The new members of the House and Senate seem to be putting some
issues out through committees and to the press, which could affect
how the electronic transactions industry does business.
It is difficult to assess how these issues will affect different
interests within the industry.
In January, the Senate held a hearing entitled “Examining the
Billing, Marketing and Disclosure Practices of the Credit Card
Industry and Their Impact on Consumers.” While much of the focus of
the hearing was the impact of practices within the credit card
industry on consumers, other topics arose that are of interest to
industry suppliers.
“I would be remiss if I did not mention one issue likely not to be
explored today—credit card interchange fees,” said Senator
Christopher Dodd of Connecticut, Chairman of the Senate Committee on
Banking, Housing and Urban Affairs in his testimony at the committee
hearing. “These fees are imposed on merchants and consumers by banks
and card associations when a credit or debit card is used to pay for
a purchase. Interchange fees are growing exponentially – and the costs
associated with these fees are expected to be between $30 and $40
billion this year alone. These opaque fees, assessed on merchants,
are passed on, in part or in whole, to consumers who have no
knowledge or understanding that a fee is even a part of the cost of
bread or milk, or any other consumer product.”
Industry professionals have a mostly supportive reaction to the
testimony and other communications from Washington.
“Senator Dodd should be commended for his attempt to take a stand
against the banking industry at large for contributing to the
unraveling of the very foundation that drives economic growth in the
U.S. and world-wide,” says Kelly Owen, CEO and Founder of
EncryptaKey, a Cypress, California-based technology solutions
provider for the identity verification market. “The foundation for
commerce in the digital age was built on a legacy of trust; trust in
the consumer that by simply putting their signature on a paper check,
they had the means and responsibility to honor that check.”
“Trust in the debit card or credit card world begins with the card
issuer, providing a consumer with an account and a plastic card, and
the merchant trusting they would indeed receive complete compensation
for a provided good or service,” adds Owen. “With the now rampant
challenges surrounding identity theft and financial transaction
fraud, the foundation of trust has been taken away, consumer
confidence is shaken and thus, the further proliferation and rapid
adoption of a technology-driven economic system is slowed.”
Others at the committee hearing emphasized the need for more
oversight with regard to identity theft. “We have a crisis in the
failure to protect and be held accountable for the personal and
financial costs of identity theft and fraudulent use of credit card
accounts,” said Dr. Robert Manning, Director of the Center for
Consumer Financial Services, Rochester Institute of Technology, who
testified at the hearing. The under-publicized hacking into the debit
card accounts of hundreds of thousands of consumers last year
underscored how easy and desirable it is for criminal syndicates to
compromise the debit card systems of several major banks.
However, Owen points out that the regulatory oversight is a precursor
to a growing case for a safe gateway leading up to the consumer’s
point-of-entry. “It is up to the leading financial institutions to
make significant contributions in rebuilding consumer confidence and
proactively join in the fight against cyber crime. The security
technology that is employed by banks, financial services
organizations and both online and brick and mortar retailers is
obviously not adequate because it focuses on securing the ‘point-of-entry’ rather
than the means for arriving safely at the entry gate to begin with.”
When it comes to fees, Owen emphasizes that they should be viewed as
a cost to the value they provide. “Financial institutions have no
shame in charging fees for ‘non value-added’ services such as the
‘right’ to conduct a transaction in the first place, perhaps these
same institutions should focus on providing a tangible, meaningful
and mutually beneficial solution to a real problem,” says Owen.
“Solutions are available to be explored and implemented today that
allow consumers to establish secure, bi-directional transaction
conduits between host computers and their financial or retail
organizations of choice and at the same time block would-be hackers
from capturing sensitive identity and account-related information.
Congress should hold these institutions accountable for demonstrating
that they have indeed researched and tested every proposed solution
available rather than simply relying on hidden or misrepresented fees
to off-set the cost of financial losses through cyber crime.”
In the same month, more news broke when TJX, the Framingham,
Massachusetts-based parent of the TJ Maxx and Marshalls discount
retailers, revealed that its card-processing network had been hacked
and that the financial details of millions of customers may have
been exposed.
This has sparked interest among members of the House. The Washington
Post reported, “Data privacy is likely to be among the hottest
technology issues to face Congress this year, in part due to interest
from the new chairman of the House Financial Services Committee.”
As if that weren’t enough, the Post went on to report: “Panel Chairman
Barney Frank (D-Mass.) said he plans to craft a bill that would
exempt companies from disclosing data breaches, provided they secure
the data with encryption software or other technology that would
render it virtually unreadable if it fell into the wrong hands.”
This could be bad news for some, but good news for others in the
industry.
“I learned of the latest data breach from a financial institution
that may have to bear the costs of informing customers and issuing
new credit cards but they were not told why,” explained Congressman
Barney Frank, Chairman of the House Financial Services Committee.
“This is further evidence of the need for a provision that Democrats
pushed for in last year’s debate over data security. Mainly, those
institutions where breaches have occurred must be identified and they
must bear responsibility. Specifically, this means retailers or
wholesalers must take responsibility, contrary to what common
practice is today.”
“The legislative discussions of ‘usability’ are profound bills that
shall affect not only the financial services community and its
deployment of new technologies for years to come, but more
importantly, consumers’ confidence that their most private financial
data is rendered useless if lost or stolen,” says Michael Weathers,
Vice President of Governance & Risk at Fidelity Information Services
– a leading provider of core financial institution processing, card
issuer and transaction processing services. “As history has shown,
technology changes daily and U.S. consumers’ acceptance of new
technologies that improve conveyance at reduced cost are thoroughly
embraced throughout the country.”
“Consequently, it’s fundamental that in order to ensure the
progression of the next generation technology providing greater
security measures to consumers, bills such as Senator Frank’s should
maintain neutrality concerning the use of specific types of
technologies,” adds Weathers. “Encryption may be today’s highest
level of security measure, but surely won’t be enough to protect
consumers against the next generation of attacks. Therefore,
technology companies require the flexibility to enhance their
products to ensure that they are always one step ahead of any new
threat. Senator Frank’s positions are a step in the right direction;
the underpinnings of these bills should focus on establishing an
industry security standard and best practice, rather than outlining
specific technology that may become obsolete prior to consumer
acceptance.”
“We feel that any legislation that protects commerce and the ability
of an organization to continue to do business and protect his/her
brand is a good idea,” says J.D. Oder, Vice President - Research &
Development and Chief Technology Officer at the Las Vegas, Nevada-
based Shift4 Corporation.
“It is bad enough to lose consumer data, it is far worse to lose
consumers entirely,” adds Oder. “It is a good first step, but
caution with the ‘idea’ of encryption must be taken. Encryption is
great on the surface, but it is not all that is necessary to protect
against loss from a breach. Encryption requires organizations to
follow appropriate (sometimes-cumbersome) encryption key management
methodologies in order to give the encrypted solution efficacy. That
is, if one does not protect the keys, or the keys are lost, then it
is of no use, or worse under such legislation. If you put your keys
under your front door mat, locks are of no use.”
“Methods of protecting data in commerce that do not require the data
to be present at the exploitable location whether encrypted or not,
are a better solution,” adds Oder. “Methods that remove data from the
handling of systems operated by organizations are even better.”
The problem it seems is in the mountains of data that existed without
adequate protection.
“The challenge for banks and merchants is that all this data has been
sitting around unencrypted and unprotected for decades but it was
protected via obscurity, i.e. you could only get to it from private
networks – you couldn’t access it from the Internet,” says Julie
Fergerson, Vice President of Emerging Technologies for Debix, and a
co-founder of the Merchant Risk Council. “To upgrade the
infrastructure is incredibly important but one must recognize that it
can cost banks and merchants millions of dollars to protect these
systems. Additionally, these are major technology overhauls that
cannot be done overnight. Therefore, the question every executive
weighs currently is one of balance between the business risks of not
securing their environment versus the hefty expense of securing the
environment.”
Fergerson points out that PCI is a great first step by the credit
card industry to hold merchants and banks who do not secure their
environments financially accountable for breaches.
“I suspect over time, there will be a shift from penalties if a
breach occurs and there was no compliance, to a penalty if a company
chooses not to comply,” she adds. “I would also be remiss if I did
not mention that account takeover fraud (stealing the account
information and using it) is actually on the decline and consumers
have ‘zero liability’ for transactions they did not make. I am far
more concerned about the storage of my personal information such as
SSN and DOB, which I cannot change.” New account identity theft is,
according to Javelin, on the rise and a serious problem.