PCI DSS and Regulatory Compliance Blog

Seek first to understand, and then to be understood

February 26th, 2007 Posted in Credit Card Fraud, Merchant

I am beginning to understand the pressure the card associations and the PCI SSC are under, when all I read are the naysayers. I don’t know whether it’s just security people who are critical or just curmudgeons who like to blog, but I hear more bad things said about PCI than good ones. I think this is the same reason you only see crime and punishment in the news: for the shock and awe value.

I wish that people would seek first to understand and then to be understood.

I hear person after person complain about PCI, but never once offer an alternative, much less have any idea what the real alternative would be. I wrote in my Gestalt of PCI manifesto about the ‘price’ vs. ‘cost’ of credit card fraud, so that cost is real. I also wrote about the alternative to industry-regulated compliance programs, namely government-regulated compliance programs, and you can see how well that is working for SOX.

I can see how Alex might be harsh on compliance; maybe he got burned by a bad auditor, or maybe he just doesn’t understand the full scope of how it works. I dislike his comment that PCI awareness is “superfluous”. Perhaps I can share some insight into the “teeth” behind PCI.

The $5m he claims TJX suffered in data losses is just the tip of the iceberg. They may have spent $5m on forensic costs and initial fines, but that is like sitting in the eye of a hurricane, or the quiet before the storm. Consider the following:

  • TJX is currently the target of several class action lawsuits.
  • Reissuance fees are an average of $25/card. Assuming they only reissue 2% of the 40m cards (800,000), that is a cost of $20m.
  • Fraud cost recovery fees. Even though the issuers pay the cost of fraud up front, they recover these costs from the compromised merchant either through direct programs, litigation, or the new Visa ADCR program. If you assume that only 1-2% of compromised credit cards experience fraudulent transactions, but that the average fraud charge is $1,000, then 40m * 1% * $1k = $400m in potential fraud dollars the banks will recover from the merchant.
  • Although the TJX CEO claimed he will not offer credit monitoring, they may be required to as part of the class action settlement. Credit monitoring retails at $100/person/year but can be purchased in bulk for $10/person/year. Multiply this by 40m cards, or maybe 5m people, and you have another $50m.
  • Depending on the scrutiny of the FTC, they could be put under review for 20+ years. Don’t forget what happened to BJ’s Wholesale Club.
  • Remediation costs. Remember, if they want to keep accepting credit cards they need to get compliant, and fast. These costs could easily be in the tens of millions of dollars as any change they make needs to be rolled out to every retail store.

Trust me, TJX will be out of the news in a few months and in a few years nobody will remember it happened, but their costs will be anything but minimal. You will just never see it because it is boring to watch news coverage of FTC filings.

I can see how you would think TJX got off easy if you don’t understand the full impact of what really goes on beneath the two-foot-deep media coverage.

10 Responses to “Seek first to understand, and then to be understood”

  2. By Alex on Feb 26, 2007

    Having done PCI for Fortune 500s, having known similar incidents among retailers, I stand by my post. It’s not that I’ve been stung by an auditor, but that as an auditor who understands risk, I’m not thrilled with any approach that relies on a “checklist”, low risk to the data owner and has a track record of being impotent to change corporate culture.

    RE: The amount of loss, I’d expect them to be somewhere in the $45 million range DSW was in. If current levels keep up, that might be 5% of their annual profit, correct? Those costs might not be “minimal” to you, but to the data owners, I doubt they’re enough of an incentive to do much more than create a due diligence paper trail.

    Finally, there are many people offering alternatives. One is suggested in the article you linked.

  3. By datasecurity on Feb 26, 2007

    Alex,

    I appreciate your comments and hear that you are a seasoned information security expert. I just beg to differ about your experience with PCI. The fact that you reference it as a checklist means that I stand by my post.

    I have done 100 PCI audits for Fortune 500 merchants and acquiring banks all the way to small merchants. And I have always leveraged “compensating controls” in some area for each audit. That should show that it is more than just a checklist of items.

    I’ve blogged twice about the non-prescriptive nature of PCI. I am sorry we disagree about PCI but that is a good thing. I like stimulating conversation that in the end causes both parties to think a little differently about the situation. Is it working? =)

    I also disagree with your assumption that the TJX data loss would be in line with DSW. The DSW data loss was estimated at 1.4 million card numbers, while the TJX data loss is estimated at 40 million card numbers. That is nowhere near the same!

    Please inform me of the alternative you describe. And then answer me this. How can you justify stopping a merchant from accepting credit cards due to a security breach that causes no loss to the actual cardholder? It seems to me that you want to see someone go to jail or for the merchant to fail as a result of these breaches.

    Credit card numbers can be reissued and the cardholder is not liable for any of the fraud. Also, credit card fraud is going DOWN despite the increasing fears people have about it.

  4. By Adam on Feb 26, 2007

    I agree with you about “who complain about PCI, but never once offer an alternative”

    I think PCI is a rotten standard, but don’t yet know how to write a better one.

  5. By admin on Feb 27, 2007

    Hmm… well Adam, I certainly disagree with your “rotten standard” comment, but I can understand how you feel. If I had not been working with the standard this long and understand it inside and out I would agree. The problem is that it needs more explanation about the intent.

    Until people understand the intent of each requirement and how to couple that with compensating controls it can be a really hairy mess to map to large companies.

    Thank you for the feedback, we appreciate it.

  6. By Dissent on Feb 27, 2007

    As one of the naysayers you cite, I already indicated in my blog that I’m not a security person. I’m not even a curmudgeon, although I do get very testy about people violating my privacy or losing my personal details through sloppy security.

    If I were to allow even a few patients’ records to be compromised through sloppy security, I would run the risk of losing my license to practice in my state, which could cost me the potential for all future income. That’s a pretty good motivator to be careful about protecting records. Note that they are my files, but that the state considers them the patients’ records and patients would have an individual cause of action. Would we argue that my patients shouldn’t complain because it doesn’t cost them any money if I allow their records to be compromised?

    With business, however, we are told that our details or records are not our records — that they are the business’s records. And we have no individual cause of action unless we can prove financial harm.

    The bottom line for me is that yes, I think that if a business knowingly engages in shoddy or substandard security practices, there should be consequences that are more serious than just loss of profits, however heavy the reduction in profits might be. While businesses are essential to our economy, that doesn’t mean that they should get a “get out of jail free” pass if they really engage in egregious corporate conduct.

  7. By datasecurity on Feb 27, 2007

    Dissent,

    I imagine you work in the medical field due to having patients. If you lose their files you have lost (1) personal information about their health and (2) their social security number. Both of these things can be used to ruin their life in one way or another.

    If credit card numbers are stolen they cannot be used to commit “identity theft” (although everyone seems to confuse the two) and they cannot be used to disparage your ability to work in any capacity. In fact, the largest measured loss to the consumer is in the replacement of the card. The largest impact the consumer sees is not being able to use their card for a period of time.

    So, yes, I feel that shutting down the company and firing all their employees is not a good trade off compared with people having their cards replaced.

    But that is not what I am debating. What I’m saying is that TJX is not getting off easy. They have class action lawsuits pending and potential FTC investigations. They have huge legal bills, a disparaged reputation, and future cost recovery that could be in the tens of millions of dollars.

    It’s not a minor deal that people have been making it out to be.

  8. By dw on Aug 28, 2007

    I know I’m late to this party, but I’m wondering where you get the $25/card reissue cost. I see lots of people throwing out various figures, but no citations to a reliable source.

3 Trackback(s)

  • Feb 28, 2007: Making Merchants Liable at PCI Compliance Demystified
  • Mar 2, 2007: The “multiples” of not complying at PCI Compliance Demystified
  • Mar 3, 2007: Chronicles of Dissent
