PCI exists to protect credit card companies, not consumers

February 20, 2007 9:13 AM EST
From on the Stop & Shop breach:

"The credit card company eats it," Mendes said. "Not me."

Michael Farnum got the right quote, but totally missed the point of the Payment Card Industry Data Security Standard (PCI DSS) yesterday; the PCI standards weren't created to help consumers, they were created to protect the credit card companies from fraud and to transfer the risk from the credit card companies to merchants and merchant banks.  The fact that this makes consumers feel more secure and gives the illusion that Visa and MasterCard care about consumers is a nice side-effect, but protecting the companies' own bottom line is why these standards really exist.

Don't get me wrong, I'm a big fan of the PCI standards, but the maximum a consumer is going to have to pay if their credit card is compromised is fifty dollars.  While not an insignificant amount, about the cost of an inexpensive dinner and movie for a couple, $50 is nothing compared to the thousands of dollars that can be charged against your credit card in just a few minutes by a clever thief.  So the real impact to the consumer is almost insignificant, and Mr. Mendes probably has the proper amount of concern over an incident that really doesn't have that much of an impact on his life.

The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored. PCI was created to set a baseline these merchants have to adhere to, thereby lessening the number of compromises suffered by merchants.  Before PCI, if a merchant was compromised, they suffered an embarrassing incident, but the bulk of the financial burden was carried by the credit card companies who ate the charges, not the merchants.

PCI pushes that burden downstream and forces merchants to take on a preventative role rather than a reactive role.  They have to put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance, or be fined by their merchant banks.  By forcing this to be an issue about prevention rather than reaction, the credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs anyway.  The fact that this increases overall security for consumers and merchants is an excellent byproduct, but the reality is, it's about the credit card companies not having to eat the cost of compromises.

If the consumers had to shoulder the burden of compromises and credit card fraud, PCI would never have been created.  But since the law states that consumers are only liable for a token amount, someone else has to pay that cost.  Visa and MasterCard were paying that cost, but have figured out how to transfer the risk to the merchants and simultaneously created a PR campaign that shows they really care about consumers.  As usual in business, it's not about doing what's right, it's about doing what's going to make the most profit.

Sorry Michael, but PCI is just about profit when it comes down to it, not protecting consumers.