There's nothing like credit card ID theft to make computer security relevant to the general public. We've had a lot of news lately on the subject, and it deserves to be big news.
There's a good chance we'll have more of it in the months to come, and not just the usual "thousands of card numbers were stolen" stuff.
Even though merchants aren't ready for it, Visa and MasterCard are making noises like they're really, honestly and truly going to enforce the security standards they have been pushing on the retail world.
Enforcement could be the death penalty for some retailers.
I instinctively side with the banks and credit card companies. What they're saying is that if you're going to do business with us, and therefore be entrusted with sensitive information whose loss could cost us and our customers money and time, you need to follow strict security guidelines in the operation of your computer systems and business practices.
Visa calls its compliance program CISP (Cardholder Information Security Program); the technical requirements behind it, which MasterCard enforces as well, are the PCI (Payment Card Industry) Data Security Standard.
According to a recent Wall Street Journal story (subscription required), Visa says that only 17 percent of 231 large merchants have complied with CISP, and another 75 percent have filed a plan to do so.
This means that 8 percent of large retailers haven't even bothered to file a plan. Imagine what the situation is for small retailers! In fairness, Visa also said that at this time last year only 2 percent were in compliance, so clearly progress is being made.
I'm not really an expert on the standards, but my understanding is that they are a serious effort and you can't easily cheat them. For instance, at the strictest levels, reserved for large merchants that handle large numbers of cards, independent audits are required.
And the big merchants are among the most aggressive adopters of technologies like Wi-Fi that carry real potential for insecurity.
I'm told that in big-box stores and modern supermarkets you're likely to find lots of Wi-Fi, used to install new equipment quickly and cheaply without having to run wires. Do you think the store manager has had any training in network management?
A secure wireless network, the kind that would comply with PCI/CISP, requires, among other things, WPA (Wi-Fi Protected Access) with 802.1X authentication against a RADIUS server, not a shared passphrase that every device and employee knows.
Keeping this running requires either on-site expertise or remote management. Or they could just not be as strict about things, which is what I bet happens most of the time.
Credit Card Companies Will Have to Draw the Line
You can't just put in a few Linksys cards and a router; you have to get professional network management tools from a vendor like AirWave that can actually audit the network and enforce policy.
And when it comes to the flower shop in town, you can forget the possibility that it, or the guy it bought its systems from, knows anything about network security. If only 17 percent of large merchants are compliant, the number of small merchants must be puny.
It's true they are held to a lesser standard, but this doesn't make me feel any better. I'm more comforted by the fact that they're less likely to be the target of e-thieves than a large store with lots of data.
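The audit that the preceding paragraphs say a store needs, in miniature, as an added example that is not part of the original column and is not AirWave's or any vendor's code: it parses a wireless scan in the layout of `iwlist scan` output, compares what it sees against a store's inventory of authorized access points, and flags everything that falls short of the WPA-with-RADIUS requirement mentioned above (open networks, WEP, pre-shared keys instead of 802.1X, TKIP, and unknown or look-alike access points). The scan text, the BSSIDs, the ESSIDs and the inventory are all constructed for the example.

```python
"""Audit a Wi-Fi scan against a PCI-style wireless policy.

Added example (not from the article). Assumptions: scan text in the layout
of `iwlist <iface> scan`, a store inventory of authorized BSSIDs, and a policy
requiring WPA/WPA2 with 802.1X (RADIUS-backed) authentication, no WEP, no TKIP.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `iwlist wlan0 scan`; not a real capture.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:01
                    ESSID:"store-pos"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : 802.1x
          Cell 02 - Address: 00:11:22:AA:BB:02
                    ESSID:"store-guest"
                    Encryption key:off
          Cell 03 - Address: 00:11:22:AA:BB:03
                    ESSID:"store-pos"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
          Cell 04 - Address: 00:11:22:AA:BB:04
                    ESSID:"linksys"
                    Encryption key:on
"""

# Constructed store inventory (hypothetical): BSSID -> ESSID it should carry.
AUTHORIZED = {
    "00:11:22:AA:BB:01": "store-pos",
    "00:11:22:AA:BB:02": "store-guest",
}


@dataclass
class AccessPoint:
    bssid: str
    essid: str
    encrypted: bool
    wpa_versions: tuple      # ("WPA2",), ("WPA",), or () for WEP/open
    ciphers: frozenset       # e.g. {"CCMP"} or {"TKIP"}
    auth_suites: frozenset   # e.g. {"802.1x"} or {"PSK"}


_CELL = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_iwlist(text):
    """Split scan output into one AccessPoint per 'Cell' block."""
    parts = _CELL.split(text)  # [preamble, bssid1, body1, bssid2, body2, ...]
    aps = []
    for bssid, body in zip(parts[1::2], parts[2::2]):
        essid = re.search(r'ESSID:"([^"]*)"', body)
        enc = re.search(r"Encryption key:(on|off)", body)
        versions = []
        if "IE: IEEE 802.11i/WPA2" in body:
            versions.append("WPA2")
        if "IE: WPA Version" in body:
            versions.append("WPA")
        ciphers, suites = set(), set()
        for m in re.finditer(r"Ciphers? (?:\(\d+\) )?: ([\w ]+)", body):
            ciphers.update(m.group(1).split())
        for m in re.finditer(r"Authentication Suites \(\d+\) : ([\w. ]+)", body):
            suites.update(m.group(1).split())
        aps.append(AccessPoint(bssid.upper(), essid.group(1) if essid else "",
                               enc is not None and enc.group(1) == "on",
                               tuple(versions), frozenset(ciphers), frozenset(suites)))
    return aps


def audit(aps, authorized):
    """Return (bssid, essid, finding) tuples, one per policy violation."""
    findings = []
    for ap in aps:
        if ap.bssid not in authorized:
            # Same ESSID as a real store network but unknown BSSID: a look-alike.
            kind = "evil twin" if ap.essid in authorized.values() else "rogue"
            findings.append((ap.bssid, ap.essid, f"{kind}: BSSID not in inventory"))
        if not ap.encrypted:
            findings.append((ap.bssid, ap.essid, "open network"))
            continue
        if not ap.wpa_versions:
            # Encryption on but no WPA/WPA2 information element means WEP.
            findings.append((ap.bssid, ap.essid, "WEP: no WPA/WPA2 IE"))
            continue
        if "802.1x" not in ap.auth_suites:
            findings.append((ap.bssid, ap.essid, "PSK: no 802.1X/RADIUS authentication"))
        if "TKIP" in ap.ciphers:
            findings.append((ap.bssid, ap.essid, "TKIP cipher in use"))
    return findings


if __name__ == "__main__":
    for bssid, essid, finding in audit(parse_iwlist(SAMPLE_SCAN), AUTHORIZED):
        print(f"{bssid}  {essid:<12} {finding}")
```

Run against the constructed scan, the compliant WPA2/802.1X cell produces nothing, the open guest network is flagged, the cell advertising the store's own ESSID from an unknown BSSID with WPA-PSK and TKIP draws three findings, and the unknown WEP-only "linksys" box draws two. A real deployment would feed the scan from the APs' own monitoring or a scanning client on each site and keep the inventory in a central system, which is exactly the central policy enforcement the column says a store needs.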
Clearly, cost pressures on large merchants are tremendous, and as a consumer I'm all in favor of big stores driving prices down. Standards like these are a good example of a floor under that process, one that regulates how quickly and wildly the stores may grow.
Once again, as a consumer, I can't complain. The money merchants spend on the security of financial information is money spent in my interest.
Visa and MasterCard are so big and powerful that they can't throw their weight around too conspicuously or they'll get in trouble, so they really do need to give merchants every chance to comply. In the meantime, though, security breaches are costing them and their member banks big bucks.
The Wall Street Journal article stated that Citigroup, Washington Mutual and Bank of America are part of a group of banks that have been invalidating and replacing cards that merely may have been compromised in the most recent card data loss. This in spite of the fact that it can cost up to $20 each time they do that. This can't go on much longer.
So at some point the credit card companies will have to start switching off service to merchants that don't meet the requirements, or merchants will get the message that the threats are empty.
It's possible they could go the carrot route rather than the stick and offer financial incentives to compliant merchants. Or they could do both.
When either happens, look for outraged merchants to pony up money for lawyers that they were unwilling to spend on security. That's when you'll know whom you want to do business with.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.