June, 2005

Forty million more credit cards at risk out there, who-knows-where. That, according to this morning’s revelation and this time it's an Arizona credit-card processor, Credit Card Solutions, who dropped the ball. This latest security failure is just another of the embarrassments of recent months that have now put nearly everyone with a card at jeopardy.

A visit to Credit Card Solutions web site makes no excuses and takes a very straightforward approach to explaining what happened. Unlike government, credit card processors depend upon consumer faith in their integrity and so they get out in front with the truth instead of making knee-jerk denials.

But it’s happened again and as I suggested in an earlier commentary, no one knows where the incursions end, if anywhere. Congress is in turmoil, a veritable hubbub and hallabaloo of what-to-do's, with each elected official salivating to get his or her name attached to a piece of legislation.

The problem is that no one really knows any more about how to handle this then they do the more pervasive but less threatening issue of spam. Charles Shumer, Senator from New York didn’t waste any time getting a news release out that put him front-row-center, saying "Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly."

Quickly isn’t likely to fix it, Chuck.

MasterCard says it supports the extension of data security laws. MC would have transaction processors (like Credit Card Solutions) and data brokers (Trans Union and others) meet the same standards as banks. If they were required to meet the same standards as banks, they would no doubt absolve themselves from any losses due to fraud, but collect a fee someplace along the line for the cost of the fraudulent transaction. Shockingly, that’s what card-issuing banks do. They not only take themselves conveniently off the hook, but charge fees to merchants for reversing unauthorized charges. It’s just another income stream for the banks.

The banks are sitting pretty. Banks always sit pretty. When they drive consumers to the edge of bankruptcy with usurious late-fees, they merely ask for (and get) restrictions in the bankruptcy laws that protect their assets. The Senate, by the way, recently put its seal of approval on that nifty legislative effort. But make banks and issuing companies actually responsible for their misuse, mishandling or abuse of customer information? Nah! Not a chance.

It's retailers who are left holding the bag financially. With all the hand-wringing in Congress about consumers at risk, it’s really the world-wide merchants, particularly those who do business on the Internet who are taking a bath. For all those tap-dancing congressional savants, eager to throw this or that law out there with their name on it, no one knows how to do it.

At least not without the banks leading the charge and that just isn't going to happen.

If the banking industry were part of the liability stream, there’d damned sure be a quick fix along the lines of additional encryption or a layering of access codes. But banking interests are best served by easy access to cards and they have thus far insulated themselves from taking any kind of hit when things go wrong.

Wouldn’t it be a miracle to see Congress go after the banks?

Get out of the Archives and read what Jim's writing today