SAIJE Thoughts

PAPER OR PLASTIC?

 We are starting to hear more and more about data breaches where credit card accounts are lost (hence the need to outline PCI Compliance). The most recent is the breach where 4.2 million credit card/debit card numbers are lost at Hannaford Grocery Stores (North East and their other chain in FL). Here is the basic article. Already 1500 known cases of fraud have occurred as a result of this breach.

While many are looking at the issues of how this happened and we may or may not ever find that out, a couple items stick out.

• Once the breach was discovered, it took about 3 weeks to fix. I understand there are technical issues, but essentially Hannaford weighed risks of shutting down credit operations vs the incovenience of fraud to its customers. Where do you think they stood?

• If Hannaford shut even the debit card operations (and still allowed credit), the risk would have been lower for its customers (at a loss of 1 - 1.5 % of the value of the charges and an inconvenience for some whose check cards for some reason cannot be used as a credit card.

Ever wonder why if you get cash at an ATM, they charge you up to $3.00, but to get cash back at a store, you get charged nothing? Or why in many places they make it more difficult to do a credit operation vs a debit operation? The answer is simple again- money. Stores are charged a percentage of the value of goods when running a credit operation (lets say 2%). When running a debit operation it’s a flat fee (around ten cents). In either case, the cost is passed to you, the consumer, which is why stores prefer debit. They can offer lower prices the more debit is used OR get a bit higher short term profit.  So they push debit operations by offering cash back operations and discourage credit by requiring signatures, paper slips, etc. So you may prefer using debit - it helps your store lower prices, but remember security. With debit charges, you are almost immediately responsible for the charges, whereas when the same card is used as a credit, your charges (and losses) are insured.

 In this case, it may be time to rethink debit vs credit for most people and use credit…..unless you want to go way back and pay cash or check. And also time to rethink stores liabilities once they discover a breach. The primary concern should be protecting the customer - in this case, when breaches are discovered, debit operations at a minimum should be suspended. Of course if the breach is due to negligence on the stores part, who ultimately pays for credit operatations will be in play between the store and credit corporations, but at least in some small part, a customer’s security is  alittle better. Yes, I realize that identity theft will still need to be monitored and more can happen, but at least your money is a tiny bit safer that way.

Simply put, in at least one area, response to the consumer, Hannaford failed in their corporate governance.

This entry was posted on Tuesday, March 18th, 2008 at 1:51 pm and is filed under Basic Security, IT Governance, Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.