Gridlock In Action: Retailers Demand New Regulations To Protect Consumers

chicksdaddy writes: How bad is the gridlock in Washington D.C.? So bad that the nation's retailers are calling for federal legislation on cyber security and data protection to protect consumer information — even though they would bear the brunt of whatever legislation is passed. The Security Ledger notes that groups representing many of the nation's retailers sent a letter (PDF) to Congressional leaders last week urging them to pass federal data protection legislation that sets clear rules for businesses serving consumers.

"The recent spate of news stories about data security incidents raises concerns for all American consumers and for the businesses with which they frequently interact," the letter reads. "A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

Retailers would likely bear the brunt of a new federal data protection law. The motivation for pushing for one anyway may be simplicity. Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam. There is broad, bi-partisan agreement on the need for a data breach and consumer protection law. However, small differences of opinion on its scope and provisions, exacerbated by political gridlock in Congress since 2010 have combined to stay the federal government's hand. Meanwhile, reader schwit1 points out that banks are now starting to demand that retailers pay for all the financial damage their security breaches cause.

CYA

[thaylin]

I think this is just CYA. The government will set a minimum standard of security which the retailers will set as their default level and that way when a breach happens they can say, well we followed the government mandates, we should not be sued. This is not for the customers, it is for the retailers.

In reality they should be securing their systems to the best of their ability.

Re:CYA

[TigerPlish]

The last sentence of TFS has a link to an article mentioning bankers are pressuring retailers to pay for the banks' costs in a post-breach cleanup.

Money talks. In this case the bankers hold all the cards and the retailers will have no choice but to armor their payment systems. That, or spend hand-over-fist in cleanup and damaged reputation.

Which road will they take? The cheaper one -- which I suspect is to armor their POS systems.

Re:CYA

[gstoddart]

In reality they should be securing their systems to the best of their ability.

I wouldn't say "to the best of the ability of the retailers".

They've already demonstrated themselves to be lazy, incompetent, and largely indifferent to security.

They should be held to an entirely different standard than "the best of their ability", because we already know that's not good enough.

Re:CYA

[postbigbang]

And if either the banks, the retailers, and/or any member of the supply chain gave up a single point in transactions TO UPGRADE THEIR SECURITY INFRASTRUCTURE and SELF POLICE, then government interaction would be unnecessary and consumer safety would soar.

It's always someone else's problem, and someone else needs to eat the costs. So crappy POS, putting your fingers in your ears when IT warns you that your systems are about to explode, be breached, or become a PR nightmare, are all OK because it's the other guy's problem, never your own.

Fuck that.

Re:CYA

[jbmartin6]

I'm not so sure that armoring POS systems is the cheaper option. Sure there are a myriad of things that can be done, but how effective are they likely to be? Even a company like RSA got breached, and their seed database was armored pretty well until reality pried it open. Ultimately the underlying issue will remain, which is that "shared secret" is an oxymoron. As long as the payment is verified by shared information someone will find a way to steal and use the shared information. After all, retailers can't just seal the information in a box and never access it, they need to use it. And thieves will just access it the same way the retailer does.

Re:CYA

[houghi]

Hey! The companies are the ones who bought the politicians, so they should be the ones to come up with a solution that does not cost the companies anything.
If you were serious about politics, put YOUR money where your mouth is.

  /Sarcasm

Re:CYA

[Shortguy881]

Hmmm... what better way to close a bunch of small businesses than demand all businesses meet some arbitrary security requiremnts.

"Sorry mom and pop, your shop doesn't have the required firewall, point of sale equipment, network security administrator, or minimum database standards.I'll have to shut you down"

"But we dont even have a computer. All our sales are manual!"

"Sorry, take it up with the Another Department to Fuck You Over**"

**Name pending

Re:CYA

[Art+Challenor]

I'm not so sure that armoring POS systems is the cheaper option.

The cheapest thing is to buy off politicians so that they can continue doing what they are currently doing, but shift the blame to the consumer. This, I assume, is the purpose of the legislation. (Cynicism is almost always the model with the most accurate predictions of political outcomes in the US).

Re:CYA

[TigerPlish]

No, the Mom and Pop likely uses a 3rd-party payment processor.

What, you thought *everyone* taking credit / debit payments have their own in-house?

Re:CYA

[internerdj]

I'm really confused here. We've got the bankers pressuring the retailers for higher security or they will legally pursue them to cover the damages. Isn't this the picture perfect case where capitalism should solve the problem? Why are the retailers running to the government for regulation? Shouldn't the market solution be cheapest for the pure blooded capitalists of retail?

Re:CYA

[gmhowell]

Holy shit. First post (that I can see at my threshold) captures things in their entirety. Are you sure you belong on slashdot?

Re:CYA

[gmhowell]

They've already demonstrated themselves to be lazy, incompetent, and largely indifferent to security.

Maybe. Or maybe they're just cheap.

Re:CYA

[Shortguy881]

I think you missed the point. New regulations means more stringent requirements, means newer equipment, upgrade costs, compliance testing, etc. If you don't think these new regulations are going to be a burden, you are naive.

Re:CYA

[fuzzyfuzzyfungus]

I think this is just CYA. The government will set a minimum standard of security which the retailers will set as their default level and that way when a breach happens they can say, well we followed the government mandates, we should not be sued.

I agree that this isn't some altruistic action motivated by concern over the poor consumers; but asking for regulation is something that also serves a secondary purpose: 'retail security' is a collective action problem: It costs money to do(best case, it costs money but at least you can do it unilaterally, as in the case of hardening your own network and backend; worst case it costs money and can't be done without industry-wide buy-in, as with replacing mag stripes with something less totally fucked); but the benefits are mostly invisible (customers only care how secure you are when you weren't secure enough and you get cracked; up until then, they don't know and don't care whether you are pitifully insecure and lucky or highly secure).

Under these circumstances, it's difficult to justify unilateral improvements ("Hey, the nerds over in the cost center want more money because something, something, identity theft, yadda yadda. Tell them to STFU, it's cheaper just to 'apologize' and offer a free year of credit monitoring") and even more difficult to drive a coordinated, multi-actor, upgrade.

If you lobby for a regulation, though, you can be assured that your competitors have to deal with the same hassle you are dealing with and are in a much better position to say "Hey! Other merchants, banks, and involved parties? Y'know those new regulations? Compliance will end up costing us all less if we just roll out something less broken, rather than individually slapping band-aids on our shitty systems."

It's not elegant; but that is an additional use of regulation, aside from CYA.

Re:CYA

[gstoddart]

If you don't think these new regulations are going to be a burden, you are naive.

If you think having no regulations isn't already a burden on other people, you're also naive.

So, if companies want to take risks with the financial information of their customers, they should be the ones assuming the risk, not the customers.

Right now, in order to maximize corporate profits, customers are the ones bearing the risk for the crap the corporations do. Sorry, but screw corporate profits. We want to see some corporate responsibility and liability.

My credit card company has had to send me a new card three times in the last year, and I can never identify the source. If I knew who the hell was doing a shit job of security, I'd stop buying from them.

And I presume the large number of customers they lose would be an incentive to actually take this seriously.

So I'm afraid I have no sympathy for these companies. If you're going to hold onto my financial and personal information, you're going to have to do it in such a way as to not constantly expose it.

Re:CYA

[HideyoshiJP]

In all fairness, those that may wish to put security solutions in place may need a way to justify the increased cost of additional security to the larger shareholders, who often can't see the forest for the trees. You'd think those shareholders would just invest in IT/security companies...

Re:CYA

[CrimsonAvenger]

Shouldn't the market solution be cheapest for the pure blooded capitalists of retail?

Two things:

1) Whatever makes you think that retail giants are "pure-blooded capitalists"?

2) A sufficiently powerful government usually means that the cheapest solution to any problem is to buy favourable legislation.

Re:CYA

[mlts]

I will be a bit of a devil's advocate here:

We also need guidelines and standards for security. This isn't something that I can quantify, toss a high amount at a CISSP and get some unit of security. PCI-DSS3 is an example of decent guidelines. Another are the NIST SCAP items.

What would be an ideal would be some standard body making up security standards, not just guidelines (segment and firewall networks), but actual steps to secure operating systems and appliances with varying levels of security [1]. This wouldn't just be something that an organization could do once, but something that would have to be made at least quarterly with emergency workarounds coming out 24/7, such as replacing bash with Busybox or compiling a binary from the fixed source.

There are also issues and publications that wouldn't be as obvious... for example, guidelines on securing HVAC systems or basic power. Recommendations for organization charts to protect against social engineering, so someone name-dropping a VP doesn't get a file full of root passwords just by asking. Even physical guidelines like protecting against tailgaters at building entrances [2], or what type of lock cylinders to use (as some brands of cylinders had reports about security gaps which got remedied in later models.) Security is a moving target, and it would take a lot of cash to keep an organization funded which keeps on top of this... but it would do far more to help things than adding new regulations [3].

Right now, the major vendors have security tools usually baked into the OS which are pretty good. The trick is to have one coherent clearinghouse that can help people use what tools are available and still remain vendor neutral.

[1]: For example, on AIX, if I wanted one level of security, I'd sign all binaries on the system and configure trustchk to disallow anything else to be run. If I wanted higher than that, I'd disable root (so UID 0 processes had no "special-ness" about them) and set trustchk with LOCK_KERN_POLICIES on so there is no process on the system that can allow untrusted binaries, libraries, or even shell scripts to run.

[2]: Badge policies have to apply equally in a company, and if all someone needs to do is wear a suit or a uniform to get in, then physical security has failed. 99% of the time, it may just be nothing... but there is always that 1% where calling security on someone might have just stopped an attack.

[3]: Sarbanes-Oxley comes to mind. I've yet to read about it being enforced... except when it was used against an individual who had an improperly fished grouper.

Re:CYA

[peragrin]

The cheaper option is to stop storing credit data and have the banks and credit card companies and switch to one time tokens for all transactions.

That way in the event of breaches credit and banking information can't be stolen.

Guess which way it won't go. Though Amex is trying to go that way. Hence the support for Apple pay.

Re:CYA

[Shortguy881]

Actually you are taking the risk by using a credit card. Go to an ATM and get some cash. Problem solved.

Better yet, lets get rid of capitalism all together. How about we just walk into a store and be given what we want. Clearly we are all entitled to it.

Re:CYA

[hey!]

Well, this is the dark side of competition. Without regulation, you find yourself competing with bottom feeders.

It's one thing to be competing with bottom feeders who simply externalize costs -- e.g. shipping waste to countries with weak environmental regulations. It's another thing to be competing with bottom feeders who undermine trust in your industry. You can't just copy them and say, "everyone does it, that's life." Winning that race to the bottom is actually bad for your bottom line.

Re:CYA

[innocent_white_lamb]

I own a small "mom and pop" business.

I accept cash, cash or cash. No credit or debit cards of any kind.

I save a lot of money on fees that I would otherwise have to pay to banks for accepting their cards, and I don't have to hassle around with payment terminals and the like.

All of my customers know that they have to bring cash when they come here. Anyone who doesn't know that (new people in town) find out pretty quickly on their first visit, and there is a bank machine about a half-block away from here.

Re:CYA

[AK+Marc]

Minimum standard laws usually come with liability limits. "If you put a disclaimer in your ToS, your liability is limited to $3." So the retailers want the rules so they can determine (and limit) liability and guard against it, rather than having unbounded liability, as currently exists.

Re:CYA

[AK+Marc]

Yes, carrying around cash is lower risk than a credit card with $0 liability limits. Or not. I'll stick to credit cards. Safer for me. Worse for the retailer. They are likely hoping this legislation will lower liability for the retailer, and push it on the banks or customers.

Re:CYA

[gstoddart]

Better yet, lets get rid of capitalism all together.

The concept of ownership?

No, not really.

The absurdity which is the notion of laissez faire, free market, unregulated capitalism which is a self healing entity which achieves optimal outcomes over time because it's infallible and people will play by the rules??

Now, that version of Capitalism is a complete fucking lie perpetrated by people who are either intellectually dishonest enough to believe it, or sociopathic enough to want it anyway.

That version of capitalism is a complete fiction, and is in fact nothing at all like what actually happens -- specifically because everyone in the system knows damned well the only way to win is lie, cheat, and steal.

So all of the assumptions of how it will regulate itself pretty much fall apart. Because those assumptions are about as stupid as the assumptions of Communism ... or pretty much any other "ism" which is supposed to lead us to a wonderful utopia if only people would listen to the theorists and live as perfectly as they envision.

Go ahead, drink the Kool Aid of Capitalism. But don't for a minute believe half the stories you've been told about it -- because they're all complete fiction.

Pure Capitalism is just as dangerous as pure Marxism. The main difference is the lies its adherents use to justify it.

Re:CYA

[mjwx]

No, the Mom and Pop likely uses a 3rd-party payment processor.

What, you thought *everyone* taking credit / debit payments have their own in-house?

I used to work for an outsourcing outfit that looked after small stores, including their EFTPOS systems and you'd be surprised how many small "mum and dad" stores used things like an EFTPOS client sitting on an unpatched XP box in the back room (half the time the staff would also be using this box for email/excel/Facebook). Using a 3rd party payment processor is expensive, you're talking about $500 p/m expensive per terminal for the most basic services. For a cafe $500 a month is the difference between being in the red and being in the black.

If you need to be convinced why you should pay cash in physical stores, go do tech support for one.

Re:CYA

[tlhIngan]

Yes, carrying around cash is lower risk than a credit card with $0 liability limits. Or not. I'll stick to credit cards. Safer for me. Worse for the retailer. They are likely hoping this legislation will lower liability for the retailer, and push it on the banks or customers.

And there's the REAL reason.

The customer getting their CC stolen is a minor inconvenience of having to reset their auto-payment systems. But a retailer hit with a chargeback? Big problem.

If credit cards keep getting leaked out, eventually they're going to be used by someone and it could hit the retailer. Who doesn't find out until they charge it and the bank tells them that no, they were a victim, too bad, so sad.

Card Not Present transactions (mail order, online) are the most riskiest transaction of all - even swiping is more secure as you can verify the embossed number against the stored number, and the CVV. Then there's Chip+PIN and EMV which are the most secure methods we have now (they're not super super super secure, but on a relative scale, they are the most secure).

And online retailers want data protection laws because eventually they're going to be a victim.

I know when my bank called me, some guy racked up $1000 worth of stuff, including $500 at some drum store. That's $500 in inventory that that retailer lost - hope they have the transaction details so they could trace where the product fraudulently went.

And yes, in the 14 years I've had a credit card, I've had 2 legit chargebacks - 1 was for a product they never shipped, and another was a product that never arrived. In the past 3 years, I've changed my credit card about 5 times already. Total loss to me? Maybe about $200 in cash that I had to run to the bank to pay off a bill because the replacement card didn't arrive in time to be billed to the card. (and likewise, a $200 less charged to my credit card. Since I pay it off every month, it washes out).

Retailers will probably demand some sort of EMV system for online purchases where most likely either you use an app on your phone to enter transaction details (merchant ID, transaction ID, amount transacted, etc) and it spits back a hash for that transaction that verifies the card. Fancier cards will have the electronics to do it on the card to do that so all you have to do is whip out your card. (The card can be powered by a battery - since the cards are only good for 3 years, the battery only has to last at least that long, and it's something we're able to do since regular digital watches with fancy interfaces can often last 7-10 years on an itty-bitty battery).

Re:CYA

[AK+Marc]

And yes, in the 14 years I've had a credit card, I've had 2 legit chargebacks - 1 was for a product they never shipped, and another was a product that never arrived. In the past 3 years, I've changed my credit card about 5 times already. Total loss to me? Maybe about $200 in cash that I had to run to the bank to pay off a bill because the replacement card didn't arrive in time to be billed to the card. (and likewise, a $200 less charged to my credit card. Since I pay it off every month, it washes out).

I had two chargebacks. Once I bought something off eBay, using PayPal (via credit card, never a bank account). The item didn't show up, I worked with the seller for a bit, but just did a chargeback. I paid and never got it. The seller told me I need to pay insurance to be able to do that. That's wrong. The "insurance" pays him, not me. That's his responsibility. His responsibility is to deliver the item in agreed condition. I don't care if he wants me to pay insurance, consumer law is clear, if I never got it, I don't have to pay. He argued. I charged back. Problem solved.

The other was a DOA product from a store that the return failed. So I left the item there, kept my receipt and performed a chargeback.

Lost a credit card in a foreign country once. Canceled that day, no loss, no problem. Declined to get a replacement (for a fee) and used a backup for the remainder of the trip. Credit cards are great. Lose $10,000 cash, big problem. Lose a card with $20k limit? Max $0 liability.

Re:CYA

[Shortguy881]

Actually we live in a socialist oligarchy, far from any real capitalism. I also don't believe pure unadulterated capitalism is the way to go. There should be some oversight. However, the fundamental concept of capitalism, that I have to work for my own keep, is better than the idea of work or not you get your fair share.

As you pointed out in your post, the problem really isn't Capitalism or Marxism or any "ism." Its the corruptibility of people. So how do you plan to fix that?

Re:CYA

[tlhIngan]

I accept cash, cash or cash. No credit or debit cards of any kind.

I save a lot of money on fees that I would otherwise have to pay to banks for accepting their cards, and I don't have to hassle around with payment terminals and the like.

You're also not moving a lot of cash, because it costs you little enough that the risk is worth it. (And no, $1000/day isn't a lot of money.

Because once you start racking up the dollars, you start having to spend dollars to protect those dollars - which is the true cost of handling cash. (Plus, you probably only have 1 or 2 cashiers, and a system based around a regular dumb cash register, and are fairly loose with cash).

In other companies, cash control is king - to handle cash requires you to get special training and trust, while doing a credit transaction means any floor lackey can do the transaction because the backend computer can verify the money.

So yeah, as a small mom and pop, cash works because at most you're out a day's take if you get mugged making the deposit. But since the day's take is relatively small, you're not a huge target either, especially if you make multiple runs to the bank during the day (if you can) so the amount you carry is low and amount you can lose is low.

But take a much larger company like a big-box retailer, and cash handling does cost money - a real cashier gets paid more than minimum wage (you need to trust them with cash, plus train them on how to handle it and having your register and box out significantly can be a fireable offense). Plus, significant cash transactions mandate measures for cash protection. E.g., when a big game is released, the stores selling it may easily do $50K or more in cash in one day which means rolling out an armored vehicle to transfer that money to a bank, which cost hundreds of dollars in an of itself (if it costs $500, that's already 1% of the cash take!). So those businesses handling cash can cost more money than credit (because credit just transparently goes into their account with full reporting and correlation with the register).

Re:CYA

[gstoddart]

Actually we live in a socialist oligarchy

No, you do not. You live in an oligarchy, but it definitely isn't socialist. Oligarchies are pretty much orthogonal to socialist. In fact, the oligarchy wants to remove the last bit of "social" you have left, and the people cheering the oligarchy who are in government are working to hasten in.

So how do you plan to fix that?

Summary rejection of all economic and political theories which assume people will play by the rules of your "ism" and it will be a perfect system once people accept it as perfect and infallible.

I am not required to have a plan to "fix it". Not my job. Nobody is gonna listen to me anyway.

But I can say that any system which has the in-built assumptions that you can rely on anything except corruption, and people being selfish bastards is probably complete crap, is built on ridiculously naive assumptions, and is likely inherently flawed by people who can't get past their own "ism".

So, in the same way that when the Communists say that "if only people can be made to see how awesome this is", or when the Anarcho-Capitalists say tell us the same thing .. these are people who are willing to burn the world to remake it in their own image.

I view some of the crap the Libertarians say to be as "burn the Earth and force it to match what we want" to be as scary and unfounded as half the crap Mao did.

Beware the person who tells you he has The Solution. He's probably a zealot.

I believe the shining path of Communism no more than I believe in the Utopian fantasy of Libertarian economics -- both are complete lies.

Re:CYA

[Shortguy881]

Oligarchy refers to the organization of the government, socialism to how it handles economic activities. The two are mutually exclusive. Between welfare, medicaid, medicare, government subsidized health insurance, food stamps, disability, tax rebates, subsidized cell phones and internet plans, and many more programs, we live in a socialist society. Most people disagree because the rich don't pay as much into this system but that's because its an oligarchy. Those in power are redistributing the middle class wealth to the poor.

Saying the world sucks, people suck, and there is nothing we can do about it is pointless. Apathy towards the worlds problems is a big part of the reason we are in such a mess.

Capitalism lends itself more to self interest, playing off human behavior. That is why I think its the better choice. Its not perfect, but at least I'll take a stand and try to make the world a better place.

Huh?

What's this got to do with traffic problems?

Er...lobbiest fails to do job, so panic?

[xxxJonBoyxxx]

>> gridlock...nation's retailers

Er...lobbiest fails to do job, so panic?

>> they would bear the brunt of whatever legislation is passed....there are 47 different state-based security breach notification laws

In other words, they want a single Federal law to replace all the state laws, which would do two things: 1) allow them to concentrate their efforts on watering down the federal law 2) take the ability for people to collect damages against it out of state courts and 3) reduce their notification costs because they would only do the bare minimum required by the federal law (e.g., filing it in a basement drawer marked with "beware the leopard"). I see no "brunt" here. (IANAL)

Re:Er...lobbiest fails to do job, so panic?

[Trailer+Trash]

There's more to it. Note the last line - banks want to make retailers pay for their expenses when these breaches occur. My bank just had to send me (and presumably thousands of other people) new debit cards due to the Home Depot breach, for instance. That cost them plenty in aggregate - sending me a letter and then a new card. It's not much, maybe $2 or $3 for me, but multiply that by 10,000 or 100,000 and suddenly some money's in play.

So if the retailers can hijack the "regulation" they can write it such that they don't have to reimburse banks.

I know this is hard for some people to understand, but big business *wants badly* to be "regulated". They have the money to buy legislation, so they won't personally be regulated or they will be regulated to the extent that the regulation simply defines their current business processes and won't harm them. The point of such legislation is to create barriers of entry into their markets and harm smaller competitors. And, in this case, other businesses that wish to extract money from them.

Re:Er...lobbiest fails to do job, so panic?

[Optic7]

Your guess for the cost to produce a regular credit/debit card is exactly right, but chip cards apparently cost a lot more. Bank of America sent me a new "chip-and-signature" card (yuck, why not chip-and-pin, so frustrating) after the Home Depot breach. According to this article:

"The cost to produce and distribute a card to a customer is under $2. The cost to make and distribute a chip card to a customer is between $15 and $20," says Coleman.

The last link on TFS says that just community banks and credit unions are already on the hook for $160 million. That's not even counting the banking giants. We're talking LOTS of money lost and wasted by a lot of people because of Target, Home Depot, et al being lax with their security.

Re:Er...lobbiest fails to do job, so panic?

[Trailer+Trash]

One thing to note is that the chip card shouldn't need to be replaced after one of these breaches since they're doing end-to-end encryption, so hopefully it's a one-time cost that they were going to incur anyway.

Re:Er...lobbiest fails to do job, so panic?

[Optic7]

I'm not positive about the technical aspects of the chip, but just thinking about it, I don't believe that chip cards protect you from certain fraudulent transactions, like online purchases. I'm giving the website my card number, expiration date, card verification number, name, and billing address.

Someone who gains access to all that information stored by the retailer would certainly have all they need to initiate another online transaction elsewhere. The only way the bank has of preventing that would be to issue a new card number.

Translation

[Charliemopps]

Translation: Please pass a law that dictates the minimum effort we are required to put forward so we can barely meet that very low bar and not get sued. As it is, we have to actually pay attention to security and update constantly. If you pass a law, it will be out of date in about 3 months... but hey! At least we can't get sued. And that's all that really matters.

Re:Translation

[mrchaotica]

There is a less pessimistic translation: "Please pass a law so that our competitors are forced to spend money securing their systems, so that we can justify doing so without fear of being out-competed."

Re:Translation

[oh_my_080980980]

Umm no, it's the above: "Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam."

Jackass.

Re:Translation

[Charliemopps]

There is a less pessimistic translation: "Please pass a law so that our competitors are forced to spend money securing their systems, so that we can justify doing so without fear of being out-competed."

less pessimistic = extremely unlikely but supports my world-view so I chose to believe it despite the evidence.

Re:Translation

[roman_mir]

Obviously this is the correct interpretation of what is being demanded here. Yes, some retailers want government to help destroy their competition for them. The reality is that there is plenty of market forces at play here. If you know that a particular retailer doesn't take your information seriously enough and a breach happens and there is no adequate timely response to your satisfaction, you are not going to buy through this retailer anymore. What this regulation would do is make sure that there is LESS competition, not more, this way the security breaches will still happen with the large retailers, but the smaller ones will not be there anymore because the government will regulate them out of this type of business so the consumer will have no choices left.

Re:Translation

[david_thornley]

Except that such competition depends on people knowing what's going on. I don't know much about the security Target used to have, before their breach. I don't know how, or whether, they've improved it. I know they had a major breach, and at least some credible speculation about what happened, and that's it. Right now, I don't know if Target or Home Depot has better security.

Re:Translation

[roman_mir]

Right, but you wouldn't be in any different position if any government regulations were enforced, you would have false sense of security and less competition for your money by fewer retailers. As a customer right now you can avoid Target and/or Home Depot and that is the market pressure that the companies would have to consider to improve and become more transparent if enough people care and stop buying there. With government regulations you would just have no choices at all, Target and Home Depot would be the only stores if they could get government to destroy their competition with regulations. Would Target and Home Depot be more secure and more transparent with government regulations? No, they just would have less competition.

Re:Translation

[david_thornley]

What I'm saying here is that market forces DON'T WORK for this. I can't really tell security with transparency from covered-up incompetence. I know that Target leaked credit card information, but how secure is Wal-mart? Have they been leaking for years without telling anybody? How would I know?

If government regulations were enforced, I'd at least have more information on security. This comes with costs, as you point out, so I really don't know what the best thing to do is.

Re:Translation

[Your.Master]

How is it extremely unlikely? What evidence are you talking about?

Re:Repeat with me

[TigerPlish]

So you'd rather have it so there are no Federal consequences for being a sloppy, lazy, bug-infested easy target?

Sometimes regulation protect all of us, not just corporations. This could be one of those.

OK, I have a non-regulated approach to fighting breaches: If your company is stupid enough to get breached, the banks and card issuers must block you from doing credit and debit card business again -- ever. Good luck with cash-only.

Is that too cold-hearted for you? You'd rather have that instead of rules and consequences for data breaches?

Missing the point.

[Orgasmatron]

This isn't (just) about trying to dodge liability by having defined standards to meet.

The big retailers are all spending shitloads of money on security because they have to. Now they want regulations that require everyone else to do the same.

A few million each year for security compliance is nothing to Target or Walmart. It is a dagger in the heart of their local and regional competition.

Re:Missing the point.

[TigerPlish]

A few million each year for security compliance is nothing to Target or Walmart. It is a dagger in the heart of their local and regional competition.

Mom and Pop don't have their own POS. They use payment processing houses. It's the Big Dogs that have their own POS systems.

Re:Missing the point.

[oh_my_080980980]

Jesus tap dancing Christ. Read the fucking article. It has nothing to do with forcing companies to spend any money on security! It's about the "...47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam" The retailers want one single system for NOTIFICATION of a breach: "A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

Do you understand now moron!

Re:Repeat with me

[gstoddart]

Yeah, no, no they don't.

Which is why the Republicans have been de-regulating, because when corporations can do anything they want, that protects corporate interests.

Regulations protect us from corporations.

Re:Repeat with me

[Immerman]

Sounds to me like the default outcome down this path is that the banks start forcing the retailers to eat the losses rather than covering it themselves. Which would mostly work for me - let the people responsible for allowing the breach pay for the privilege of being sloppy. In that context federal regulations would likely indemnify them against damages if they employed the legal minimum of protections, or at least make sure that all their competitors are footing a comparable bill so that the cost of security doesn't put them at a competitive disadvantage.

Sure, we'll get some incremental protection via the regulations, but nothing compared to what the retailers are likely to get.

Shift the cost to the consumer ...

[CaptainDork]

The banks are not the point of contact for the consumer ... the retailer is. Banks AND retailers want the retailer to bear the cost so the retailer can pass it on to the consumer.

Consumers, in one form or another, will be responsible for breaches.

Re:Shift the cost to the consumer ...

[cdrudge]

Consumers, in one form or another, will be responsible for breaches.

We (the consumers) always have been. If breaches start to hurt the bottom line of the processors, merchant fees will just increase. Merchant fees increasing will result in merchandise prices to rise or credit card surcharges (where legal).

Gridlock

Gridlock? Yes, the democrat Senate has prevented many bipartisan House bills from passing. It will be good to see the Senate in the hands of the GOP. Hopefully Obama won't continue the gridlock by vetoing bills.

Re:Gridlock

[oh_my_080980980]

You mean like the immigration reform bills tied up in the house that would pass if Boehner allowed a vote? Yeah keep promoting that canard....

Re:Gridlock

[gurps_npc]

If the bills were bipartisan, then the democrats would be helping it by definition.

How much do you get paid to put forth idiotic political propaganda like this?.

As for your silly wish for Obama to roll over and be the GOP's lapdog, he's got way too much of a backbone to do that.

Re:Gridlock

[AK+Marc]

Ah, RINO, the Scotsman of the USA. The Official Republican party let them in, approved their platform and stance. They are Republican in name only only if *all* Republicans are in name only.

Re:Repeat with me

[Pope+Hagbard]

FOUR LEGS GOOD TWO LEGS BAD

I can't understand people who think reality is simple.

Permission to be secure

[penguinoid]

Consumers don't properly appreciate cyber security. Nor do stockholders. This makes it difficult to justify the expense of proper security. But if it is a legal requirement, then you can do it.

Re:Permission to be secure

[Another,+completely]

And if your competitors have to do it also, then they can't undercut you with their simpler and cheaper (although less secure) systems.

Re:Oh, that one.

Ted Cruz is a fine American. Get used to him, he will be leading this great nation.

Re:Repeat with me

If they are negligent, and you are harmed, you sue. Is this concept so difficult? With regulations, you still may be harmed, but they are protected from negligence, and you are unable to sue. Easier to pay off a few polticos than millions of victims, no?

Seems logical enough on their part

[charronia]

Because really, who wants to deal with 47 different state laws when you can just have one federal law? At the very least, it would save their legal departments a lot of headaches.

Retailers can improve security in one big way

[Applehu+Akbar]

Just turn NFC back on while you wait for CurrentC to get off the ground and be tested sometime next year. It's already on your registers, and some of the NFC vendors have high-grade security that sharply reduces the risk of credit card breaches.

Re:Repeat with me

[oh_my_080980980]

Yo moron, they're trying to reduce their liability not protect the consumer. FTA: "Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam." Do you understand now?

Lenders are the culprits.

[140Mandak262Jamuna]

Data breach and identity theft etc would not be a serious issue if the lenders exercised due diligence before extending credit to make sure the borrower's credentials are correct. They make sure it is impossible for ordinary person to lock up the credit reports and credit to make sure no unauthorized accounts are opened unbeknownst to them.

If we make the lenders liable for all the damage caused by them. We don't even need any new laws for this. The lender has all the right to be very lax and extend credit to any Tom Dick or Harry. But if they are going to report to credit reporting agencies about default or missed payments, they have to prove that the credit was extended to the correct person. If they mistakenly report missed payments on the victim of identity thefts, the banks should be fully liable for all the damage caused to the innocent party.

The banks are the worst. They extend credit without checking. They destroyed the cheap Point-of-sale pin encoded debit/ATM transactions by conflating it with credit transactions. Merchants who used to pay a flat fees of 25 cents or so per transactions are being saddled with 2%.

The financial sector has gone from less than 5% of S&P500 index to 15% of the index. From all the economic activity going on in the country the banks rake in more than 50% of the profits. Companies that take the risk and actually make products make much less money than the the banks.

The banks have grown too big to fail, too big to jail.

All the talk about government must be small misses a crucial point. The moment the government becomes smaller than the most powerful person, that person would drown the government in a bath tub. The courts have ruled corporations are people. Now corporations are actively drowning the government in a bathtub. The banks are at the forefront. If we don't realize and and reign in the banks, we are doomed.

Re:Repeat with me

[oh_my_080980980]

LMOL - do you know where regulations come from? They come from corporate lobbyists. Corporations write legislation that Congress passes. These "regulations" reduce the liability to Corporations. They do not protect consumers! Check out ALEC sometime.

Re:Grover Norquist called

[oh_my_080980980]

Except it's not consumer protection. It's corporate protection. Try taking our head out of your ass sometime.

Gridlock is so bad ...

[RoccamOccam]

The gridlock has been so bad that the American public has voted to fix it. Yay!

Re:Gridlock is so bad ...

[paulpach]

The gridlock has been so bad that the American public has voted to fix it. Yay!

I will gladly take gridlock over the out of control goverments we have had in the last 13 years or so.

If Obama was incapable of passing a single law for the rest of his term, I would be very happy. I wish there was this gridlock when Bush was president pushing for bailouts.

Re:Oh, that one.

[oh_my_080980980]

LMOL - only in your tiny little mind.

Re:Repeat with me

[gstoddart]

Wow, such a simplistic and reductionist world view you have.

Yes, laws which are written on behalf of corporate lobbyists are designed to game the system to give corporations the most freedom. This means you should stop the process of corporate lobbyists, because they don't help anybody except corporations.

But, environmental laws, consumer protection laws, banking laws, laws designed to stop insider trading ... these are all intended to prevent corporations from being able to do anything they please without consequence. Those laws are the kind of things some people want to repeal under the notion that anything which prevents a company from acting like assholes is unfair.

So, if you say "all government regulations are bad", it's as stupid and meaningless as if you say "all government regulations are good".

One political end of the spectrum wants to pass laws to limit the amount of crap companies can do. Another end of the political spectrum wants it to be "anything goes" for corporations.

The latter of those two? They're the people behind your ALEC, and the people who would do away with any form of environmental and consumer protection. These are the people who want you to have an oligarchy in which humans are secondary to corporate profits.

Anybody who says "it should be ok to pollute, and to make toxic products because the free market will regulate itself and people will make good choices" is lying to you. Because it won't happen that way.

Retailers Already Pay

[rjstanford]

The cost of fraud and security is built in to the interchange rates that make up the bulk of card-present fees from Visa et al. By and large, the retailers already cover those costs. If specific retailer-focussed fines are put in place they should be accompanied by a drop in interchange rates (not going to hold my breath here). Also, by reducing cost-sharing and increasing self-insurance, that's another way of squeezing out smaller merchants (who can't begin to cover those costs) in favor of the larger ones (who don't need external underwriting to do so).

Re:Repeat with me

[sjames]

The problem is that the technology to make the breaches meaningless has existed for decades now but the banks refuse to implement anything like it. The banks are the ones that have foisted the fundamentally flawed system on the retaiolers and now expect them to spend bucketloads of cash on shoring it all up.

As long as they are allowed to continue pushing the costs off onto merchants and consumers, the problems will continue.

For example, if credit cards were smart cards and consumers carried a cheap dumb card terminal with them, they could cryptographically sign transaction records which retailers could submit once. It wouldn't actually matter at that point if each and every such record was copied as soon as it was made or even if the POS terminal was actively infected at the time. The records could only cause the purchase amount to transfer from customer to merchant once.

Come on Obama, use reverse psychology!

[sootman]

Now that the Rs are in power, it's time to Obama to lean in and take one (or ten) for the team. Everything that's good, come out against it; everything that's bad, say you support it. The Rs will slavishly oppose and BAM! Progress.

North Pacific, a musical

[Impy+the+Impiuos+Imp]

> and Guam

"Oh no! Someone took the credit card receipts from the grocery's trash! Well, according to Guam law, we must notify consumers."

(Opens window). "Hey, Frank! Charlie took your credit card receipt! Oh, and Paul, get your damned chickens off the runway!"

Re:Repeat with me

[FictionPimp]

Which is the exact opposite of what merchants are trying to do with their shitty CurrentC.

They don't want security, they want protection from liability. They probably want to move that liability onto the consumer.

The summary is wrong

[MobyDisk]

The summary claims that the retailers would bear the brunt of the legislation. The opposite is true. The letter is written by retailers, asking for increased regulation of cloud providers and banks. The letter is specifically calls out Apple and J.P. Morgan as the causes of recent data breaches. It complains that the retailers are responsible for notifying their customers of breaches, but they aren't the only link in the chain.

Re:Repeat with me

[silfen]

Sometimes regulation protect all of us, not just corporations. This could be one of those.

Or maybe not. Along with such regulations usually comes immunity from liability lawsuits.

Re:Grover Norquist called

[silfen]

FEMA homo training camps.

That sounds like fun. Unfortunately, instead, they just hand the money to their corporate cronies.

This consumer protection stuff is just more liberalati socialistic hogwash.

Just because something is called "consumer protection" doesn't actually make it "consumer protection".

Re:Repeat with me

[Immerman]

That addresses a completely different attack vector, and I agree that the banks should be stepping up there. However, when Mom&Pop Co. has their credit card database stolen and I get hit with a bunch of fraudulent charges, yes - they should be at least partly liable.

Granted though - regulations requiring the banks to offer actual secure transactions would likely be a far more appropriate response: In a free market Mom&Pop would simply and easily reduce their liability by refusing to use insecure banking technology, but in a country where essentially no banks offer such technology their choice is only between accepting the insecurity or passing up the sales opportunity.

Regulation should make it "regular"

[magarity]

there are 47 different state-based security breach notification laws

These retailers should be careful what they wish for. One of the main problems with health insurance used to be that every state had its own set of laws and licensing. Now that the feds took over the regulation of it they not only require everyone buy it but also dictate coverage levels, like it or not.

Re:Regulation should make it "regular"

[slew]

there are 47 different state-based security breach notification laws

These retailers should be careful what they wish for. One of the main problems with health insurance used to be that every state had its own set of laws and licensing. Now that the feds took over the regulation of it they not only require everyone buy it but also dictate coverage levels, like it or not.

Sigh... Actually the way Obamacare is set up, insurance companies should *like* it. They theoretically get lots of new customers who are forced to buy their services and are pretty much guaranteed 20% of the premiums to run their business (80% has to go to medical reimbursement) and they are allowed to pick and choose the medical providers they will contract with... It's likely the patients that get the screw on this (other than the sorely underused HRA option which is another can of worms)...

Similarly, the large retailers would like a defined standard security coverage levels for POS transactions. The large retailers will simply pass this cost on to the consumers confident in the knowledge that nobody can undercut them in this dimension (as they have economies of scale). It's likely the consumers that will get the screw on this one as they will have to pay for the security upgrades for the smaller retailers...

I think people don't generally realize how much they are actually paying for the convenience of credit card transactions as the costs are cleverly hidden from them. In fact, until recently, the costs were mostly handled in a completely regressive manner (rich generally pay less, poor pay more). Interest payments subsidized the no-fee cards for those freeloaders (industry term) that don't carry monthly balances, Rewards cards dollars are extorted directly from the merchants (merchants have to pay a higher percentage to clear rewards cards than non-rewards cards). The money comes from the merchants so they charge higher prices, and the banks skim the money that is passed through them.

Consumers addicted to plastic payment are essentially enabling the banks to skim money from the retailers (and thus you the consumer)... Think of these two questions you might ask a random consumer...

Would like a convenient way to pay such that you will pay 3% higher prices to retailers so that large banks can get 50% of that money?
Or would you like a convenient way to pay if I gave you back 1% of your purchases volume so you can spend more money?

Clever, those credit card companies, aren't they ;^)

Re:Repeat with me

[sjames]

Yes, but likely in part because the last few years have made it apparent that banks will never be held accountable for the laws they break.

Re:Grover Norquist called

[Ol+Olsoc]

> FEMA homo training camps that is like boyscout camp but with somewhat less homoeroticism, right?

Well played sir, Well played!

Re:Grover Norquist called

[Ol+Olsoc]

Except it's not consumer protection. It's corporate protection. Try taking our head out of your ass sometime.

Speaking of, it's pretty plain to see you have a sore one. It can be pretty tough at those Focus on the Family rallies.

No humor gene, it would appear.

Re:Grover Norquist called

[Ol+Olsoc]

FEMA homo training camps.

That sounds like fun. Unfortunately, instead, they just hand the money to their corporate cronies.

This consumer protection stuff is just more liberalati socialistic hogwash.

Just because something is called "consumer protection" doesn't actually make it "consumer protection".

Should I send a Whoosh with my posts these days?

Re:Grover Norquist called

[silfen]

Should I send a Whoosh with my posts these days?

No. Should I?

Micro case study ...

[quax]

... of why libertarians are wrong about the role of governments.

Free markets are nothing that comes about naturally. It is the governments that create the regulatory framework that allows for free markets to function.

Business hurt when governments fail in this most important job.

Re:Repeat with me

[afidel]

Wrong, the reason we don't have EMV in the US is the retailers didn't want to pony up the cash to upgrade their POS systems. The banks finally put their foot down about 18 months ago and set a deadline that shifts the liability for non-EMV transactions to the retailer starting 9/2015.

Re:Repeat with me

[sjames]

Too bad they went from a totally broken system to a half broken system when they could have gone to a functional system.

Then there's the matter of the tech being decades old. They had the option to introduce it through attrition so the cost would be part of the normal upgrade cycle.

Re:Repeat with me

[afidel]

In cryptography old is good as long as the cypher strength is still sufficient to thwart expected attacks. The only weakness in EMV I'm aware of is a man in the middle attack against chip-n-pin where you can send a pin not required signal to the terminal if you can get between the card and the terminal. Since most US banks will be doing chip and signature, not chip and pin that's moot. If you're aware of another attack on EMV then please enlighten me.

This is mildly amusing

[Loopy]

Here we see people clamoring for government regulation of tech issues after numerous stories on that same government's lack of understanding of tech issues. Really?

If the banks charge the retailer that suffered the breach for the damages resulting from the breach, then only the offenders suffer rather than making everyone suffer under onerous and ill-conceived regulations. Not to mention that charging for the damages from a breach means the punishment will actually fit the crime. Further, punishing a single guilty retailer for a breach means the customers can go to another retailer that is not having to raise prices to cover a breach fine, which is even more incentive for a company to protect against a breach in the first place.

And all this takes place without the need for 2000 pages of regulation that nobody will be able to understand and no risk of unintended consequences resulting from it that nobody can fix because of the same gridlock the article summary complains about.

It's like that scene in Kill Bill where Budd's manager tells him that "fucking with your cash is the only thing you kids seem to understand."

Re:This is mildly amusing

[david_thornley]

How do you determine what costs come from a particular breach? Some are obvious ("Here, Home Depot, this is a bill for $2 for every card we had to replace because of you"), some are not ("there's a fraudulent card-not-present transaction here from somebody whose card may have been leaked by Home Depot or Target or somebody").

Re:Repeat with me

[sjames]

Web and mail order (that is, card not present transactions in general).

A proper public key signature card benefits from being old (well understood) and having a sufficient key strength. It could even be used to sign a recurring charge authorization.

Re:Oh, that one.

[AK+Marc]

He's a Cuban-Canadian ineligible for Presidency.

Re:Grover Norquist called

[Ol+Olsoc]

>I sincerely hope you die a traumatic death at the hands of a greedy corporation who doesn't care about your safety.

That would be awesome.

And I sincerely hope that you live a long, happy, and healthy life.