Data Breaches, what can be done?

Discussion in 'The Red Room' started by Ancalagon, Sep 7, 2014.

  1. Ancalagon

    Ancalagon Scalawag Administrator Formerly Important

    Joined:
    Mar 29, 2004
    Messages:
    51,532
    Location:
    Downtown
    Ratings:
    +58,020
    So a few months ago a data breach meant USAA cancelled our old cards and gave us all new ones. Good on their part to be ahead of that shit, but damn it's annoying to have to update everything. We do almost everything via web or mobile, most through automatic billing. It was months before we got it all straightened out.

    Saw this on Facebook recently:

    A friend just got hit for $10,000 by the Home Depot data breach. It's time to address this with Federal legislation.

    1: pin and chip.

    2: make it illegal to store CC numbers past a certain date. 48 hours. Escalating financial penalties PER stored record.

    3: criminal penalties on executives whose companies allow data breaches. That will enhance security spending to where it must be.

    4. minimum $100,000 USD fine PER breached/exposed credit card number regardless if it was fraudulently used or not.

    5. I truly no longer care who has to absorb those costs.

    If you disagree you are wrong.


    I don't agree with all of those, but I also don't think throwing up our hands and saying 'Oh well, companies are just going to use/lose/misuse our data, not really anything can be done about it' is the answer either.

    Do you think there should be penalties for losing or misusing customers' data? How would you define it? What do you think the penalties should be?
  2. steve2^4

    steve2^4 Aged Meat

    Joined:
    Nov 11, 2004
    Messages:
    15,839
    Location:
    Dead and Loving It
    Ratings:
    +13,927
    Europe has the right idea. Data privacy means companies cannot store certain kinds of data, and other data if stored (addresses and phone numbers for example) must be cleansed before stored in non-production databases so employees don't have access. Data privacy there means you must opt in to any data sharing program.

    Here the default is you must opt out (if it's even possible). The biggest joke here are the credit bureaus that have your entire life's history, financial and employment (and almost anything else may be inferred from this data) open to whatever company pays them to spit it up. This doesn't exist outside the US.

    I've had my ID stolen and used. It was as simple as someone getting my SS# from a mail item. Since then someone else has been filing tax returns for me, and opening accounts under my name. The IRS has given me a secure pin to file returns online after 4 years of this. But the credit bureaus require police reports and letters to lock down my personal data. Either that or pay them to keep quiet.
  3. gul

    gul Revolting Beer Drinker Administrator Formerly Important

    Joined:
    Mar 23, 2004
    Messages:
    52,375
    Location:
    Boston
    Ratings:
    +42,367
    Actually, most states have similar laws in place to the European rules. I'm not sure whether the penalties or enforcement are in place, though.
  4. The Original Faceman

    The Original Faceman Lasagna Artist

    Joined:
    Mar 29, 2004
    Messages:
    40,848
    Ratings:
    +28,810
    [IMG]
  5. steve2^4

    steve2^4 Aged Meat

    Really? I don't think so. Opting out is the default for personal data here in the states. In Europe the default is you must opt in, agree to have your data stored, before companies may do this. US companies that do business in Europe may have adopted these standards to some extent, but usually it's just for their European operations. Credit data has a different set of standards but it's privately controlled.

    Credit card companies have formed an alliance, Payment Card Industry (PCI) with their own standards to be PCI compliant. Merchants and credit card data processors pay fines to this private entity if they are not in compliance. There are no federal or state laws that I'm aware of governing this. And of course, the companies weigh the cost of compliance with the cost of data breaches before deciding what to do.

    I switched careers in the last year. Previously I worked for multinational travel industry data processing companies. Now I work for a multinational POS (yes, there is a double entendre for the taking) company. It's shocking how merchants store and handle data. All those cash registers and ATMs are running Windows XP!!!!! (for the most part). A lot have Internet connections for their WAN. And the LANs are laughably primitive.
  6. gul

    gul Revolting Beer Drinker Administrator Formerly Important

    I'm talking about requirements for how data is handled, not how it's collected. I agree that we are pretty lax about regulating collection.
  7. steve2^4

    steve2^4 Aged Meat

    I'm not aware of any state or federal standards for data handling. Government agencies may have a set of standards. Private industry has private standards and choose whether to participate or not. Companies that do business in Europe must conform to their standards.
  8. Tuckerfan

    Tuckerfan BMF

    Joined:
    Oct 13, 2007
    Messages:
    77,294
    Location:
    Can't tell you, 'cause I'm undercover!
    Ratings:
    +155,753
    Chip and pin is coming next year to the US, but even that can be hacked. The only way to have total security is to not use electronic funds transfers of any kind, but that's impossible in the 21st century. Even if you make it impossible for companies to store credit card info for more than 24 hours, that won't solve the problem, because in the case of the Target attack, it was malware in their system which was capturing the information and sending it to the hackers. It was doing this in real time, so just a few seconds after Target had your info, the hackers had your info.

    Even if you make it impossible to steal credit card info from a brick and mortar retailer, hackers will just move to attacking online retailers. You make that impossible, they'll go after the banks, and they'll keep trying, no matter what solutions you come up with, because there's a big payday at the end.
  9. steve2^4

    steve2^4 Aged Meat

    There is a movement to protect yourself (if you're a data processing company) against lawsuits. Perhaps that's what you have in mind? The lawyers are laughably dictating data processing standards. Idiots.
  10. steve2^4

    steve2^4 Aged Meat

    It's coming, but merchants have to pay for the equipment or pay fines to not be in compliance and weigh this with the cost of losing customers. There are no federal/state standards. It's governed by PCI. Changing those gas pumps to have contact (or contactless RF readers) is costly. It's not going to happen that fast.

    You're right about Target's breach. Details are hard to come by, but it was probably malware introduced a long time before the breach was known. The fear of malware's impact on Windows isn't for your home computer, but for the millions of cash registers, ATMs and back-office servers running Windows.

    I think modern data encryption can solve a lot of the problems, but the cost of adopting the hardware and software is high. And there are no federal or state requirements to do so.

    Besides, your data is in the clear every time you buy a meal or pay your bar tab with a credit card. I don't know why people are so paranoid about giving it to a machine but they'll happily give it up to a cocktail waitress.
    Last edited: Sep 7, 2014
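Added example, not part of any post in this thread: it ties together Tuckerfan's point above that the Target malware lifted card data out of the registers in real time (so a storage-retention limit alone does not help) and steve2^4's point that encryption at the point of capture is what actually addresses it. The first half is the core of what a RAM-scraping POS malware does: scan a memory image for Track 2 data and keep only digit runs that pass the Luhn check. The second half shows what the register keeps once the PAN is swapped for a token at capture, with a retention purge matching the "delete after N hours" idea from the first post. The Track 2 sample is constructed; 4111111111111111 is a published test PAN, not a real account; `TokenVault` is a hypothetical stand-in for a processor-side token service and is not any vendor's API. One caveat the code cannot show: in this Python simulation the PAN still passes through the register's process memory between the swipe and the `tokenize` call, so a scraper timed right could still catch it; real point-to-point encryption does the encryption inside the reader hardware before anything reaches the register's operating system, which is exactly why it defeats this class of malware.

```python
"""Added example: RAM-scraper logic versus point-of-capture tokenization."""
import re
import secrets

# Constructed sample input (not from any real system): Track 2 data as a magstripe
# reader emits it. 4111111111111111 is a published Visa test PAN, not a real account.
SAMPLE_TRACK2 = b";4111111111111111=25121011234567890?"

# Track 2 layout: ';' PAN '=' YYMM expiry, service code, discretionary data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; scrapers use it to separate PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list[str]:
    """What RAM-scraping POS malware does: pull Luhn-valid PANs out of a memory image."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


class TokenVault:
    """Hypothetical stand-in for a processor-side token service (assumption, not a
    real API). In production this sits off the merchant network and holds PANs
    encrypted under HSM-managed keys; here it is a dict so the example runs offline."""

    def __init__(self, max_age_s: float):
        self._store: dict[str, tuple[str, float]] = {}
        self.max_age_s = max_age_s

    def tokenize(self, pan: str, now: float) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(16)     # random; no relation to the PAN
        self._store[token] = (pan, now)
        return token

    def purge_expired(self, now: float) -> int:
        """Enforce a retention limit: drop any PAN older than max_age_s."""
        expired = [t for t, (_, ts) in self._store.items() if now - ts > self.max_age_s]
        for t in expired:
            del self._store[t]
        return len(expired)

    def __len__(self) -> int:
        return len(self._store)


def register_record(track2: bytes, vault: TokenVault, now: float) -> bytes:
    """What the cash register keeps after point-of-capture tokenization:
    a token, the last four digits and the expiry, never the PAN itself."""
    m = TRACK2_RE.search(track2)
    if not m:
        raise ValueError("no track 2 data")
    pan = m.group(1).decode()
    token = vault.tokenize(pan, now)
    return f"TOKEN={token};LAST4={pan[-4:]};EXP={m.group(2).decode()}".encode()


if __name__ == "__main__":
    vault = TokenVault(max_age_s=48 * 3600)
    print("scraper finds in raw swipe:", scrape(SAMPLE_TRACK2))
    record = register_record(SAMPLE_TRACK2, vault, now=0.0)
    print("register keeps:", record)
    print("scraper finds in register record:", scrape(record))
    print("purged after 48h:", vault.purge_expired(now=48 * 3600 + 1))
```

Run it as-is and the scraper recovers the PAN from the raw swipe buffer but nothing from the tokenized register record; the 48-hour purge then empties the vault. Note that a plain hash of the PAN would not be a safe substitute for the random token: the PAN space is small enough that a hash can be brute-forced offline, which is why the token carries no information about the card.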
  11. steve2^4

    steve2^4 Aged Meat

    I read somewhere (corporate spam or the chickencoop) that card fraud in Europe simply moved from retail locations using chip and PIN (that they've had in place for 25 years) to other points, but that the amount of fraud wasn't reduced.
    Last edited: Sep 7, 2014
  12. gul

    gul Revolting Beer Drinker Administrator Formerly Important

    Hmm, you may be right. I was exposed to a set of regulations a couple of years back that were similar to what Europe does, regarding segregation of data types, encryption levels, etc., but that was working for a state contractor. It's possible that the laws only applied to that circumstance. Also possible, Massachusetts might be ahead of the curve on these regulations, so I shouldn't take that as indicative of general US standards.
  13. Ancalagon

    Ancalagon Scalawag Administrator Formerly Important

    Generally speaking I think legislation is less effective the more it tries to micromanage. We get better results when they set the rules and then let people/industry/market sweat the details.

    As such the idea of 'You figure out how you want to protect people's data, but if you fuck it up, here are the penalties.'

    The obvious shortcoming is that the larger corporations could just eat the costs, giving them an advantage. And one-click shopping, returns without a receipt, targeted ads, etc. are all very real advantages.

    Not quite sure what the answer is. Tie fines to revenue?
  14. Aenea

    Aenea .

    Joined:
    Sep 10, 2006
    Messages:
    6,093
    Ratings:
    +5,889
    From what Square says, Chip and PIN has a couple of years before total compliance is necessary. They are currently working on a new reader for their businesses that can read the new cards. However, I'm pretty sure my new CC from Chase is Chip and PIN already. :unsure:
  15. oldfella1962

    oldfella1962 the only real finish line

    Joined:
    Nov 28, 2004
    Messages:
    81,024
    Location:
    front and center
    Ratings:
    +29,958
    I used my debit card at Home Depot about a month ago. So far no unusual activity. If anyone has my info and wants to clean out my account, I spend as fast as I can like a drunken sailor, so they better do it fast! Seriously though, I may just start carrying around huge wads of cash once I pay my bills versus having it sitting in my account where somebody could access it.
    Yes, I take the chance on being robbed, but these days don't we all in one way (gunpoint) or another (cyber attack)?
  16. Baba

    Baba Rep Giver

    Joined:
    Mar 29, 2004
    Messages:
    16,680
    Ratings:
    +5,373
    Biometric cards?
  17. Scott Hamilton Robert E Ron Paul Lee

    Scott Hamilton Robert E Ron Paul Lee Straight Awesome

    Joined:
    Jan 5, 2008
    Messages:
    29,016
    Location:
    TN
    Ratings:
    +14,152
    There are already massive fines that are put into place by the credit card industry on merchants with breaches. And there is also a massive uptick in insurance that covers the consequences of data breaches. The market is already compensating for and protecting against these breaches.

    That said, in a lot of ways, credit cards are very annoying for businesses. Something radically different, if it became available, could replace them in a heartbeat. Merchants hate credit cards - in a dependent sort of way.
  18. Steal Your Face

    Steal Your Face Anti-Federalist

    Joined:
    Oct 2, 2013
    Messages:
    47,727
    Ratings:
    +31,716
    Beat me to it, dammit.