Will fear trump convenience?

THE PUBLIC HAS DEMONSTRATED an amazing tolerance for careless handling of payment data. Despite widespread media coverage of data breaches, consumers still love their cards--credit and debit. It may appear that they have accepted a higher level of risk, but in reality the rules of the game haven't

Some purchasing behaviors have been affected by the risks of payment fraud. Many people still will not use debit cards for online purchases, for example. At what point will a massive data breach, such as the one at TJX Companies earlier this year, erode consumer confidence to the point where fear begins to overcome the love of convenience? Cash, after all, remains a very viable small-dollar option.

There's also the matter of anger. With so many people hooked on cards, any missteps that compromise these payment devices may engender a backlash to the offending parties. Published reports have indicated that TJX was lax in its data handling, storage, and security procedures. How much the company's reputation or bottom line will suffer won't be known for some time, but one source estimates the cost at $25 million already.

Unfortunately, consumers may or may not discern the exact place in the system where the screw-up occurred and may lash out at the most convenient party. Banks have been particularly sensitive to being blamed--by dint of being the card issuer and the one responsible for reporting breaches--for the sins of a merchant, or of a third-party processor. This has happened numerous times already. In the TJX case, the banks and savings banks in Massachusetts, where TJX is headquartered, urged the Massachusetts Bankers Association to act quickly to make it clear that banks were not the cause of the breach, and, in fact, were also victims. The MBA (along with Connecticut and Maine bankers associations) filed suit against TJX in April to seek redress for the costs to banks of having to reissue cards because of the breach.

The whole system of rules, and responsibility for enforcing them, within the card payments sphere is complex--too complex to be effective. Efforts have been made to improve the situation, such as the rollout of the Payment Card Industry (PCI) data security standard last fall. Also, the ABA has just formed a payment systems working group (see page 18).

Still, there are many players and many competitive cross-interests at play--card issuers, merchant acquiring banks, card processors, merchants, the card companies, and, of course, consumers. The business is and always has been highly competitive. As a result, information about fraud, breaches, and fines is notoriously hard to come by as it can have real competitive impact.

Competition has brought many innovations to the payment system, but in the current environment, if the banking, payments, and retail industries are to come to a consensus on how to prevent and deal fairly with data security rules and issues, they had better move fast.

Banks, in particular, are at the center of the payments system, though their position is eroding, as discussed in the cover story (p. 25). Ali the more reason to insert themselves boldly into the data security issue.

WILLIAM W. STREETER

Editor-in-Chief

bstreeter@sbpub.com