It’s a long time since the public considered the phrase “computer security” to be an achievable state instead of the game it is: Forty announced data breaches since January 1, affecting banks, brokerages, schools, government offices and other institutions, have taken care of that.
And some of these breaches are dangerous to consumers and the payments industry, however the companies involved might try to spin the news, or keep it quiet. Consider, for instance, the March 8 event in which 17.8 million files supposedly stolen from Deerfield Beach, Fla.-based iBill Inc. were posted online. The files included names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amounts. iBill mainly handles payments for adult sites.
The company says the stolen data wasn’t theirs, and, aside from a few blog entries, the incident pretty much escaped media notice. But the data, which was posted on sites used by phishers, came from someplace, and whether this particular hack ever makes it into the major media or not, the point is that it’s just another example of how dangerous the current security environment is for the people on whom the industry depends for its existence.
After all, March was also the month when an international debit card breach splashed all over the media, several laptops carrying hundreds of thousands of customer files were lost, news surfaced that the spoils from a recent phishing attack were routed to the Bank of China, and the long-awaited data security bill was reported out of Congressional committee.
Since accepting payments online depends on the willingness of consumers to make them in the first place, the unending stream of announcements is more than a form of water torture for the payments industry. It’s more like a death from a thousand cuts: Every announcement is another reason for people to use websites to shop online, but not buy.
That latent danger would eviscerate altogether the case for online commerce. And the industry can forget about significantly watering down the data security bill in an election year—if the reader will forgive us for repeating ourselves, supporting it is a natural posture for grandstanding politicians.
As a result, it’s not good enough anymore for the world of e-commerce to get by with catchy ad campaigns about how the industry is looking out for its customers; it’s going to have to prove that sending money online is safe, and give customers useful tools to avoid problems in the first place—not just fix things after the fact—or risk undermining the enterprise.
That last would be a shame, not to mention a self-inflicted wound. The market for online commerce is already proven, and growing at a respectable rate. According to the U.S. Census Bureau, it grew in the last quarter of 2005 by 23 percent over the fourth quarter of 2004, compared with overall retail sales growth of 6 percent in the same period. And while e-commerce sales are nothing compared with overall retail receipts—2.4 percent of the fourth quarter’s adjusted $960 billion—it’s clear that e-commerce is a fixture of modern life, and online sales are a healthy growth area for card payments of all stripes.
To its credit, not every financial institution has its head in the sand. Bank of America has been proactive in this arena, as have E*Trade and MasterCard. But too many institutions seem to be clinging to the idea that they don’t have to do much to plug the holes in their online security walls, as long as new accounts outnumber lost accounts, and that saying they’re looking out for their customers is as good as actually looking out for their customers. In an era of eroding faith in institutions of all sorts, the credibility gap between ad campaigns and common sense in this particular arena has to be zero, or that’s where customer confidence will go.
This approach isn’t just shortsighted bean-counting; it’s the equivalent of avoiding a visit to the doctor because it might uncover an expensive disease. In the long run, lack of preventive maintenance could prove equally fatal to these institutions’ bottom lines. After all, the main argument for committing to online commerce is that it’s a cheap replacement for tellers, sales clerks, and real estate.
If people stop using the online channel, those financial firms that refuse to take their metaphorical castor oil will find themselves saddled with higher transaction costs, lower profits, and, eventually, lower share prices. Looked at that way, investing in serious computer security for customers is a wise outlay, and not an opportunity for hair-splitting arguments about saving on overhead: That last strikes us like arguing that you don’t need a roof, because you live in the desert.
One thing that can be done: The industry can adopt one of the existing systems that match customer buying profiles with individual transactions, so that possible fraud can be stopped at the point of sale, instead of letting the transaction go through, protecting the consumer later, and making the merchant eat the loss. Cheap? No. But a powerful tool against crime.
Another? Segue in the United States from the ubiquitous mag stripe to chip cards. Upgrading all those ATMs and point-of-sale terminals would certainly be pricey, but it would also reinforce customer confidence that sooner or later has to totter. Let’s just hope the average consumer never finds out that a mag stripe card can be created with a card blank, a piece of magnetic tape, and an iron.