a conversation with a family member about his Stone Age practice of using cash and checks for almost every purchase. He admitted to owning just one credit card and no ATM or debit card, and he didn’t even know about online banking.
I poked fun at him. I couldn’t imagine how he could live with the inconvenience of carrying cash and a checkbook, using them to cover every purchase he makes. I joked about the Information Age passing him by.
Now I’m thinking he might have the last laugh.
The more I learn about computer security (or lack of it), the more nervous I become about our society’s increasing dependence on information rather than cash as legal tender. By information I mean the type of data typically embedded in the magnetic strip on the back of a credit or debit card, or the data of a bank or payment account. Today it’s possible to buy virtually anything without handling real money.
Lately I’ve been thinking about how often and where I use my debit card. I pull it out for almost every in-person purchase, including the small ones for just a few dollars. At the gas station, the grocery store, the hobby shop, the dry cleaner, the stop-n-rob convenience store. It’s just so easy, so convenient, to swipe my card, type my PIN and be on my way.
Having just concluded research on PCI compliance, I’m now acutely aware of how many companies that accept payment cards have data security violations. Many small retailers (like the ones mentioned above) aren’t even aware of PCI DSS, let alone compliant with it. With every swipe of my card, I’m putting my financial well-being at risk by not knowing precisely how the data is used, stored or transmitted.
The PCI Data Security Standard was adopted to protect businesses and their customers from data loss that could lead to theft by fraud. There are four levels of the standard that apply to retailers based on the number of payment transactions they process each year. The lowest (least stringent) level of the standard is reserved for small-volume retailers. According to Gartner and Digital Transactions News, there are more than six million North American retailers in this category — far more than in all other merchant levels combined. Only about 19 per cent of these retailers meet the PCI standard for data security. Put another way, about 80 per cent of the time, the small merchant in your neighbourhood is playing Russian roulette with your financial information.
Of course, midsize to large merchants have suspect data security practices as well. So far, 2,000 cases of known fraud have sprung from the Hannaford Brothers Companies breach. TJX Companies acknowledges the theft of 47.5 million credit and debit card numbers. Upwards of 650,000 JCPenney customers could be affected by a GE Capital breach. And these are known breaches. How many more are unknown, or simply not reported?
Fortunately, I’m not one of the millions of people who have been notified that their personal information may have been compromised by a data breach. Not yet, anyway. But according to the Better Business Bureau (BBB), identity fraud hits about 4 per cent of the adult American population each year — almost nine million adults in 2006 alone.
The BBB says a victim spends an average of 40 hours trying to resolve the problems caused by identity fraud. In 2006, the average fraud amount was US$6,383, although the average out-of-pocket cost to the individual was $422, meaning businesses sustain a hefty portion of the loss. (Hence the impetus for mandatory compliance with PCI DSS.)
The tools and the techniques for better protecting the payment card system exist. However, their adoption has been slow, often due to the burdensome cost of implementation and the simple lack of understanding of how important they are. But as the saying goes, a chain is only as strong as its weakest link.
I’m definitely growing uneasy about using my credit and ATM cards. They may be convenient, but what is the price of that convenience? Maybe it’s time for our cashless society to go back to using fewer cards and more dollar bills, at least until information security improves. I can almost hear my relative laughing.