Why One Hack Is Different From Another For Consumers

I often field questions about what certain news stories mean in general and to the person asking me.  These questions tend to include “what should I do” followed by “is that what you’re doing?”

First – As the About page states, these are my views and not indicative of any employer or any other associate of mine.

Next – What I do should probably seldom be what you would do for any number of reasons, one of the leading being that risk is defined and accepted by each person/entity and the choices that go with that are experience-defining.  I won’t allow my teenage daughter to go to Europe on a class trip at this age and maybe you would.  That choice includes any number of things I think about and commitments that you and I may differ on … all of which, collectively, affect mine, my daughter, and, depending on the snarkiness, the entire family’s experience.

Caveats done (I think).

With recent hacks getting lots of press it may be helpful to your sleep to consider this: not all security incidents are equal.

When someone compromises payment cards from a retail/dining organization, you are blessed with some promises and protections.  The same isn’t true if your Personally Identifiable Information (PII) or Protected Health Information (PHI) are accessed (a.k.a. “stolen”).

Worldwide consumers benefit from a non-governmental regulatory body.  Yeah, let that sink in.  Re-read it.

There is a group of women, men, and, for all I know, parakeets or something, who take on the burden of publishing standards.  That’s a big word.  This group writes a set of statements that businesses MUST live up to so that the group will give the business its blessing.  Well, it’s a little more complicated than that but for the purpose of this blog post, we’ll leave it at that.  Non-governmental – The group is not under the direction of any nation/government.  Instead, it is formed from a group of people who typically have experience in the financial industry.  This group is regulatory.  That means that what they say matters.  If you thought people needed to have guns and tanks to be able to enforce their views then you’ve missed the importance of both money and business.  Those are powerful and this group of people say that their opinion matters and people listen.  Want to know why?  Consider this: if you were a company that wanted to make it easy for people to buy your products or services AND you didn’t want to have to satisfy America’s laws and Europe’s laws and China’s laws and …. Well, you can see how obeying all those sets of laws about credit cards and accepting plastic payments could get painful.  So the Payment Card Industry (PCI) formed its own group and they called the group the PCI Security Standards Council and that’s the group that decides a LOT about what you have to do if you ever touch payment cards regardless of whether they’re credit or debit cards.

Now we know that the PCI SSC makes rules (NOT laws) about what companies must do to take your payment card.  Please keep in mind that this is simplified but it’s accurate for the purposes of this presentation.

One thing PCI has been motivated to do is make it VERY painless for you in the event someone “steals” your payment card data.  If anyone gains access to your 16-digit payment card and the three-digit CVV number on the back or whatever they need so they can make a purchase in your name, using your payment card the PCI has directed and negotiated with card issuing banks what must be done.  In a fit of self-preservation, banks in America will almost universally reverse charges on your credit account immediately when you call them to dispute a charge and the business that charged your card then typically must prove that the charge was valid.  There are a number of factors in this (e.g. if your card was physically present or not, if they followed procedures, etc) but THE SYSTEM IS SLANTED IN YOUR FAVOR.  This may be the first time you’ve felt that way but take some solace; it’s true.  Then again, maybe not so much.  The reason the payment card industry makes this so incredibly painless for consumers is they know how much you are likely to spend.  Reversing a small charge so that you feel positive about your experience will pay off for the bank many, MANY times over during the life of your relationship with the bank.

Debit cards are a little different because that’s “real” money and not exactly digital numbers so banks tend to reserve the right to take up to 5 business days to restore the funds to your account.

With all that background, it’s easy to see why the pain you feel over something like the recent Sonic payment card breach should probably not keep you awake at night.  You have an advocate in the credit card company even if they’re protecting their own investment in your money.

Next let’s consider the Equifax data breach.

This is WAY different for several reasons.

  1. Payment cards are validated per transaction.

This means each transaction where you use your payment card requires the business taking your card to validate several things, even to the point that when you swipe your card or insert the chip, that little sales terminal calls some bank somewhere and makes sure you can pay for whatever it is on the counter … if not, you’ll get the dreaded DECLINED! message and then your palms get sweaty and you have that frantic thought that maybe your spouse paid the mortgage before payday instead of after and what … oh yeah.  Sorry, I got lost in the moment.  You’ve probably felt that sense of fright so I’ll just leave that alone.  Suffice it to say, PCI and the rules around payment cards strongly encourage business to make absolutely sure they can get their money when you use your card or else the business is on the hook for letting you walk out with the stuff (don’t use this info for fraudulent or illegal purposes).

2. Transactions that depend on PII or PHI do NOT validate the transaction.

Say What!

Yep, that’s right.  When you walk into a doctor’s office or apply for a job, the transaction of getting service is much less geared to protect you from someone claiming to be you.  There are rational reasons for this but let’s leave it at “we have a blunt approach today.”

The regulatory bodies that tend to take action when a business fails to adequately protect your PII or PHI are governmental, versus PCI SSC being created and run by the payment card industry.  Typically either the Federal Trade Commission (FTC), which is tasked with protecting consumer rights, Office for Civil Rights (OCR), the sub-department of Housing and Human Services (HHS) tasked with enforcing reported HIPAA infractions.

Because they are governmental, these agencies can be impacted by changes in administration, laws, funding … and they are already trying to keep up in a battle against smart, financially empowered (and often nation-sponsored) active attackers.  This leaves both the protections they can dictate and the resolution of breaches far less effective than what PCI ensures is available for payment card breaches.

Where payment card breaches has a victim, someone who can be held accountable (the business in question) and a clear resolution (give you your money back), PII/PHI breaches cannot devalue your data the same way a bank can just turn off your 16-digit card and issue you a new one.  If someone steals your fingerprints, your health history, or your SSN, it’s much harder to issue new data if it’s possible at all.

Where a payment card breach may affect you for a week or two, identity and health data compromises can affect an individual for many years.

One of many problems is how dependent the US health systems are on some portion of your Social Security number for identifying you.  It was not intended to take on that burden, especially in a digital age.  Your SSN was originally intended to show what federal benefits you were entitled to.  Now we tie all kinds of data to it, making it a rich target.  The fact that our health care system does not validate transactions beyond the initial payment exacerbates this and other problems.

There is no silver bullet at this point for resolving this type of impact to people’s lives; there are possible answers but each is costly, especially in an industry where people are already upset about cost.  Nothing is free and the cost to overhaul this type of identification and validate transactions (or choose a different model) is a major change that would be staggering in terms of effort.

Back from the rabbit trail, for these reasons and a few others, losing your payment card info in a breach is far less important than losing your PII or PHI.  One shouldn’t give you heartburn and the other … well, I’d suggest praying for peace if it bothers you because if I could be part of transforming that mess I would probably consider it the ultimate professional accomplishment.  It’s that huge an undertaking and it’ll take a lot of smart people not compromising but building a resilient and robust model that meets our global needs today with provisions for future changes.