I get tons of emails per day. Besides the ones that want me to spend my money, some ask pretty darn good questions. For example, I get this all the time: "Am I safer today using my credit card online than a year ago?" Or, "Should I be concerned about using my credit card in general?" So here I will attempt to give a somewhat comprehensive answer to the emails that are essentially asking the same, or similar, questions.
In my opinion, you are relatively safe using your credit card or debit card today, just as safe as it was for you to use it yesterday, and just as safe as it will be tomorrow, or at least in the near future. Ironically, you may be safer using your credit card on the web than at the store level. That is because Internet technology and e-commerce came about relatively recently, and the information technology industry anticipated the need for security, as the Internet is a very public place. Along with the development of the web, Internet-specific security technology was developed and made available to the information technology community, thus creating a standard. No such standard existed for developers of in-store, brick-and-mortar applications. Ironically, the credit card industry did not put forth a standard, nor did it make any attempt to communicate its needs to the information technology sector, nor did it anticipate the need, nor was it, or is it now, qualified to do so. All in all, the credit card industry is purely reliant upon third-party private information technology companies to protect it from the security flaws within its own products, flaws it disseminated through its deployments of yesteryear. Recently a number of lawsuits have been filed against information technology companies for negligent security, or POC (point-of-compromise) as it is known in the industry. The responsibility for protection that the credit card companies expect and are seeking from third-party companies cannot exceed the responsibility that they have to themselves, in my opinion. In addition, in the absence of an agreement between these credit card companies, issuers, and third-party information technology companies, the instrument by which this need is communicated is absent. Thus, the Economic Loss Rule applies. However, some District Courts have issued opinions to the contrary, completely misunderstanding the application of the Economic Loss Rule to these types of relationships and rendering nonsensical opinions that are completely off-point.
Now, you might be surprised, but the card companies have not done much, if anything at all, that's significant in order to improve card security. However, that has no significant impact on the credit card holder. This is because, in general, as the credit card holder you are not responsible for fraud on your account unless the fraud is somehow related to activity that you are a part of. Currently, credit card companies and various issuers have beefed up their low-tech efforts to thwart fraud. What they do now, that they have not done much of in the past, is monitor your credit card activity, and if something unusual for you takes place, they call you to verify the charge. To clarify some terms, a credit card issuer is the bank that gave you the card, like Bank of America, for example. An example of a credit card company is Visa, Mastercard or some other card company. Until recently, and in general, banks across the country would issue you a Visa card or a Mastercard on behalf of Visa and Mastercard International, respectively. These banks act somewhat as brokers per their agreements with these credit card companies. American Express, historically, was, and to a large extent still is, its own card issuer. American Express also predominantly processes through the processing networks associated with Visa and Mastercard.
So what have the credit card industry and these credit card companies done in order to thwart fraud? The answer may shock you, although there is still no need for you, as a credit card holder, to be alarmed or concerned. After all, they are still responsible for the fraud, if such occurs on your account. At most, you may experience some processing delays on your card. Most of us carry multiple cards anyway. So, in an emergency, you could charge your other card, or call the issuer and straighten it all out.
The truth is, the credit card industry may not be able to afford to do anything at all. It is simply too expensive for the card industry to introduce secure, and therefore different, technology to take a serious dent out of crime such as skimming, card duplication, card fraud, forgery and identity theft. Every single device that reads credit cards would have to be switched out. The dilemma the industry is faced with is clearly understood. The card companies have been riding on a technologically inferior platform of yesteryear, ready, waiting, and wanting to explode. These companies have been parked on automatic. Once the initial technology was developed and deployed, the research, development and technology aspect of the business left the forefront of their business model. These industries generally promote people within their own ranks, and thus are very much inbred. This executive inbreeding creates a stagnation of the skill sets needed to understand the new emerging technologies which endanger the industry platform. For example, in a meeting with a top executive responsible for operations at one of the major card issuers, which shall remain unnamed, my associates and I were shocked to discover that this individual, through whose department flowed billions of dollars of transactions on a yearly basis, did not understand what I would call rudimentary technological factors involved in card processing, and the type of integration that is available between third-party information technology companies and themselves. Although they believed they were very well informed, this lack of understanding was pervasive throughout the management of the risk department as well. Exactly this type of executive ignorance, and worse, arrogance, leads to poor judgment and poor decisions, as is exemplified in the many forms of PCI requirements card companies are currently trying to push on all of us.
In our encounters with these high-level executives, in their defense, some of the really clever ones attempted to bring up the ISO standard for formatting cards. The ISO standard formulated for the positioning and formatting of card data does not pass "the chicken and the egg" defense. The standard that ISO adopted was presented to that standards body by the credit card industry, which drove it. So they are following the standard for encoding cards that they themselves formulated, not the other way around.
PCI standards are not laws. Companies, or a number of companies comprising an industry, cannot pass laws. Laws in this country are passed by a completely different process involving the legislative apparatus and other appropriate procedures. So these so-called laws are really would-be standards, or in reality are mere requirements, at best. Standards are really defined by what is the predominant methodology for doing things within an industry. Ideally, then, these requirements should be incorporated into the merchant agreements that credit card companies or issuers have with the individual merchants that wish to process and accept their cards. These contracts could be entered into during the initial setup phase or through an addendum. Then, should a compromise occur and the merchant not have followed these contractual requirements, the merchant would have been provided an instrument outlining these requirements, would have been placed on notice, and could be sued for breach of contract. It is sad to say that most issuers are improperly equipped and improperly trained to even understand these requirements. If you are a merchant, just try calling your ISO (independent sales organization) or card processing provider and asking which receipts you can have redacted and what you are permitted to store. Another very good opportunity to convey these requirements presents itself during the certification processes between the credit card processing companies or processing networks and the third-party technology companies that wish to provide applications that perform authorization and card processing functions. During the certification phase, agreements could be entered into, or a compliance certificate issued with respect to whatever security requirements exist, in conjunction with the operations certificate. It is sad to say that none of these communication channels exist.
Consider this: currently all but the last four digits of a card number have to be redacted, that is, starred out. However, what the card holder may not be aware of is that the merchant copy of the receipt contains their entire card number. This is done for merchant protection. Initially, all receipts were required to be redacted. But what happens to a merchant that processes thousands of dollars in credit cards and has a batch dropped from their equipment and the equipment of the processing network? With redacted receipts, what would the merchant re-key? The liability the card companies and processing networks are faced with in this scenario outweighs the liability of a breach. And hence the decision that the merchant receipt contain the entire card number was, understandably, put in place. You, the card holder, get the warm and fuzzy feeling when you see your receipt redacted; the merchant gets their security blanket. Security improvement: marginal. The argument here is that there is a benefit if you, the card holder, lose the receipt. That's a single-receipt benefit!
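As an added example, not code from this post or from any card company, here is a small Python routine that produces the starred-out cardholder line described above (every digit but the last four redacted) together with a scanner that flags full, Luhn-valid card numbers left in stored receipt text, which is the check a merchant asking "what am I permitted to store" would want to run over their own records. The card numbers and receipt lines are constructed test values, and the function names (`mask_pan`, `find_unmasked_pans`, `scan_receipts`) are my own.

```python
import re

# Constructed test card number (a standard Luhn-valid test value, not a real account).
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(digits: str) -> bool:
    """True if a digit string passes the Luhn mod-10 check used on card numbers.

    Receipts carry many other digit runs (totals, dates, terminal and batch
    IDs); the check stops the masker and scanner from treating those as PANs.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Return the PAN with all but the last `keep_last` digits starred out.

    Spaces and dashes are dropped so the output never reveals the original
    grouping. Raises ValueError for input that is not a plausible card number.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return mask_char * (len(digits) - keep_last) + digits[-keep_last:]


# A run of digits optionally separated by single spaces or dashes.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit number found in receipt text.

    Each digit run is scanned with a sliding window, longest candidate first,
    so a PAN printed next to another digit group (an auth code, a sequence
    number) is still examined rather than skipped. A non-empty result from
    stored receipts means a full card number is on disk, which is exactly
    what the redaction requirement is meant to prevent.
    """
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        i = 0
        while i < len(digits):
            for length in range(19, 12, -1):
                window = digits[i:i + length]
                if len(window) == length and luhn_valid(window):
                    hits.append(window)
                    i += length
                    break
            else:
                i += 1  # no plausible PAN starts here; slide one digit
    return hits


# Constructed receipt lines (no real merchant or account) for the two copies
# the post contrasts: the cardholder's starred-out copy and the merchant copy.
CARDHOLDER_COPY = "ACME MART 03/14/2010 VISA " + mask_pan(SAMPLE_PAN) + " TOTAL 42.50 AUTH 048213"
MERCHANT_COPY = "ACME MART 03/14/2010 VISA " + SAMPLE_PAN + " TOTAL 42.50 AUTH 048213"


def scan_receipts() -> dict:
    """Scan both constructed copies; only the merchant copy should produce a hit."""
    return {
        "cardholder": find_unmasked_pans(CARDHOLDER_COPY),
        "merchant": find_unmasked_pans(MERCHANT_COPY),
    }


if __name__ == "__main__":
    print(CARDHOLDER_COPY)
    print(scan_receipts())
```

Run as a script, it prints the redacted cardholder line and a scan result in which only the merchant copy yields the full number. The Luhn filter is what keeps the scanner useful on real receipt text: totals, dates and authorization codes are digit runs too, and without it every one of them would be reported.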
In the final analysis, you, as a credit card holder, are still safe using your card, since the issuer is responsible for any fraudulent activity. You should always check your agreement and make sure that this is the case prior to accepting the terms or activating the card. However, although the card companies are currently putting forth effort to create awareness of the implementation of security measures, because of a poorly designed and insecure platform there are many problems plaguing this industry with respect to security. For example, they have not put forth any effort to create a standard in terms of secure technology and encryption. The credit card industry needs to stop being reliant on the technology sector, and others, to solve its problems. The security issues we are faced with today are the direct result of their products, and hence it is their problem. A single unified encryption standard needs to be either developed or adopted for industry use, one which the industry approves and endorses. Processor and merchant agreements should explicitly incorporate the security needs of the credit card companies. The merchants then would have second-level agreements with their technology suppliers that would also incorporate, outline and inform the parties of these needs and requirements. And finally, all of these attempts to secure the existing platform may prove ineffective until the platform itself is changed and secured at its basic level, the thing that starts it all: the card itself.