Over the holidays, my wife and I took a short vacation to Napa Valley. We had the opportunity to visit a number of wineries and purchase a few bottles, an experience that also demonstrated the shortcomings of antiquated card security.
At the end of the trip, we faced the challenge of shipping the wine home. We selected an overnight express company with a location near our hotel. We subsequently learned that the store was a franchisee of a top overnight express company, with the name of the overnight company displayed throughout the store.
The clerk quickly informed us of the charges and the number of days for shipping. We offered our credit card for payment, and began to have second thoughts.
The clerk provided us with a form that asked for our home address and contact information. The form also required us to write our credit card number on it.
When I indicated to the clerk that I did not want to have my credit card number readily accessible on the form, she explained that this was their process for handling credit card payments. Later in the day, the form would be processed along with the credit card. The form would be kept until the shipment was fully processed.
My only alternative was to pay cash. Between my wife and me, we paid the bill and left.
As a result of our credit cards having been stolen both physically and through retailer security breaches, I have been sensitized to the need to protect them. In addition, with numerous data breaches at major retailers, banks have admonished all cardholders to take additional steps to protect themselves.
The incident we encountered raised a number of questions in my mind. As the cardholder, was I supposed to challenge the store clerk as to their compliance with the Payment Card Industry Data Security Standard? I imagined our questions: Can I see your procedures? Can you show me where you store the forms with the credit card numbers? Do you have a lock on the storage cabinet? When and how are the forms destroyed?
This would have been an embarrassment to the clerk, the other customers and my wife.
But as a payments buff, I was still flummoxed by the event. Upon our return home, I sent a letter to the chief executive of the overnight express company.
I requested an answer to three simple questions: Does their PCI compliance security program extend to this store? Would they reimburse my costs if an identity theft was traced back to the store? Is it unreasonable to expect a retail store of a national brand to have a merchant terminal to swipe a card? Is that too great an expense? Security is only as good as its weakest link. Where does the responsibility begin and end for the cardholder and the merchant?
The current dialogue around merchant processing swipe fees and security plays a part in this discussion. Small merchants argue that interchange fees are already so expensive that they cannot afford to bear the costs of being responsible for PCI compliance and maintaining the latest technology.
Banks, on the other hand, are bearing the costs of card replacement and fraud losses. In the case of card theft at a large retailer, this can mean reissuing millions of cards.
Meanwhile, the consumer is left to bear the costs of correcting ruined credit as the result of fraudulent transactions.
The current paradigm of shifting responsibility for protecting the integrity of the payment process to some or all of the participants does not seem to be valid. A minimum set of criteria for point of sale technology needs to be established before a merchant is permitted to accept card payments. It is also time to sunset paper merchant processing slips, even as a back-up method when a terminal is not available. It's not worth the fraud risk.
I have yet to receive a response from the overnight express company CEO. My letter is probably working its way through their customer service labyrinth and possibly their law department. In the meantime, however, I am enjoying my wine.
Lawrence F. Buettner is senior vice president of WAUSAU Financial Systems.