Information is valuable. Data elements that can be used to represent information inherit the value of the represented information. Consider your social security number. Even if not written, the knowledge of your number (the information) has value. When expressed in a digital or other format as data, the data then has value as it represents the information. While some data may be more valuable than other data, the fact remains that every piece of information has some inherent value.
Over 70 years ago, when the local post offices were working with the newly established Social Security Administration to assign Social Security Numbers to all Americans, it surely never crossed their minds that decades later the information could be used for nefarious purposes such as identity theft. Rather, the government was attempting to establish a process through which benefits could be distributed in an orderly, repeatable, and verifiable manner. Nonetheless, in today's environment one's Social Security Number has become the "crown jewel" of personal information. The ubiquitous identifier has become a chief target of identity thieves.
Perhaps the Social Security Number is too obvious an example. Take, then, your mother's maiden name. This seemingly innocuous piece of information can be extremely valuable in combination with other data. Carding sites charge a premium for payment card and banking information that includes "mother's maiden name." Having this information not only may allow someone to access account information, it may even let some ill-intentioned individual establish new accounts or change addresses on existing accounts.
Today's identity authentication techniques seem to have taken this into account by creating security questions that may vary from site to site. They may ask questions such as, "Where did you meet your spouse?" or "What's your favorite car?" While this does tend to diminish the importance of some data, it increases the value of other information. For example, if you happened to know that the author's favorite car was a 1977 Camaro SS, you may be able to access certain accounts. Certainly discussing one's affinity for cars does not give rise to the same level of alarm that would arise should someone inquire as to your social security number. The security, then, surrounding the answers to these new security questions is significantly reduced compared to the care one takes when discussing identifying numbers.
This discussion is increasingly relevant as the value of data has been a source of hot debate over the past several years. The general notion is that the card brands are responsible for giving value to cardholder data and must therefore be responsible for devaluing the data. The merchants, according to this train of thought, are helplessly caught in the middle of the card brands that create cardholder data and the criminals that steal it and use it fraudulently. Advocates of this position advance the theory that since merchants were not responsible for the value of the data, they should not be responsible for protecting the data and are being unfairly held accountable. There are two significant drawbacks to this theory: 1) Card brands did not "give" the data value and 2) the merchants are not inanimate entities that have no stake in the protection of cardholder data.
As has already been mentioned, all data has inherent value. Even if the card brands, issuers and other stakeholders were to somehow devalue cardholder data, assuming they provided the value in the first place, the value would simply transfer to another category of data. Cardholder data and car keys represent a good comparison. Cardholder data (PAN, CVV2, etc.) acts as the mechanism by which a transaction is processed. A car "key" acts as the mechanism to allow a person to start and drive a car. For this reason, biometrics are an excellent example of this value transfer. Car makers have been determined to "devalue" keys in the same way that card brands have been urged to devalue payment card data. To achieve this, many carmakers have integrated biometric locks or ignitions in their newer model cars. This has given rise to a new trend of "biometric spoofing" and, more frighteningly, to carjackings, which are arguably more dangerous to the individual than simply having their car stolen. Using the same argument that would blame the card brands for giving data value, one can then argue that car and computer manufacturers can be blamed for giving fingerprints value and must therefore be held accountable for reducing the value associated with that biometric feature.
As to the second theoretical obstacle, the responsibility of the merchants, the position has been posited that because the merchants did not give the data value they should not be held liable for it. The argument here simply does not hold water. Consider the following premise. Your friend has asked for a small loan of about $200. You've known the person for some time so you agree. While he's walking to the bank to deposit the money that you've loaned him, he is mugged, the money is taken, and during the mugging your friend is injured. What's more, he walked through the worst part of town on his way to the bank and was holding the money in his hand, plainly visible. Your position is that your friend still owes you the $200 because it was in his possession although it was only borrowed from you and as such the debt of $200 (not the actual bills) was still owed to you. He didn't have to walk to the bank and he surely should have taken more precaution about securing the funds until he could deposit them. Your friend insists that since he didn't get to use the money, he shouldn't have to pay it back. Additionally, your friend states that since you lent him money that had value to criminals the injury he sustained is your fault and thus you are responsible. After all, it wasn't his fault that he didn't get to use the funds or that the money was stolen and he was injured. The scenario that plays out with respect to merchants and cardholder data is similar.
Each merchant has a business and knows that to increase customer conversion the business can accept credit and other payment cards. This is a measured choice on the part of the merchant - choose not to accept the liability of protecting cardholder data and purposefully limit customer growth or accept the liability along with the benefits of growing the company's customer base. With the emphasis the media places on data breaches and the protection of consumer data there is no defensible argument to be made that a merchant was not aware of the value of cardholder data. The merchant has made a reasoned decision to accept payment card transactions and must accept the responsibility that accompanies those transactions.
The debate serves no purpose but to engender ill-feeling among those in the industry. The finger-pointing mentality hinders progress and does little to assuage customer concerns about the protection of the data. On a related note, it does little to dissuade the government from passing legislation that does not accurately reflect the workings of the industry, resulting in overly burdensome regulation. The fact remains that the data has value and everyone in the industry has a responsibility to do their part in its protection. As a whole, the payments industry has made tremendous strides in the protection of data. Continuing to debate who placed the value on what and who must protect it serves only to turn back the progress. 