As the new year breaks, it gives us the opportunity to pause and reflect on the events of the past year, and on the trends likely to emerge.
Some might be tempted to say that 2007 was a difficult year: the TJX breach yielded over 95 million compromised records and focused attention to an even greater degree on the protections afforded personal data. For an industry whose existence depends upon the rapid exchange of “personally identifiable information,” such scrutiny is often uncomfortable, not because of any misdeeds on the part of the industry per se, but because the industry is not well understood by those who are not part of the community.
That lack of understanding has manifested itself in countless ways over the past year. Most notable was the media’s very effective job of equating account data compromise with identity theft. The likelihood of committing identity theft from a single account number, with no accompanying data, is very slim. If the card data is stolen in conjunction with other personal data (name, address, Social Security number), the likelihood increases, but card data theft alone does not equal identity theft. This misconception has cost companies hundreds of thousands of dollars as they battle plaintiffs’ attorneys over the printing of expiration dates alongside truncated account numbers on receipts. Again, the likelihood of identity theft being perpetrated with such information is so negligible as to be almost non-existent. Yet the industry is complex enough that these lawsuits continue to be a blight upon it.
The complexity of the industry also resulted in states proposing, and in Minnesota’s case passing, laws that write portions of the PCI DSS into statute (Minnesota’s codifies the prohibition on retaining sensitive authentication data after authorization). Both California and Texas came within a hair’s breadth of passing laws that would have had a significant impact on the industry, yet with almost no input from anyone other than consumer advocates and credit union associations. This is not to say that their input was not valuable, but it would certainly be helpful to hear from all sides of the issue before passing such a potentially impactful law. The Texas legislation has been tabled and will likely be resurrected in the next session. The California law was, surprisingly, vetoed by the governor, who indicated a need for a more balanced approach. A glimmer of hope that the complexity of the industry is not lost on all.
It almost goes without saying that legislation is going to continue to be something with which the industry will wrestle. At both the federal and state levels, politicians are moving to act in ways that can be construed as “consumer protection.” Hence the flood of state data breach notification laws, each with its own triggers, deadlines and notice requirements. The federal government should act to minimize the confusion created by those notification laws by passing one that would supersede them. Debate over federal data security and breach notification laws dragged on throughout the last year, and will likely do so again.
FACTA also spread its shadow over the year. Merchants, and even some service providers, were plagued by plaintiffs’ attorneys filing class action suits over the printing of receipts containing both truncated account numbers and expiration dates, which FACTA’s receipt truncation provision prohibits. Though these suits have met with little success, the very fact of their existence is a trouble to the industry at large. Companies have spent hundreds of thousands of dollars defending the cases, despite repeated findings in which judges declined to grant class status and stated that the harm done to the plaintiff as a result of these “violations” was so negligible as to be almost non-existent. Though that seems favorable for the industry, the fact remains that these cases are likely to continue plaguing it in the coming year as attorneys seek out more “plaintiff friendly” states in which to file.
In addition to the external pressures brought to bear on the industry, the industry is also facing significant pressure from within.
Merchants have become savvier about their PCI compliance obligations, forcing the companies that service merchants to become equally savvy in supporting PCI compliance. The card brands have become much more proactive in their enforcement of compliance issues. The end of the year saw the Payment Card Industry Security Standards Council (PCI SSC) announce the adoption of a new standard, the Payment Application Data Security Standard (PA-DSS), which grew out of Visa’s Payment Application Best Practices and governs the commercial payment applications that merchants and service providers deploy.
The tension within the industry increased when the National Retail Federation sent a charged letter to the PCI SSC denouncing the card brands for requiring merchants to retain certain data. The letter met with mixed reaction from the industry at large. While the merchants certainly applauded such a move, many in the industry viewed the event with a jaundiced eye. The passing of blame serves little purpose, except perhaps to divert the attention of the public, a bit of sleight of hand to trick the consumer’s eye.
Given the above, it can be easy to become somewhat cynical about the state of the industry, but there have been positive changes as well.
First and foremost, the increasing focus on data security and privacy has led companies to make it a top-of-mind initiative. As more and more companies promote security, consumer confidence in those companies can be expected to grow apace. As companies discover the competitive advantages to be enjoyed by protecting data, the security of the industry as a whole will increase.
Additionally, the past year has seen an increased emphasis on educating the industry about data security. Visa USA in particular has taken great steps towards educating acquirers, merchants and service providers about its Cardholder Information Security Program (CISP). In October, MasterCard Worldwide introduced its PCI Merchant Education Program. These initiatives answer a growing call for more insight into the PCI DSS and the objectives of the program. The coming year is going to see a continuation of such initiatives. Likely these programs will be enhanced as the industry becomes more informed and the PCI DSS becomes more entrenched in the daily business operations of companies in and around the industry.
Though PCI DSS awareness has certainly reached critical mass, many companies are beginning to move beyond “security for compliance’s sake.” In the past some companies addressed security simply to meet the letter of the law, so to speak. The evolution of the industry has taken many past that mindset. PCI DSS is increasingly addressed as a component of the larger IT governance puzzle, and companies will continue to address compliance issues within the context of an overarching IT governance program. Not only does this allow companies to bring other types of data (rather than simply cardholder data) under the protective auspices of their data protection program, but in many cases adhering to a broader IT governance framework provides a significant step towards achieving PCI DSS compliance. The same controls (access control, logging, change management, encryption of stored data) can then be mapped to other compliance obligations, such as SOX or GLBA, rather than built once per regulation.
Another trend that is likely to continue in the coming year is innovation, from all corners of the world. Last year saw a spike in solutions from service providers designed to supplement and support their customers’ compliance initiatives, and several such companies will continue to offer innovative solutions to the problem of data protection. The innovation does not come only from service providers, though. Several merchants have devised unique ways to successfully address their compliance obligations. Innovation has also derived, and will continue to derive, from quarters only tangentially related to the industry. Security product vendors have begun to develop products and services made specifically to meet the security and compliance needs of the payments industry. Though the “silver bullet” approach is still used by those who do not understand the market, many vendors have become more informed about the business objectives, as well as the security objectives, of the industry.
The theme emerging here is that the focus on the payments industry, from merchant to card brand, is increasing. This may seem somewhat redundant, but neither the industry nor the individual companies within it will be able to “fly under the radar.” Companies are being held increasingly accountable for the data in their purview. The call for greater transparency is affecting every aspect of public life, from government to the financial industries, and the electronic transaction industry is not immune. Growing public awareness of the industry, and of the data required to fuel it, may be seen as a challenge. The goal for the coming year should be to meet that challenge head on. While the industry has, in fact, made great strides in protecting data, even more can be accomplished.