A business opportunity for somebody...
Jan. 25th, 2007 08:49 am
I wonder if there are any companies with the security and publicity smarts to offer a "Safe to Shop Here" logo for big stores? Given the TJX debacle (and the new news that people who shopped at TJX stores are having their identities stolen), I expect the public to start at least fractionally noticing information security as a concern. That would seem to create a business opportunity for someone to come out with a "Certified Secure" label for stores, the same way they're trying to build a "Guaranteed Organic" label that consumers recognize. Like that, only a fraction of the public would notice, but that fraction is likely to be passionate about it.
Not an easy task: the company would have to have the security chops to conduct really good security audits, and have the marketing machine to convince the public that they really are holding these companies to account. But it would seem like a way to print money if they could pull it off: it could become a significant competitive advantage to have your store certified by them (assuming they managed to get the public to pay attention to the label), and the space is pretty big.
(Devil's advocate: doing this without major legal exposure would be tricky -- the company couldn't afford to *guarantee* the security, just establish that their customers are following good enterprise-grade practices...)
(no subject)
Date: 2007-01-25 01:52 pm (UTC)
This is why you don't use the word "Certified", and most definitely not the word "Guaranteed".
"Tested."
"Reviewed."
Etc.
That tells them that when your Secret Shopper, or your Security Expert, or what have you, conducted a live-fire test, things went well.
What happens the rest of the time, you don't know.
(no subject)
Date: 2007-01-25 02:06 pm (UTC)
(no subject)
Date: 2007-01-25 02:10 pm (UTC)
"This software certified 100% Kosher by Rabbi Ben Geek."
;)
(no subject)
Date: 2007-01-25 02:16 pm (UTC)
The SAS-70 standard is published by the American Institute of CPAs, and lots of independent contractors implement it. This would mean that the Data Handling Standard (or whatever) would be defined by a major organization, and folks would be trained to implement it and stand behind it themselves.
Now if only the big accounting firms were capable of not colluding with their clients...
(no subject)
Date: 2007-01-25 02:17 pm (UTC)
(no subject)
Date: 2007-01-25 02:20 pm (UTC)
And it isn't working?
In theory and by intention, the use of one of those trademarked cards is supposed to provide that sense of security.
Frankly, the current programs they offer are merely profit centers for them, and any similar program (such as you are offering) is probably a further such useless profit center.
(no subject)
Date: 2007-01-25 03:19 pm (UTC)
No, it isn't. There's a world of difference between "We won't hold you responsible for fraudulent charges" (which is what they offer) and "we will help prevent fraudulent charges in the first place" (which the credit card companies really don't claim to do).
And it isn't working?
That depends upon who you ask, and what you define as "working".
Your average consumer who gets a card number stolen and notes fraudulent charges can, after jumping through hoops, get those charges expunged. In that sense, what the credit card companies do works. Sure, there are occasional horror stories, but with millions of cards, you'll expect the occasional snafu.
In the sense that they have no way to be proactive and prevent the theft in the first place, what they are doing doesn't work at all.
Mind you, the big horror of identity theft is probably Social Security numbers, rather than Credit Card numbers. And those are usually stolen by your fellow coworkers who have access to your HR files...
(no subject)
Date: 2007-01-25 03:39 pm (UTC)
Visa, Mastercard, American Express and probably all the others have in-house programs for data retention, management, verification AND DESTRUCTION for customer data. These are based upon an industry-wide standard.
If clearing houses and merchants do not meet those standards, all of these companies (Visa, Mastercard, American Express) can and do FINE those companies. Alas, rather than audit for potential breaches, those card companies merely assess fines post facto.
That the customer is protected financially, is mostly a side benefit of Federal Law - although some programs (such as Amex Gold Card) offer additional protections or benefits. Generally, however, it involves chargebacks, and the merchant eats the cost. The credit card processors and the credit card companies themselves don't absorb the cost of most frauds.
All of this put another way: those logo-holders and licensors MAKE MORE MONEY when there is fraud, than when there isn't. Despite all the various protection programs they seem to offer.
All of them do fraud control at the consumer and merchant level
(no subject)
Date: 2007-01-25 05:11 pm (UTC)
Oh, but your actual point still isn't what
He's talking about fraud control at the merchant level that is made customer-visible. The average consumer has never heard of the merchant level controls. The credit card companies don't "offer" the merchant-level controls to anyone. They don't advertise based upon them. They most certainly do not say "having our logo on the window means this merchant follows safe policies". The consumer reads about his own personal protection, and considers that sufficient.
So, of course they don't work. Their business, as yet, does not depend upon them working. In general, it does not pay a company to put in strong regulatory controls before such time as the cost of the controls is less than the cost of losses the controls would prevent.
(no subject)
Date: 2007-01-25 05:57 pm (UTC)
Consumers feel insecure. It used to be the case that they felt insecure because someone might steal "the card" and charge to "the card", and they'd have to pay for it. That problem is, largely, solved - if an individual card is physically stolen, fraudulent purchases on it are almost always made whole, by charging back to the merchants who sold the goods. (Bad for the merchants, good for the consumers - and an incentive to the merchant to prevent fraud or theft.)
Now, customers are insecure because, beyond theft of a SINGLE card, their identity can be stolen, new cards can be opened, calls can be made, electronic usage of that ACCOUNT (not the card, the number) can occur around the world, and within minutes.
I believe it is THAT case, that
So, let's talk about information security: there are four parties at play here (in the general case): the consumer, the merchant, the clearing house, and the licensing company (Visa, Mastercard, so forth). Two of them matter in terms of the actual data handling and data security that I believe
And it is the programs that THOSE two vendors are ALREADY required to conform with that would provide that security. And yet no one has a vested interest in offering guarantees based upon that security.
(And they do talk about them, somewhat, and advertise them. Remember Citibank advertising pictures on cards, as fraud control?)
It does cost them money to have a publicly known wide-scale breach. Especially in some states, such as California. But it only costs the two middle tiers - the licensing authorities profit from the breach by fining the middle tiers.
I happen to think that [Unknown site tag] is both correct (see the Citibank and other advertising - showing some response to consumer concern) and incorrect (merchants would accept too much risk and liability.)
What I do expect to see is that issuing banks will start to offer extra service in terms of card and account replacement/exchange and such. But NOT a guarantee against disclosure or ID theft.
Why? They already try to prevent it, and fail.
(no subject)
Date: 2007-01-26 12:39 am (UTC)
First, you're correct that the current processes don't work, precisely because the incentive structure is completely wrong. *I* am saying that there is a potential market advantage to be gained in implementing a different, more stringent system, that is built around more rigorous information security certification, instead of the half-hearted mechanisms that don't work.
To succeed, it would require a true infosec company to convince some major merchants that they can get a leg up on their rivals by playing along -- whether that's realistic or not is unclear. If they could get critical mass, however, it could potentially upend the entire system, by changing the incentive structure for infosec.
Or, in other words:
They already try to prevent it, and fail.
Nonsense. You just argued yourself that they *don't* sincerely try to prevent it -- they don't have sufficient reason to do so. I'm saying that this provides a possible market opportunity for someone...
"Approved" Vendor...
Date: 2007-01-25 04:03 pm (UTC)
(no subject)
Date: 2007-01-25 05:13 pm (UTC)