Credit card data security: Who's responsible?

By Phil Lieberman, president & CEO, Lieberman Software, and Henry Helgeson, co-CEO, Merchant Warehouse, Network World |  Security, data breach

If the U.S. government were to mandate that credit card issuers be responsible for losses due to fraud that inherently stems from the use of static credit cards, the transition to Smart Card technology would be a de facto decision and this type of crime and liability would be eliminated in less than a year. Until the government mandates a change in liability and an improvement in technology, the beating of the innocent (Heartland and others) will continue.

Lieberman is president & CEO of Lieberman Software, which provides privileged identity management and security management solutions that automate IT administration tasks, increase control over computing resources, reduce vulnerabilities, improve productivity and help ensure regulatory compliance. He can be reached at

Credit card processing companies should not be further to blame

By Henry Helgeson, Co-CEO, Merchant Warehouse

A data breach at a credit card processing firm causes an enormous amount of financial and brand damage, so it is not necessary to punish the victims further. What the government needs to do is focus its efforts on the criminals and stop villainizing the victims. That said, the government has made it easier to deal with breaches and companies in our business can and must do a better job of protecting data.

Credit card processing companies work hard to protect data. The Heartland case was unfortunate, but not gross negligence. And when Heartland was breached it certainly had enough problems without having the government fining and penalizing them. But the silver lining is that this and other breaches have pushed the whole industry forward.

Consider the Data Breach Notification Act (S.139), which was introduced in the House on the heels of the Heartland breach and was recently passed. The law requires "all Federal agencies and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information". And it means we have to answer to one regulatory body rather than 51 (all the states and D.C.). If you have to follow 51 sets of regulations, you're spending more time on regulations than you are on developing your business.

And when Heartland went down we all said, "Wow, this can happen to us. We need to lock things down." The good news is there are solutions out there – such as end-to-end encryption – that can help. My company, Merchant Warehouse, was one of the first companies to deploy end-to-end encryption. With E2E encryption, cardholder data is encrypted at the point of swipe, transmitted over the network and securely stored in off-site servers. The data is tokenized, ensuring it is not usable if someone's network is breached.
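The point-of-swipe encryption and tokenization Helgeson describes, as an added Python illustration that is not Merchant Warehouse's code: the merchant's database keeps only a random token and the last four digits, while the encrypted PAN lives in the processor's off-site vault under a key the merchant never holds. The HMAC-based keystream cipher is an illustrative stand-in for AES-GCM or an HSM, and the vault key and card number used in the test are constructed sample values.

```python
import hashlib
import hmac
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects mistyped numbers before they reach the vault."""
    digits = [int(c) for c in pan][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(digits))
    return len(digits) >= 13 and total % 10 == 0

class ProcessorVault:
    """Off-site vault run by the processor; the merchant never holds its key."""
    def __init__(self, key: bytes):
        self._key = key
        self._store = {}  # token -> (nonce, ciphertext, tag); never the plain PAN
    def _encrypt(self, pan: str):
        # Illustrative keystream cipher (HMAC-SHA256 as PRF; one 32-byte block covers a
        # 19-digit PAN). Real processors use AES-GCM or an HSM; this only runs offline.
        nonce = secrets.token_bytes(16)
        ks = hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(pan.encode(), ks))
        tag = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def tokenize(self, pan: str) -> str:
        """Point-of-swipe step: PAN in, surrogate token out; the PAN goes no further."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(8)  # random, so it reveals nothing about the PAN
        self._store[token] = self._encrypt(pan)
        return token

    def detokenize(self, token: str) -> str:
        """Processor-side only (e.g. for refunds); verifies the tag before decrypting."""
        nonce, ct, tag = self._store[token]
        expect = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("vault record tampered")
        ks = hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, ks)).decode()

def merchant_record(vault: ProcessorVault, order_id: str, pan: str) -> dict:
    """What the merchant's own database keeps: token and last four, never the PAN."""
    return {"order": order_id, "token": vault.tokenize(pan), "last4": pan[-4:]}

def leaks_pan(record: dict, pan: str) -> bool:
    """Scan a dumped merchant row for the full PAN, i.e. what a breach would expose."""
    return pan in "".join(str(v) for v in record.values())
```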

Originally published on Network World.