Why do massive credit card hacks keep happening?

Follow the money and you will understand

Flaming WaferWhy do so many large companies get ‘hacked’ with the attendant credit card information lists stolen? That is easy, the credit card industry makes money from each theft and so does nothing to prevent it.

I know it sounds ludicrous but that is actually what happens, mass credit card thefts through breaches, hacks, insider action, or whatnot are good for a card company’s bottom line. Because of this they have lobbied for rules so that they are not liable for anything, all the burden is on the issuer, merchant, or consumer. It is a broken system.

First up lets look at the root of all this, the so called Payment Card Industry (PCI) standards,this FAQ may be a little more informative than the dumbed down official version though. PCI was developed by the major card companies and most people think it is there to ensure a merchant actually takes security seriously. This notion is also what parties with so called ‘skin in the game’ promote because they want you to believe it. Unfortunately it does no such thing or at least only does so in a trivial way.

Why do we say this especially if you read the web sites and attendant materials, it is all about securing things correctly. There are worksheets, recommended actions, and things you can do galore to ‘secure’ your credit card processing functions. In short it reads more or less like an industry best practices guide which on a basic level, it is. That is the root of the problem.

What the PCI guidelines do is to provide a set of best practices that anyone touching a credit card can follow. These guidelines vary according to size, past problems, and a host of other items and can be broadly categorized as the larger you are, the more you have to do. It all sounds great on paper, the larger the risk, the more you are required to do, and they even give you a checklist of sorts.

Unfortunately that best practices list is so vague and broad you can do just about anything and pass an audit. SemiAccurate knows several people with long time PCI compliance experience and they all describe the process, at least as far as actual security goes, as a joke. It does “squat all” other than provide companies with a list that they can check off and then claim they followed, “industry best practices”. Real security is almost unrelated to these guidelines.

If it is such a joke, why does the industry mandate it? If it does nothing, why should anyone bother? The answer to that is the first key to this entire story, it actually does a lot for anyone who follows it, but what it does is completely unrelated to security. That benefit is that it provides compliance, something that in the modern world is worth far more than actual security.

Compliance is simply a way for a company to say in legal terms, “We did the best we possibly could to ensure security” even if they didn’t do anything more than the bare minimum to pass the tests. Did I forget to mention that a company is required to have their PCI status tested by an approved third-party whom the merchant pays? Think about that for a second, any guesses where the auditor’s loyalties lie? Also said scans and audits only check for compliance with the guidelines, not actual security.

So what you have in PCI standards is nothing more than a legal shield, a big shiny framed certificate that says you can pull out if you have a breach. In short it is an industry approved stamp of approval that makes the inevitable lawsuit after a hack unable to collect anything more than actual damages if even that. PCI is nothing more than a way for the industry to squirm out of most lawsuits and make the ones they can’t weasel out of effectively not worth launching. PCI standards don’t do squat for security unless you consider the bottom line of incompetent or uncaring companies to be actual security. This is of course by design, it is meant to thwart the consumer’s legal recourses and it does so very well.

If that is the case, why don’t credit card companies actually force things to be actually secure? That is the next problem and it depends on who you mean by credit card companies. There are a few levels of card company, the card brands like Visa and American Express, the issuing banks, that would be who you get the actual cards from, and the merchants who take them. On the bottom of the pile is the consumer who has the card issued to them.

Power in this industry rests in one place, the card brands and their attendant companies. They can make up rules somewhat arbitrarily and those lower down the line have literally no say in them. Why? Because they can pull the plug on the issuer on a whim and there goes a major part of their business. Being a member of this chain is voluntary so good luck to any merchant who tries to fight that, no chance. Consumers, well they are just roadkill, they have no rights other than the odd law passed by a few states that tends to be so watered down by lobbyists that it is worthless. Only one link in the chain has the power, and that is the top.

Why is this a problem? Remember those arbitrary rules we mentioned? Guess what some of them have been placed to do? If there is fraud on your card that is no fault of yours at all, guess who pays? Most banks shield consumers to have a small or no liability in such cases, merchants who have fraud committed against them are not so lucky. They get stiffed with the bill and they get fined for various things like taking a bad card. The issuing bank usually doesn’t pay a cent and possibly gets a cut of the fine. The card brand company makes a lot of money off the fine too.

Then it gets worse, the merchant has the fees it pays go up for, well a long time. They get dinged because they were a crime victim and this is on top of the money they lost and fines they paid. The consumer on the other hand has to get a new card with all the attendant hassles but that is probably worth it. Target and Home Depot get hacked, you get headaches, the merchants who have the stolen cards used at their store get stiffed, and the card issuers and card brands make money.

Do you see how this is a rather perverse incentive system? Do you see how it can lead to card brands and card issuers making sure there is no actual security or at least mandating things that don’t actually secure a wet paper bag? Can you see how those affected have absolutely no power to affect change? Can you see why this system will never actually change? In short there is too much profit involved and the margins on those fees are perilously close to 100% for those receiving them.

Better yet those who were actually damaged do not just have zero recourse, those profiting from the hacks have a near absolute legal shield to protect them. Not at all ironically it is a shield of their own design that nearly everyone in the industry agrees is a good thing. Some of this might be that you if don’t agree and comply, you can’t be in the industry so it is about as fair an honest as a North Korean election. Participation in the credit card system is technically voluntary for merchants, not that you can really run a business without it, so merchants had damn well smile and pretend to be happy.

Now scale this out to the massive breaches we are seeing of late, millions to tens of millions of cards hacked at once. If you use 1M cards as a hypothetical hack and there are 1000 of those numbers fraudulently used against an innocent merchant, we have a starting point. Lets also assume that each merchant does $1M in credit card transactions a year and the average consumer is liable for only $50 each.

From here the merchants who had the stolen cards used against them have to foot almost the entire bill for the theft, anything purchased from them is gone and they have no real recourse. That is the beginning of their pain, they get fined on top of that but we don’t have access to what those numbers are. Yes those who were just victimized by the hackers are victimized by the card companies. Why? Because the card companies can and the merchants have absolutely no recourse.

Worse yet their processing fees go up, usually way up. If we only assume a mere .5% rise in fees, something we understand no card brand is nice enough to only impose, that would be an extra $50K/year per merchant or $50M for the card brands. Per year, and those increases can go on for many years too. Now we are talking real money, and it is almost 100% profit for the card brands and issuing banks.

So that is the basic problem, in our hypothetical hack of 1M credit cards, the card brands and card issuers make a net total of $50 million plus a few tens of thousands in fines. How this is split is a good question but our sources say that the overwhelming majority goes to the card brands, you know, the ones that make the rules. Think this is coincidence? The merchants get abjectly screwed and have to foot the entire bill, sometimes for many years down the line. All this for being an innocent victim.

Those unlucky .1% of consumers who had their numbers used could be on the hook for a bit more too. Also please remember that this is for a mere 1000 used cards out of 1M hacked, if that number goes up to 2000 used, the brands and issuers make 100M/year plus those miscellaneous fines and adders that aren’t public. Not a bad business model and it goes to show why card security from the top is completely absent.

The normal consumer recourse for such brazen and abject abuse from a large company is of course to sue, in this hypothetical case it would be quite warranted. Consumers and merchants did nothing wrong and end up paying tens to hundreds of million of dollars a year for the privilege of being a victim.

Luckily the credit card industry has thought that one out and taken swift preëmptive action. There is no direct liability in this hypothetical case for either the brand or the issuing bank so they are off the hook. The merchants who had the cards used on them and the consumer have no real liability either even though they pay for it in the end. The real one for the lawyers to go after in the end is the company that got hacked.

That is where PCI comes back into play, it says that the company hacked did the best they could do to secure things at least in the legal sense. They have audits, scans, and seals of approval to show their due diligence too. This is something that companies have made a great deal of effort to make sure held up in court, there is a lot of legal precedent to back up what PCI compliance means. In short the bar is raised so high that you have to prove a company was effectively willfully negligent in their security to collect a dime from them. That is effectively impossible and makes all but the most egregious and well documented hacks impossible to collect over in court.

What this means is that the credit card system works exactly as designed. Those making the rules somehow rake in massive profits from each hack, so why should they change? Those that get hacked and have their lists of customer cards stolen are almost perfectly shielded from the one recourse a consumer or other victim has, the legal system. Those that get victimized are simply on the hook and there is nothing they can do about it, that would be you and random merchants everywhere.

Don’t look for government to change things either, the credit card industry has quite a few lobbyists, you don’t. You are screwed, the industry makes massive profits from each hack, and there is nothing anyone can do about it, legally or otherwise. Given the amount of money involved, don’t look for this to change. Just be happy that you can shop ‘securely’ at any PCI compliant merchant, compliance is job one citizen and the system works exactly as designed. Unfortunately it doesn’t work for you.S|A

The following two tabs change content below.

Charlie Demerjian

Roving engine of chaos and snide remarks at SemiAccurate
Charlie Demerjian is the founder of Stone Arch Networking Services and SemiAccurate.com. SemiAccurate.com is a technology news site; addressing hardware design, software selection, customization, securing and maintenance, with over one million views per month. He is a technologist and analyst specializing in semiconductors, system and network architecture. As head writer of SemiAccurate.com, he regularly advises writers, analysts, and industry executives on technical matters and long lead industry trends. Charlie is also a council member with Gerson Lehman Group. FullyAccurate