
Anne Stuart’s BPM in Action

Michael Dortch

When Business Processes Fail: Credit Card (In)Security, Anyone? Everyone?


I read with fascination and horror a recent posting by Bennett Haselton, a freelance programmer based in Seattle who also happens to maintain the Web site and mailing lists for a group called Peacefire.org. That organization advocates for the free-speech rights of younger people (who, perhaps coincidentally, are typically too young to vote) and against censorship aimed at them. The organization has provided useful information for numerous anti-censorship campaigns and lawsuits, some of which have been successful.

But that's another story entirely.

Mr. Haselton's recent posting, the one that thrilled and chilled me, appears at Slashdot.org and is entitled "Why are CC Numbers Still So Easy To Find?" It lays out how easy it is to find active, working credit card numbers online. It also lays out how easy it would be for the credit card companies to curtail or eliminate the problem, via simple alterations of business processes and perhaps a Perl script or two.

That's not the chilling part, though. The chilling part is that when Mr. Haselton tried to be the good Samaritan and point out the problem to the credit card companies, most of what he got was "no comment." And when he gave them actual cardholder information, only one, American Express, bothered to contact the cardholders and advise them to change their card numbers.

I'm not finished being chilled, however, and neither should you be. According to comments posted by other readers of Mr. Haselton's article, merchants' negligence is at least as responsible for the fraud that results from credit card number theft as the credit card companies' inability or unwillingness to address the issue. That's largely because merchants are frequently too ignorant of regulations and/or technology and/or the scope of the problem – or too cheap – to take the data protection steps prescribed by already-existing standards. Those would be the Payment Card Industry Data Security Standard, or PCI DSS. Penalties for non-compliance can include huge fines and the inability to process credit card payments, but non-compliance obviously still exists.

Merchants suffer, too. Every time a fraudulent transaction succeeds, a consumer's liability may be limited to $50, but the merchant can lose the merchandise and its full purchase price (plus transaction fees) to the credit card issuer. Merchants argue darkly that this is the real reason why the credit card companies do little to nothing of substance to curtail the problem of unprotected credit card information.

(Clueless IT people share some of the blame here, too, at least according to some of those commenting on Mr. Haselton's article. A strong precedent was set by the "cottage industry" that exploded around compliance with regulations such as Sarbanes-Oxley (SOX). Nonetheless, despite the obvious money to be made consulting with businesses about PCI DSS compliance, there seems to be little awareness of or interest in providing such help among IT people.)

So there's more than enough blame to go around, and enough worthy recipients of it, where credit card information exposure and resulting fraud are concerned. And there are obvious lessons here, for companies that accept and issue credit cards, and for companies and individuals that use them.

1. Guard your credit card information (and/or that of your customers and/or business partners) as if it were cash. Lots of cash.
2. Demand documentation that your credit card information (and/or that of your customers and/or business partners) is being protected at every point in the value chain that involves you (or your customers and/or business partners).
3. Be aware of the regulations and industry guidelines intended to govern protection of sensitive information in your business and/or industry – and follow them. If you're in IT, make sure the appropriate businesspeople are involved and aware. If you're a businessperson, make sure IT is involved and aware.
4. Be transparent. It's not enough to say you're protecting sensitive information. You must be able to demonstrate that you are doing so effectively and consistently, to avoid the ire and suspicion of business partners, customers, prospects, regulators, and other stakeholders. Put shredders next to the desk of each credit card application or transaction processor if need be.
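Items 1 and 4 above translate, on the IT side, into a concrete check: find card numbers sitting unprotected in your own logs and files, and render them unreadable (PCI DSS permits keeping only the last four digits for display). The following Python is an added example, not code from the post or from any named card brand; the log lines are constructed, and the classic 4111 1111 1111 1111 test number is used because it passes the Luhn check digit test.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits; the rest is replaced with asterisks."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line):
    """Mask every Luhn-valid PAN in one log line; return (clean line, count)."""
    hits = 0

    def _sub(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # order ids, timestamps etc. are left alone
        hits += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), hits


def scan_log(lines):
    """Redact a whole log; return (cleaned lines, total PANs found)."""
    cleaned, total = [], 0
    for line in lines:
        out, n = redact_line(line)
        cleaned.append(out)
        total += n
    return cleaned, total


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2008-01-07 order=20080107001 card=4111 1111 1111 1111 amount=59.99",
    "2008-01-07 order=20080107002 card=4111111111111112 amount=10.00",
    "2008-01-07 health-check ok",
]

if __name__ == "__main__":
    clean, found = scan_log(SAMPLE_LOG)
    print("\n".join(clean))
    print(f"{found} unprotected card number(s) found")
```

The second line is deliberately left untouched: its 16-digit value fails the Luhn test, so treating every long digit run as a card number would produce false positives on order ids and similar fields.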

Effective, enforced business processes at any of several points in the history of every ultimately fraudulent credit card transaction would likely have killed that transaction long before its completion. Bad BPM costs money, directly and in damage to corporate perception and reputation. And who knows how much that really costs?


Business process management and optimization -- philosophies, policies, practices, and punditry.

Anne Stuart

I am the editor of ebizQ.
