Is the media letting banks off the hook on payment card security?
Gartner analyst Avivah Litan has a bone to pick with the media. She wants reporters to stop beating up on TJX and other retailers over security problems and for a change start focusing more on why banks and credit card companies aren't doing more to fix payment system security.
The real problem isn't that some retailers are failing to adequately secure credit card data. Sure, that's an issue. But a much bigger one is that the entire payment system is decades old, archaic and in desperate need of a complete security overhaul, she said.
And the folks who need to fix it are the very banks and credit card companies making retailers jump through hoops with all sorts of security mandates. "Nobody ever talks about the fact that the banks and credit card companies could solve this more easily" than retailers could, Litan said. "But they are just not putting any effort into it."
According to Litan, rather than trying to get every entity around the world that handles payment card data to implement security controls, it is a lot simpler to fix the system so that such controls are far less necessary in the first place. For starters, banks could make it less necessary for merchants to store cardholder data, she said. Retailers store this data because it is needed for handling chargebacks, and sometimes for handling recurring charges and refunds. If merchants aren't forced to provide this information to banks when handling a chargeback, they won't keep it in the first place. And if they don't keep it, they can't lose it.
Alternatively, the banks themselves could store the data. They already have better security controls than the average retail merchant, and there are far fewer banks than retailers, so the data is easier to safeguard, she said. The National Retail Federation has already proposed this, and it is an issue that needs to be seriously considered, according to Litan.
Another option is to require a personal identification number (PIN) for every payment card transaction. The approach is already used in Europe and there's no reason it can't be used in the U.S., she said. "The fraud on signature debit is 43 times higher than PIN debit," Litan said. Taken at face value, that ratio means fraud on signature debit transactions would fall by roughly 97% if those transactions required a PIN. "But the banks actually encourage merchants to use signature debit," because those transactions get them more money, she said.
It also wouldn't hurt for credit card companies to look at the new RevolutionCard from Revolution Money, a company backed by Steve Case (of AOL fame), Litan said. The card is not embossed with a name or an account number, and every use requires a personal identification number, so the chances of an unauthorized user committing fraud with a lost or stolen card are mighty slim.
There's another option: some contactless cards today already use dynamic card verification values that change with every transaction, so a code captured from one purchase cannot be replayed for the next one. That's a concept worth considering, she said.
"Banks get bent out of shape" when they have to bear the costs of fraud resulting from a data breach, Litan said. With the TJX breach, for instance, a lot of the stolen data was magnetic stripe data, which was used to make counterfeit cards for what's called card-present fraud. Banks typically pay the costs of such fraud and go after retailers for not protecting the data, she said. But when it is the retailer who has to eat the cost of a fraudulent transaction, the concern for security isn't the same, she said. "They have not really cared about strong protections if it is a card-not-present transaction" that led to fraud, she said.
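To make concrete why a per-transaction code defeats the counterfeit-card fraud described above while a static stripe value does not, here is an added simulation (not from the article, not any card network's actual algorithm) of an issuer verifying a dynamic verification value. The construction is an assumption for illustration: a per-card key is derived from a placeholder issuer master key, the code is a truncated HMAC over the PAN and the card's transaction counter, and the issuer enforces a forward-only counter window. All keys, PANs and transactions are constructed test data.

```python
import hashlib
import hmac

ISSUER_MASTER_KEY = bytes.fromhex("00" * 16)  # constructed placeholder, not a real key
PAN = "4000123412341234"                        # constructed test card number


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key; assumed KDF (HMAC of the PAN under the issuer master key)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def dynamic_cvv(card_key: bytes, pan: str, atc: int) -> str:
    """Three-digit code bound to the card's application transaction counter (ATC).
    Assumed construction: truncated HMAC-SHA256. Real cards use a card-side block
    cipher MAC, but the property shown (one code per counter value) is the same."""
    mac = hmac.new(card_key, f"{pan}|{atc}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def static_cvv_check(stored: str, presented: str) -> bool:
    """How a static stripe code is checked: plain equality, so a copy is as good as the card."""
    return hmac.compare_digest(stored, presented)


class Card:
    """Simulated contactless card: bumps its counter and emits a fresh code on every tap."""
    def __init__(self, pan: str, card_key: bytes):
        self.pan, self.key, self.atc = pan, card_key, 0

    def tap(self) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "cvv": dynamic_cvv(self.key, self.pan, self.atc)}


class Issuer:
    """Issuer host: recomputes the code and only accepts a counter that moves forward."""
    def __init__(self, master_key: bytes, window: int = 10):
        self.master_key, self.window, self.last_atc = master_key, window, {}

    def authorize(self, txn: dict):
        pan, atc = txn["pan"], txn["atc"]
        last = self.last_atc.get(pan, 0)
        if atc <= last:
            return False, "counter not increasing: replayed or stale code"
        if atc > last + self.window:
            return False, "counter jumped too far: out of window"
        expected = dynamic_cvv(derive_card_key(self.master_key, pan), pan, atc)
        if not hmac.compare_digest(expected, txn["cvv"]):
            return False, "code does not verify"
        self.last_atc[pan] = atc  # commit the counter only after a good code
        return True, "approved"


def run_demo() -> dict:
    """Runs the scenarios and returns approve/decline per case (constructed data)."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    card_key = derive_card_key(ISSUER_MASTER_KEY, PAN)
    card = Card(PAN, card_key)
    results = {}

    first = card.tap()                                    # ATC 1
    results["legit"] = issuer.authorize(first)[0]         # fresh code: approved
    results["replay"] = issuer.authorize(dict(first))[0]  # sniffed and resent: declined

    card.tap(); card.tap()                                # ATC 2, 3 used where the issuer never saw them
    fourth = card.tap()                                   # ATC 4
    results["skipped_ahead"] = issuer.authorize(fourth)[0]  # inside the window: approved

    # Counterfeit card built from captured data: the attacker knows the PAN and old
    # codes but not the key, so must guess the code for the next counter value.
    # A guess succeeds 1 time in 1000; pick a guess that is certainly wrong so the
    # run is deterministic.
    real_next = dynamic_cvv(card_key, PAN, 5)
    wrong_guess = f"{(int(real_next) + 1) % 1000:03d}"
    forged = {"pan": PAN, "atc": 5, "cvv": wrong_guess}
    results["forged"] = issuer.authorize(forged)[0]       # declined

    # Even a valid code is refused if the counter leaps far beyond what the issuer expects.
    far = {"pan": PAN, "atc": 54, "cvv": dynamic_cvv(card_key, PAN, 54)}
    results["far_jump"] = issuer.authorize(far)[0]        # declined

    # Contrast: a static stripe code copied in a breach replays indefinitely.
    stripe_code = "123"                                   # constructed static value
    results["static_replay"] = static_cvv_check(stripe_code, "123")  # accepted, every time
    return results


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:14s} {'approved' if ok else 'declined'}")
```

The window check is what makes the scheme usable in practice: a card tapped at an offline or declined terminal advances its counter without the issuer seeing it, so the host must tolerate small gaps while still rejecting anything that goes backwards.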
"So it's easy to beat up on TJX, but you need to spread your beating a little," Litan said, referring to the media.
What do you think? Should banks and credit card companies take more responsibility for securing the payment ecosystem? Or is it the retailers themselves who are ultimately responsible for keeping it safe? After all, whatever the merits of their arguments may be, retailers are the ones holding all the customer data at the moment. Even if fundamental changes are made to the payment system, it's going to take years for retailers to purge all cardholder data from their systems and their applications. Until then, at least, shouldn't they be the ones held primarily accountable for protecting that data?