Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security. However, how about the "acceptable risk" concept that underlies the very security procedures of credit card companies themselves and pervades their relationships with their parties? Do As I Say, Not As I Do?
The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.
In fact, if they reduced fraud to _zero_ today, their revenue would decrease, and so would their profits. So there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.
This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer.
"Acceptable risk" has long been a euphemism for that business model, which shifts the burden of fraud to the customer.
Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold." In fact, a stolen car will need a replacement, which will be paid for by insurance or by the customer working again to buy another car, while the stolen car continues to generate revenue for the manufacturer in service and parts.
Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale.
This is because fraud is a hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up-front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit, and that credit ultimately flows from the customer -- just as in car theft.
What is to blame? Not only the twisted ethics behind this attitude but also the traditional security school of thought that focuses on risk, surveillance and insurance as the solution to security problems.
There is no consideration of what trust would really mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale to Internet volumes and is not even ethically justifiable.
"A fraud is a sale" is the only possible outcome of such a security school of thought, also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for.
Ed Gerck
Friday, March 02, 2007
1 comment:
Ed;
You're right on - the credit card companies do have a revenue stream from fraud - especially when it's against on-line merchants. In fact, in 2001, the last year enough HARD data was available, their revenue stream from fraud was USD $550 Million. That all came from chargeback fees against the merchants. And since it was fraud, the merchants lost the product and the income from the product along with the shipping costs and the chargeback fees. Merchants, of course, have no choice but to pass those losses on to the honest customers.
A sad situation, but yes, at least from on-line fraud, the card companies profit very nicely.