Those wacky merchants
After my previous post on privacy and security on the Internet, I ran across Rich Mogull’s ‘Picking apart the Hannaford Breach’ post. To me, issues of privacy and security are related to this post. I am going out on a limb here because I am making an assumption – assertion, actually – of intent, but it appears to me this is the crux of the issue. Merchants want to maintain the relationship with the customer, and probably more importantly to them, the data about the customers. Financial data, purchasing data, location data and preferences that are in turn cross-referenced with other data sources to further extrapolate valuable information. The merchant then uses this to make themselves more competitive in the marketplace, or sells the information to others for profit. This data is sensitive and not obfuscated because it is this direct and targeted marketing data that others will pay for. But keeping this data forms the basis for credit fraud and identity theft as it relates to these merchant breaches. In Hannaford's own words here.
Think about this another way: How does a grocery store justify keeping debit card numbers? It is certainly NOT dispute resolution like it is claimed with Credit Cards. The money is transferred immediately. I cannot call up and refuse payment like I can with a credit card. So why would a company continue to keep private information if it involves both cost (IT Infrastructure) and risk (Theft)?
Do you think merchants are trying to have their cake and eat it too?
I mentioned the Payment Intermediary concept in the previous post as well, for consumer privacy in that context, and security in this context. That proxy concept I felt had great promise for providing a platform for anonymous purchases. I would have a relationship with the credit card company, and the credit card company has a relationship with the merchant to clear payment. I would only need to authenticate to one party, the credit card company, and not every merchant. Another major advantage to the consumer when this type of payment proxy is implemented is not allowing some merchant to play fast and loose with my financial information. They don’t have it so they can’t lose it. There would not be an exchange with the merchant of the credit card number or other related information, only the credit card company payment.
Sure, purchasing Internet goods requires that the name and address information be passed, but for services, the purchase of virtual goods or in-person purchases, there may not even be that. At its core it relieved the merchant of the responsibility of having to store the credit card number, leaving them simply keeping the transaction number for dispute resolution. Does a merchant need to be involved in the credit card validation process at all? Note that I am also making the same assumption Rich is making that, due to the time frame and number of account numbers, this had to be an HQ central breach as they simply would not have been able to obtain 4.2 million unique numbers from any single grocery store.
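The intermediary arrangement described above, as an added sketch that is not from the original post or any real payment network: the class names, the HMAC-signed receipt and the sample values are assumptions made for illustration. The merchant verifies the receipt and retains only the transaction number and amount.

```python
import hashlib
import hmac
import secrets

def _tag(key, txn_id, merchant_id, amount_cents):
    msg = f"{txn_id}|{merchant_id}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Intermediary:
    """Hypothetical payment proxy: the only party that holds card numbers."""

    def __init__(self):
        self._cards = {}   # customer_id -> card number, never sent to merchants
        self._keys = {}    # merchant_id -> key used to sign receipts
        self._ledger = {}  # txn_id -> (customer_id, merchant_id, amount_cents)

    def enroll_merchant(self, merchant_id):
        self._keys[merchant_id] = secrets.token_bytes(32)
        return self._keys[merchant_id]

    def enroll_customer(self, customer_id, card_number):
        self._cards[customer_id] = card_number

    def pay(self, customer_id, merchant_id, amount_cents):
        # Customer authentication to the intermediary is assumed and omitted.
        if customer_id not in self._cards or merchant_id not in self._keys:
            raise KeyError("unknown customer or merchant")
        txn_id = secrets.token_hex(8)
        self._ledger[txn_id] = (customer_id, merchant_id, amount_cents)
        tag = _tag(self._keys[merchant_id], txn_id, merchant_id, amount_cents)
        return {"txn_id": txn_id, "amount_cents": amount_cents, "tag": tag}

    def resolve_dispute(self, merchant_id, txn_id):
        # The transaction number alone identifies the payment.
        entry = self._ledger.get(txn_id)
        return entry is not None and entry[1] == merchant_id

class Merchant:
    def __init__(self, merchant_id, key):
        self.merchant_id, self._key = merchant_id, key
        self.records = []  # everything the merchant retains

    def accept(self, receipt):
        expected = _tag(self._key, receipt["txn_id"], self.merchant_id,
                        receipt["amount_cents"])
        if not hmac.compare_digest(expected, receipt["tag"]):
            return False  # forged or altered receipt
        self.records.append((receipt["txn_id"], receipt["amount_cents"]))
        return True
```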
And on the subject of Internet purchases, do you ever remember Amazon asking you if you wanted them to store your credit card? Neither do I, but they do it anyway. Half of the airline web sites do as well. I have no information to support the claim, but I will bet better than 50% of online merchants hold credit card data long term. As a consumer, I don’t want this because I DO NOT TRUST THEM. Nothing personal. Call it fear of the unknown, but I have no idea how good their security is and would not have chosen for them to keep the number if I had a choice. Credit Card issuers should not be keen on this either as it creates unnecessary risks.
I am told the concept of Internet Payment intermediary failed because the merchants refused to participate as they claimed that they lost the customer relationship. I cannot prove this to be true, but there is certainly evidence that makes this believable. More likely it was because they lost the personal consumer data, which had a hard dollar value to them. The point remains that a solution was proposed that could have provided privacy, and removed one additional link in the chain for credit card processing which I assume would result in reduced credit card fraud. There will come a time that the merchant behavior and business model will force credit card companies to take action to maintain their profits and reduce fraud rates. Visa IPO anyone?
There were a number of publicized reports after the TJ Maxx breach that various merchants were complaining of being forced to store credit card information for the purpose of dispute resolution. I have made some inquiries and done a bit of research, but I have never seen anything published that confirms or denies this report. So until I see otherwise, I assume that the merchants create the problem as they are trying to derive value from customer information, which may include the credit card or debit card number.
One final note on Rich’s post: PCI is not worthless. PCI should be considered ‘Security 101: Basic Best Practices’. A PCI audit on the other hand, as a bare minimum lowest common denominator, is worthless. If you need someone to certify you’re doing the absolute minimum, you’re really missing the entire point of the exercise.