Don't-Ask-Don't-Tell E-Commerce

When it comes to IT security, good technology can't protect an organization against bad policy. Judging from the way the banking industry handled the recent theft of more than 8 million credit card account numbers \[QuickLink 36530\], that's a lesson that major U.S. credit card associations and issuers have yet to learn.

The situation is unlikely to improve in the near term because the financial services firms that control most credit cards see little economic incentive to change their ways. Those most at risk of incurring losses include consumers (through identity theft), and merchants that accept "card-not-present" transactions.

The card associations' policies, as demonstrated, could be described thusly: Don't publicize credit card thefts in any way; don't require card issuers to notify affected card owners unless they ask; don't share the list of compromised account numbers with merchants; and don't require banks to reissue stolen cards. And don't worry -- banks will monitor accounts for "unusual activity" with automated, high-tech monitoring tools.

Card-not-present transactions aren't protected by the same zero-liability policy given to consumers and merchants at brick-and-mortar stores, where clerks can physically check the credit card and obtain a signature. This puts online vendors at a competitive disadvantage.

Meanwhile, credit card fraud is increasing. In early February, the largest electronic break-in to date took place at credit card processor Data Processors International (DPI) in Omaha. Some 8 million Visa, MasterCard and other accounts were affected. Yet customers wouldn't have known about the breach until their statements started arriving if it hadn't been for Citizens Bank, which decided to recall 8,800 affected cards.

If accounts are used fradulently, how much damage will online merchants suffer before the monitoring systems catch on and defuse the situation? Probably nothing will happen. But merchants won't know for sure until cardholders receive their statements.

What's worse, this cloak of secrecy could ultimately erode cardholder confidence and trust. For example, the story of the DPI incident surfaced in the press on Feb. 17. DPI acknowledged the incident on the 20th. A spokesperson declined to say when the break-in occurred, but unofficial reports put it early in the month -- perhaps as early as Feb. 3 or 4. Visa said it "immediately notified all affected card-issuing financial institutions." Yet one bank manager I spoke with said she couldn't confirm whether specific cards were on the list until Feb. 19. Her bank didn't start receiving the compromised account numbers until Feb. 17 and received the last batch two days later. Was this case the exception?

To their credit, some card issuers are moving to protect online transactions with new authentication programs. For example, MasterCard SecureCode and Verified by Visa require the buyer to use a password before making a purchase. Merchants who obtain passwords from buyers are protected from chargebacks. But most buyers don't have one yet. MasterCard and others should follow Visa's lead and protect e-commerce providers that request passwords from buyers.

This shifts the cost of stolen data away from merchants but doesn't solve the problem. Credit card companies should also question whether having dozens of processing companies handling customer data makes sense in a Web-connected world. Or whether security measures that address the way card transaction processors, issuers and merchants handle and protect account data should be more strictly dictated and policed. Or whether it makes better business sense to assume a policy of more open disclosure with cardholders.

In a world where credit card numbers can be used for fraud or identity theft, organizations have a moral obligation to disclose such compromises to cardholders and merchants as soon as a security hole is closed.

The industry worries about the expense of reissuing cards. Yet banks have spent a lifetime building trust, and serious erosion of consumer confidence could cost far more than simply replacing those cards. It could cost billions in lost sales to e-commerce merchants that are dependent on credit card payment systems.

The current policies are bad for e-commerce, bad for consumers and, ultimately, bad for business. The industry should make changes now, before consumers finally wake up to what's going on and legislators step into the breach.

Robert L. Mitchell is Computerworld's technology evaluations editor. Contact him at

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon