Comments on: Should Credit Card Issuers Reissue Cards Immediately After a Breach? http://blog.subjunctive.com/2008/08/12/should-credit-card-issuers-reissue-cards-immediately-after-a-breach/ Notes on Security, Privacy, and the Law Sun, 28 Feb 2010 18:36:35 +0000 http://wordpress.com/ hourly 1 By: jtgraves http://blog.subjunctive.com/2008/08/12/should-credit-card-issuers-reissue-cards-immediately-after-a-breach/#comment-17 jtgraves Thu, 14 Aug 2008 15:45:04 +0000 http://jtgraves.wordpress.com/?p=64#comment-17 I disagree. The history of data breaches shows that many were the result of easily-fixed problems. For example, <a href="http://www.scmagazineus.com/Report-TJX-breach-began-in-Minnesota-Marshalls-parking-lot/article/34954/" rel="nofollow">the original point of entry in the TJX breach was a wireless network using WEP</a>. Anyone who's been paying attention to wireless networking has known since 2002 that WEP is useless. That TJX was still using WEP in 2006 was...well, let's just say I'm trying hard to avoid words like "negligent" (but obviously failing). Moreover, taking proper care of data should be part of the bargain when one accumulates information about others. To claim the alternative—that it's just too much to expect merchants to protect theft of credit cards from their information systems—is to say that data loss is a fact of life, that it happens to everyone, and that nothing merchants can do will change that. Maybe there's a background level of data loss that's unavoidable, but I don't think we've seen the level of due care necessary to prove that. In the meantime, I think PCI and the FTC are on the right track. I disagree. The history of data breaches shows that many were the result of easily-fixed problems. For example, the original point of entry in the TJX breach was a wireless network using WEP. Anyone who’s been paying attention to wireless networking has known since 2002 that WEP is useless. That TJX was still using WEP in 2006 was…well, let’s just say I’m trying hard to avoid words like “negligent” (but obviously failing).

Moreover, taking proper care of data should be part of the bargain when one accumulates information about others. To claim the alternative—that it’s just too much to expect merchants to protect theft of credit cards from their information systems—is to say that data loss is a fact of life, that it happens to everyone, and that nothing merchants can do will change that. Maybe there’s a background level of data loss that’s unavoidable, but I don’t think we’ve seen the level of due care necessary to prove that. In the meantime, I think PCI and the FTC are on the right track.

]]> By: Benjamin Wright http://blog.subjunctive.com/2008/08/12/should-credit-card-issuers-reissue-cards-immediately-after-a-breach/#comment-16 Benjamin Wright Thu, 14 Aug 2008 03:59:47 +0000 http://jtgraves.wordpress.com/?p=64#comment-16 Jim: I argue players like banks (drafters of the Payment Card Industry Data Security Standard, or PCI) and the Federal Trade Commission have attempted to foist too much responsibility on credit card merchants. By their nature, merchants are not qualified to maintain the level of security expected of them under the PCI or by the FTC. What do you think? --Ben <a href="http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html" rel="nofollow">http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html</a> Jim: I argue players like banks (drafters of the Payment Card Industry Data Security Standard, or PCI) and the Federal Trade Commission have attempted to foist too much responsibility on credit card merchants. By their nature, merchants are not qualified to maintain the level of security expected of them under the PCI or by the FTC. What do you think? –Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html

]]>