washington outlook
cover story
 
  Consumer Credit
  In Times Like These


by Jim Romeo

    If there is ever a time in the United States when consumer credit is becoming a notorious part of history, it may be right now. The perils of the credit card industry have been overshadowed by the debacles of the sub-prime lending industry as well as the failing firms in that industry who are going bust.
    Seemingly, every month brings a new topic that is upstream from the actual card transaction but nevertheless affects all of the players who make the amazing convenience of card transactions happen.
    A new issue of caution in the card industry is targeted at college students. According to a recent article in Business Week, the House Finance Committee will meet to discuss the damaging effects of issuing credit cards to students. However, it does not end there. The Committee, headed by Massachusetts Democrat Barney Frank, is expected to put a limit on the amount of card purchasing power that students will have in using a credit card.
    The scrutiny has come about from anecdotes and stories about students, who usually do not have income during college (and are, in fact, racking up debt) using cards to pay for food, bills and other expenses. The result is that students are leaving college saddled with more debt than they ever bargained for. In addition, most of this debt was due to their lousy financial hygiene while they were focused on attaining their sheepskin.
    Nevertheless, this extra debt created from sundries and other expenses puts the debt in the hands of the lenders who charge very high interest and just extends the period of debt, as if it were not long enough without the credit card.
    Fraud and security breaches continue throughout the United States; however, overseas incidents are plentiful. Major rings have recently been broken in the UK, and other incidents in places like Sri Lanka, Australia and the Philippines are finding their place on the map. Card security and identity theft are hardly under control.
    The University of Southern California Annenberg School's Center for Digital Future’s 2007 Digital Research Report indicated that any fear about credit card security seems to be constant and creeping upward.
    According to their research, “In 2001, only 5.5% of Internet users reported they were not at all concerned about the use of their credit cards on-line. Remarkably, five years later that lack of concern had risen insignificantly to 6.4%. This seems to be a fear that just will not abate or go away even though much higher percentages of web users are using credit cards on-line than in 2001.”
    Their fear has not slowed them down from making purchases, however. “Users seem willing to make on-line purchases even with this high level of fear. In 2001, we believe, these fears actually inhibited on-line sales. Five years later the fears remain but no longer seem to be a barrier to buying on-line,” said the report.
    So what should regulators at the Federal and state level be thinking about nowadays?
    “The new regulations that are currently being debated and implemented are for security issues that have already been identified,” according to Ray Guzman, Vice President of IT for The International Bank of Miami. “Best practices and standards have been developed to account for most of the issues regarding electronic transactions and online banking. However, the pace of government regulations lags far behind the development of new technologies. As new technologies emerge on the electronic transaction supply chain, the government needs to address the need for new regulatory requirements a lot faster to have any impact on the ability of businesses to operate.”
    “Financial institutions and the credit card brands have been blazing the data security trail in the commercial sector, with the Payment Card Industry's Data Security Standard (PCI DSS) being widely recognized as the most prescriptive, workable, and enforceable regulation currently in existence,” says Michael Gavin, a security strategist with Security Innovation, a consulting firm based in Wilmington, Massachusetts. “Many U.S. states (e.g., Texas, Minnesota, Massachusetts) have, or are considering, legislation based upon the PCI DSS. The impact on ISOs and other payment service providers is that in the short term they may have a fair amount of work and expense to become compliant.”
    Gavin points out, however, that if they build information security policies and procedures to comply with the intent as well as the letter of this or any other regulation, in the long term they will have a much more efficient, manageable, and secure environment, and they will recoup the expense of becoming compliant fairly quickly (2 to 4 years).
    “On the other hand,” explains Gavin, “those who take the short-sighted approach of doing the minimum amount of work to comply with the standard specifically as it exists when they do the work won't spend as much up-front, but will never recoup that expense, and furthermore, will need to spend even more money for every change to the regulation and for every new regulation that they must comply with.”
    “These regulations are changing over time, e.g., the 1.0 version of the PCI DSS focused primarily on infrastructure information security, i.e., network and host based security requirements and controls,” says Gavin. “The 1.1 version of the PCI DSS adds more focus on the security of the software running on those hosts in those environments. Future versions of the PCI DSS will likely add even more emphasis on software or application security, as well as expand requirements regarding data security. Other regulations may either adopt the PCI DSS as their enforceable component, or recommend the PCI DSS as a best practice for implementing those regulations.”
    “In the next couple of years, regulations surrounding online transactions will continue to be addressed,” says Guzman. “One of the key areas that will be discussed is online purchases and funds transfers. The industry will move away from credit card transactions as the primary method of online purchases and identification and instead turn to radio frequency identification (RFID) and biometrics to authenticate users. This will all have a major impact on how people's transactions are monitored and identity theft is detected. In turn, new regulations will mandate additional requirements surrounding how businesses and banks protect individuals' personal data and transmit financial records over the Internet.”
    “The current goal is to vastly improve the security of all entities involved in the transaction supply chain,” adds Gavin. “Once that has been universally achieved, the card processors will continue to look at ways to prevent fraud and the theft of card data; those are the overriding goals of the regulations. In addition, they will then look for ways to make money on these new secured channels, e.g., pushing e-commerce, self-help web-based portals, single source of personal and SMB financial and insurance products, and other cost saving and/or income generating initiatives.”
    Gavin explains that there have been complaints that these regulations are too expensive, especially for small to medium size businesses (including ISOs), to implement. Says Gavin, “I firmly believe that, if done right, these regulations can help to lower costs in the long term.”
    “It is best that businesses identify and align all information technology and business strategies in order to comply with present and future regulations related to electronic transactions,” says Guzman. “One way to stay on top of the most recent technologies and issues is to research and discuss with vendors the future products and services in development.”