MOUNT SNOW, Vt. -- While the Payment Card Industry data security standards are fine, they don’t go far enough to suit one of the speakers at the recent Northeast Acquirers Association annual conference.
PCI protects card data but doesn’t guard against identity theft, noted Linda Grimm, CSR director of consulting.
After declaring identity theft the No. 1 fear among consumers, Grimm began quizzing her audience about security, tossing a piece of chocolate to the first attendee to call out a correct answer to each question.
With that as her method, she quickly established that 10 million Americans fall victim to identity theft each year.
Grimm went on to explain why she finds identity theft a more serious problem than the theft of credit card information alone.
Fifty percent of the identity-theft victims don’t find out about the crime for three months, and 15% don’t know for four years or more, Grimm said.
Thieves rack up an average of $339 on stolen credit cards, and consumers have no liability for the debt, but identity theft averages more than $4,900, and the victim can be on the hook for many of those bills, she noted.
While consumers pay nothing to shed the cost of a stolen card by making a single phone call, they work an average of 33 hours and spend in the neighborhood of $1,000 to undo a case of identity theft, Grimm reported.
To help prevent identity theft, ISOs should comply with PCI but should go further, also protecting Social Security numbers, driver’s license information, date of birth and other personal data, she maintained.
“Who has this data?” Grimm asked her audience rhetorically. “Everybody.”
Acquirers have lots of information on the merchants they service, she pointed out.
What’s more, 95% of breaches result in the theft of information not protected by PCI data security standards, she said.
Meanwhile, the U.S. transition to EMV smartcards is lulling some ISOs, agents and merchants into thinking the need for complying with PCI standards to protect data is simply going to evaporate because chip cards are more secure than magnetic stripe cards, Grimm asserted.
“No,” she said in reply to her own statement. “Don’t let anybody fool you” about less need for PCI after the industry institutes EMV.
In fact, the small retailers that ISOs and agents serve are becoming the targets of more data attacks as larger merchants become better at protecting themselves from breaches, Grimm said.
She also cautioned that more data is compromised through mishandling, including the classic example of misplacing a laptop, than through criminal hacking.
With the population of identity-theft victims growing by 10 million a year, the government is taking notice, too, Grimm noted, adding that President Barack Obama has called for a “consumer privacy bill of rights” that could affect data handling.
The federal government is more aggressively enforcing industry-specific legislation that has been on the books for a while, such as the Health Insurance Portability and Accountability Act, or HIPAA as it’s commonly called.
Some 46 states have enacted breach-reporting laws, and a few states even require companies to comply with PCI standards.
In some jurisdictions, authorities have declared that businesses that have privacy policies on their websites are guilty of deceptive practices if criminals breach the sites. Courts have imposed fines and even jail time for breaches, too.
After a breach, companies are pursued by state governments, the federal government and the card brands. The Federal Trade Commission can audit the companies for decades, Grimm warned.
To head off those actions, ISOs can stop collecting personal information they don’t need, Grimm suggested.
Creating a “culture of compliance” -- with policies, procedures and training -- can persuade prosecutors to impose lower fines, she maintained.
Breach insurance also makes sense for some businesses and is becoming more common, Grimm told attendees.