It’s all about the consumer. The push from federal legislators to implement measures to protect the consumer seems like it will never stop, and it has a two-pronged focus: security and disclosure. Vendors in the transaction industry need to pay attention to this.
Industry players that we spoke to seem to think that while consumer disclosure has much of the attention of leaders such as Senator Carl Levin (D) of Michigan and Representative Carolyn McCarthy (D) of New York, security concerns are also not going away. Security has to be on the minds of the same folks who are concerned about consumer disclosure.
It’s not just about Democrats either. In fact, recently, the senior ranking Republican on the House Financial Services Committee, Spencer Bachus (R-Alabama), made a statement that “Members on both sides of the aisle – regarding industry practices that they view as particularly unfair, and that are in some instances enough to offend the sense of justice of the average American. The level of dissatisfaction – and in the case of many of my constituents, anger – at these practices has reached a point where more than just enhanced disclosures may be needed to address the concerns. Several of the largest credit-card issuing financial institutions have recently announced changes to some of the practices that have caused the greatest public outcry – and I commend them for it – but it is nevertheless perfectly appropriate for this Committee to fully examine these issues to ensure adequate protection of the American consumer.”
This is a familiar tune that has been resonating from the financial committees and subcommittees lately. However, there is another issue that we also keep hearing about over and over with regard to the card industry and electronic transactions: security. There’s every reason to expect that tighter measures to ensure that consumer identity and security are not compromised will also continue to be on the radar scopes “on both sides of the aisle,” as Bachus puts it.
Eric Linxwiler, Executive Vice President of EncryptaKey, a company in Cypress, California specializing in information systems security technology, cited some statistics that he found from TrustedID of Redwood City, California regarding identity theft:
- There are over 10 million identity theft victims in the US.
- An identity is stolen every 4 seconds in the US.
- The average cost to restore a stolen identity is $8,000.
- Victims spend an average of 600 hours recovering from this crime.
“Alarming trends such as these coupled with the attention now coming from the highest levels of government through the creation of President Bush’s Identity Theft Task Force, make it evident that government leaders on every level will continue to deliberate intensely around mandating higher quality and security standards when it comes to protecting citizens’ personal and financial privacy,” says Linxwiler. “It should be noted however that it is most often the Government itself and its local, state and federal agencies that appear to be most at risk and suffer the most consistent losses.”
Linxwiler cites as an example the breach recently reported by the Utah Attorney General, in which as many as 20,000 Social Security numbers were stolen from the Division of Workforce Services.
“While it appears certain that US employers, financial institutions, credit card processors and both on-line and brick and mortar retailers alike will continue to get most of the Government’s attention over the next several years, one could only hope that leaders take necessary steps in scrutinizing their own security policies and procedures,” he adds.
“While it is noble and somewhat expected by the general public that the Government continues to raise its level of scrutiny related to electronic transactions, the dialogue tends only to result in futile attempts to ‘legislate solutions’ for identity protection, which typically means long debate, insatiable appeal and slow adoption,” says Linxwiler. “One could argue that the solution lies not in more Government intervention but rather in a substantial overhaul of long-held security practices. Rather than continuing to focus on higher levels of regulation for how suppliers and service providers protect data, perhaps we should provide education and solutions to the very people who create the opportunity for theft in the first place: remote workforce employees and common internet users and ecommerce consumers. Solutions exist today that focus more on empowering end users to take protection into their own hands and less on imposing limitations. Higher levels of protection are available today that will not require legislative mandate, infrastructure modifications or standards alterations.”
“The security industry is poised to initiate a paradigm shift with regard to how data and citizens are protected and given the appropriate motivation,” he adds. “Government could help make this happen with less scrutiny and legislation and more education and sponsored promotion.”
Others in the industry concur. “My general view is that we are going to see increasing levels of government regulation and scrutiny of electronic transactions from a variety of different sources,” says Tom Smedinghoff, an attorney and partner with Wildman Harrold in Chicago, where his practice focuses on the new legal issues relating to the developing field of information law and electronic business activities. “One of the biggest areas of new regulation for electronic transactions will revolve around data security issues, particularly where personal data is involved.”
Smedinghoff gives several examples of data security measures that are being taken.
First, he states that the Federal Trade Commission has begun taking the position that failure to provide adequate security for online transactions (and personal data) is an unfair business practice.
He also points out that the Federal banking regulators have opened the debate over the issue of authentication by stating that single factor authentication is insufficient for online banking transactions. “We are likely to see more activity on that front, particularly as online commercial fraud problems increase,” says Smedinghoff. “Even the United Nations, through its Commission on International Trade Law, is looking at the issues raised by cross-border authentication.”
He adds that transactions involving credit cards are also under the microscope as a result of the TJX breach. Several states have introduced legislation to mandate compliance with all or part of the Payment Card Industry (PCI) standard for credit card processing. He points out that a law in Minnesota has already passed.
“Discussions are actively underway to consider the role of notaries in online transactions, and how they might add security to the process,” Smedinghoff adds. “Virginia recently passed an electronic notary statute, and work may soon begin on uniform legislation to define the role of the notary in electronic transactions. Courts are starting to question the admissibility of evidence from electronic transactions without an adequate showing of security, and we can expect more scrutiny of those issues in future decisions.”
When it comes to vendors in the electronic transaction supply chain, there are several ways they may be affected according to Smedinghoff.
“Vendors may well find that either compliance with new rules is a condition of the enforceability of electronic transactions, or non-compliance carries significant penalties,” he explains. “In either case, however, increased government regulation and scrutiny will put a premium on carefully designing the processes for online transactions to ensure legal compliance. This includes, for example, implementing appropriate processes to properly authenticate the other party, establish a legally valid signature or other act of assent, ensure a legally valid contract, make appropriate disclosures and, where necessary, obtain appropriate consents from the other party, and adequately protect the security of the data involved in the transaction.”
Others we found in the industry believe that existing regulation for the transactions industry will tighten around data integrity and that enforcement of those regulations will also increase.
“Our view of the one and three year time horizon for regulation of electronic transactions is that there will be tighter regulation focused on the processing, storage and information management practices (read hygiene) as it relates to electronic transactions,” says Tom Keithley, Vice President, Credit and Integration, at I4 Commerce, a Timonium, Maryland-based developer of technology and software solutions for merchant payment and transactions. “The regulation changes will likely include introduction and/or strengthening of financial penalties for non-compliance. At the same time, enforcement of existing regulations will also increase.”
But like Smedinghoff and Linxwiler, Keithley also sees security at the forefront of most discussions by federal regulators. Keithley feels that the growth of networks means more vulnerability and security risk. “In general, the protection of private personal information has become a regulatory imperative due to the explosion of electronic commerce as well as the recognition that the rapid advances in software and publicly available networks have introduced a larger number of gaps or vulnerabilities in the technologies that underlie the new points of interaction,” says Keithley. “The impact of this trend on vendors depends on where the vendor sits in the value chain. In general, end-users that interact heavily with consumers (read: merchants) will respond to the increased level of financial penalty and the incremental costs to mitigate this risk by looking for solutions that remove the cost and the risk from their P&Ls.”
Keithley cites the example of a merchant holding credit card data and personal customer information within their database. Today, he says, they will be motivated to look for solutions that allow them to close the sales without holding the sensitive data. “Hosted checkout solutions will likely benefit from the change in regulation as long as they have adequate data security built into their platforms,” says Keithley. “If you shift to the software as a service vertical, the regulatory changes may well be a net negative as most of these models do not have the margin to absorb the incremental costs without changing their pricing. Additionally, merchants will look much more carefully at storing critical information on another entity’s servers. Similarly, models that collect and store sensitive data but do not have matching revenue streams providing revenue to their business will be negatively affected as they cope with the incremental cost that comes with the changes.”
As Keithley puts it, “the longer term effect of the regulatory changes will be to reduce the information held as everyone in the chain begins to rethink the cost/benefit trade-off of holding the data.”