While it is true that few organisations take information security as seriously as they should, blaming merchants for not maintaining PCI compliance is akin to blaming the doctor for your illness. In non-cash payments the fault lies not with the merchant’s lack of security culture, but with the payment card ecosystem itself.
I understand the motivation behind this article, Maintaining PCI Compliance a Showstopper for Many Retailers, but it shows a spectacular lack of understanding of the real issues.
The branded-card payment technology is broken, pure and simple, and so far no-one in the card-payments arena has done much to fix it. Instead, they have all put the onus, and the cost, onto the end merchant, who then has two choices:
- Eat the cost
- Pass the cost on to their customer
Guess which happens 9 times out of 10?
But why should the merchant be wholly responsible for the protection of the cardholder data? Are credit cards core to their business? The answers are “they shouldn’t be” and “no” respectively: payment for services or goods rendered is core, while the means by which the merchant receives payment is ancillary. In that case, responsibility for securing the payment type should rest with the payment service provider.
Fifty-odd years ago certain card brands came up with an excellent concept: the payment card. Banks jumped all over it and started providing lines of credit through the medium of plastic, and the concept exploded. Now credit cards are the de facto, and ubiquitous, form of non-cash payment accepted globally.
So ubiquitous, in fact, that few people seem to question the fact that the system is inherently insecure, inefficient, inflexible and massively expensive to maintain. Not for the card brands, mind you, but for everyone else. The only ones who cannot recoup their costs are the consumers.
I have no problem paying for the convenience of a non-cash payment mechanism, but as a business owner I DO object to being the only one paying for the security of cardholder data when the technology itself is broken and any innovation away from the current system is stifled until such time as the card brands can catch up, which they won’t at the rate they are going.
The card brands clearly want things to continue as they are, as do the issuers and acquirers, for obvious reasons. Banks make money from branded cards by charging both annual fees and interest on lines of credit, so they have no desire to change things. Large retail, which should have enormous power and influence over payments innovation, has for some reason completely missed the point. So it’s left to the rest of us to make a difference.
The challenge is that ‘we’ are ignorant and are clearly quite happy to go along with whatever is given to us. If this seems harsh, just look at the above article again. Verizon SHOULD know better than to blame the merchants, but if they don’t, what chance do the rest of us have?
Until such time as the ‘merchants’ learn to ask the right questions, this type of nonsense will continue, and until we, the ‘consumers’, start demanding REAL alternatives, we have no-one but ourselves to blame.