Today in the mail I saw the all too familiar envelope from my bank’s debit card issuer. No, my debit card isn’t expired. As usual, it’s been involved in yet another credit card processing breach.
Again, as usual, my bank doesn’t tell me where my card number was compromised. This time though I have a very good clue thanks to the recent Hy-Vee breach announcement. Unfortunately, no matter where the card is compromised I have to go through the dance of changing my recurring payments and updating anything else that is connected.
So why am I ranting about this on my blog? Because in my humble opinion it’s time for the companies that handle credit cards to be held to a higher standard. The security auditors in the room are now yelling, “But what about PCI-DSS!” PCI-DSS, HIPAA, etc. are only as good as the penalties for non-compliance. With HIPAA there is at least the threat that the US government will step in and issue fines to an organization when there is a breach or an audit reveals deficiencies. PCI-DSS, on the other hand, is a set of rules developed by the Payment Card Industry (PCI) themselves. The only threat companies face for non-compliance is that they may get breached. Then, if the affected customers don’t band together in a class-action lawsuit, the company will most likely just wave free credit monitoring at the affected users, if they even do that.
To be honest, I don’t think the actual payment card companies like Discover, Visa, and Mastercard are the problem. It’s the companies that use their services. They’re the weak link in the security chain. It’s Target, Home Depot, Hy-Vee and the countless others that are the problem.
In my latest exposure, I wasn’t doing anything online where I was saving my card for future use. It was either compromised by using it at the Hy-Vee restaurant or their gas station. Either way, why was any of my information stored? Run the transaction, record the transaction number and result, and poof, my PAN and PIN should be history.
I’m not a huge fan of government regulations. But I think that the businesses using credit card information have proven themselves inept at regulating their industry on their own. There need to be regulatory penalties and redress for consumers when their information is mishandled.
Beyond the penalties, though, there should be required reporting. There’s no excuse that Hy-Vee or whoever else didn’t contact me directly. In this communication the consumer should be made aware of the following:
- What was exposed?
- When was it exposed?
- How was it exposed?
- Why was the information stored?
What do you think about the current state of security when it comes to payment cards?