Did you hear?! Hackers have gotten into the transaction records of your favorite store and stolen thousands of customers’ credit card information, possibly yours. If you are like most people when faced with this news, you will be alarmed, even mortified. Your trust in that brand has been violated. And, with all of this emotion and genuine concern for your financial safety you will…do absolutely nothing.
As shoppers in the digital age, we are not our parents
The type of indifference described above is not only common, it is an epidemic. But it hasn’t always been that way. Our parents used to highly regard “having credit” and being deemed “credit worthy” was an achievement. They protected their credit status by paying bills on time, never missing a mortgage payment and using their credit cards only with trusted stores at which they had been shopping for years…the Sears, Woolworth’s and Macy’s of the world. The notion that someone could get a hold of their credit card information and use it in untoward ways was unthinkable for them and they protected themselves against such a calamity.
Bank protections lead to consumer indifference
We still have a fear of losing our identity. In 1995, that fear was put on the big screen in “The Net, ” in which Sandra Bullock’s character has her identity stolen. But back then, if that happened to you, the burden of reclaiming whatever was taken, notably your money, and proving charges made with credit cards were fraudulent fell to the consumer. It was a terribly time-consuming process during which the victim would still be out the money and credit that was suspended until the issues were resolved.
But then credit card companies, led by American Express, began making it much easier to dispute charges. Not wanting to lose customers to rivals, they amped up their protection services and made the process of recovery much easier. With a simple phone call, you could alert the companies of of the fraudulent charges and they would refund you the credit as quickly as 24-48 hours later. As this practice became commonplace, consumers stopped considering these violations as anything more than a potential minor hassle. What would our parents think of that?!
PCI compliance by companies could help
In 2006, the Payment Card Industry (PCI) Council was created to develop a set of industry standards that, if companies complied with them, could significantly increase consumer protection levels by ensuring that steps were taken to reduce the threat of information hacking. Most large companies agreed to improve their operations and put in place security measures that complied with the new standards.
Everything was fine, right? Not quite. Those looking to infiltrate these systems found new ways to breach them and retrieve valuable customer information.
An example: many big companies use satellite connections to send information to and from their stores. Thieves determined they could literally sit in their cars in a parking lot, armed with log-in data they stole from other means, and log into the company system wirelessly. Once they were in, they could find anything they’d like and since they looked like an approved user, no safeguards would be triggered. In this example, the company that got hacked may have thought it was in compliance and, it very likely was at one time. But the times change.
A compliance audit keeps companies up to date
Complying with the PCI standards is not an easy task. It takes an investment of time and money, both of which are in short supply especially in the retail sector. However, making the investment goes a long way toward ensuring that customer credit card information is protected and that points of vulnerability, like in the parking lot example above, are addressed. The consumers win because their information isn’t susceptible to hacks and companies win because they don’t suffer the public relations backlash from a major breach.
Are either of those “wins” enough motivation for a company to make the investment? The answer seems to be no. Compounding the problem is that many companies which give some attention to PCI Compliance and perform an audit do it themselves, mostly in an effort to save money. This leads to all types of conflicts of interest in which the company will not accurately report risks for fear of having to recommend solutions that put their budgets at risk.
Imagine that you are an IT director tasked with completing a PCI audit. Throughout the course of the audit, you find a glaring violation of the standards, the fix for which would cost the company millions of dollars. You know that your department budget can’t handle that new line item so, rather than report it and see some of your programs cut, you choose to ignore it. The integrity of the audit has just been weakened.
It is for this reason that we recommend a third party be brought in to do ANY kind of audit, but especially a PCI Audit. An outside firm will not have a bias and will report on what it finds accurately.
No major consequences leads to apathy
Examples of a company having their secure information hacked and tens of thousands of consumer records being stolen are abundant. For a short time, the news is full of stories about the breach and the social media world is alight with messages about the situation. Consumer advocate groups issue statements. Government officials promise reform. But after a week or so, the storm dies down and people move on with their lives.
I spoke with a business associate of mine the other day. After a major national retailer was hacked recently with millions of consumers’ credit card information stolen, he said he was in one of their stores the NEXT DAY and used his credit card.
If a company is out of PCI Compliance, there really is very little about which they need to worry as a consequence. Government and bank fines are minimal. Consumers may temporarily stay away but, they come back and use credit to buy items. The media leaves the story behind, focusing on the current news of the day. The result is a short-term blip in their sales, possibly, and a few negative stories in the media. And since consumers aren’t rallying to force changes in the company’s policies, life goes on as usual.
PCI Standards have been developed and revised over time to provide a level of secure shopping that all consumers want. Yet until there are significant consequences for those companies who are out of compliance, consumers should not expect secure shopping.