Theres a good chance well have more of it in the months to come, and not just the usual "thousands of card numbers were stolen" stuff.
Even though merchants arent ready for it, Visa and MasterCard are making noises like theyre really, honestly and truly going to enforce the security standards they have been pushing on the retail world.
Enforcement could be the death penalty for some retailers.
I instinctively side with the banks and credit card companies; what theyre saying is that if youre going to be doing business with us, and therefore be entrusted with sensitive information, the loss of which could cost money and time for us and our customers, you need to use strict security guidelines in the operation of your computer systems and business practices.
According to a recent Wall Street Journal story (subscription required), Visa says that only 17 percent of 231 large merchants have complied with CISP, and another 75 percent have filed a plan for doing so.
This means that 8 percent (of large retailers) havent even bothered to file a plan. Imagine what the situation is for small retailers! In fairness, Visa also said that at this time last year only 2 percent were in compliance, so clearly progress is being made.
Im not really an expert on the standards, but my understanding is that they are a serious effort and you cant easily cheat them. For instance, at the strictest levels, reserved for these large merchants who handle large numbers of cards, independent audits are required.
And the big merchants are among the most aggressive at adopting technologies like Wi-Fi that have at least great potential for insecurity.
Im told that in big-box stores and modern supermarkets youre likely to find lots of Wi-Fi that they use to quickly and cheaply install new equipment without having to run wires. Do you think the store manager has had any training in network management?
A secure wireless network, the kind that would comply with PCI/CISP, requires, among other things, WPA (Wi-Fi Protected Access) protection and Radius authentication.
Keeping this running requires either on-site expertise or remote management. Or they could just not be as strict about things, which is what I bet happens most of the time.