Regarding PCI, and disclosure of data breaches.
My credit card recently got cancelled as a preventative measure, because of some random disclosure. Supposedly my card wasn’t actually disclosed, but since I’ve done business with that merchant they want to be safe. The merchant notifies Visa, Visa notifies the bank, bank cancels card (and should have notified me—but that’s beside the point).
This bothered me a little bit, and I wanted more details. I fully expect to get my credit card stolen on a semi-regular basis, but would like more visibility and accountability where possible. Basically– I just want to know how it got compromised. The merchant could have done everything right and by the book, but still gotten knocked over; and that’s ok! It could also have been a blatantly obvious hole in their security, which should have been prevented. That might be ok too, depending on their response to the issue. I’d like to be able to make a conscious decision whether to continue business with a vendor based on their security culture, as that’s a good indicator of whether I will have issues in the future. Not to mention– I don’t want to support companies that don’t seem to care about consumer privacy.
I thought that PCI required public disclosure of a breach to customers, at a minimum… but I have no idea who the merchant was. Is there some funny clause that they don’t have to publicly notify, if they just make sure Visa/Amex/etc get all the cards cancelled? Shouldn’t Visa or the bank be able to give affected customers that information? At face value, it seems a little squirrelly, unless I’m overlooking something. How can we expect retailers to care about security, not just in the eyes of compliance, if there’s not true accountability?
That would seem to inhibit a generation of rugged consumers who assess who they share information with based on security posture. I wholeheartedly believe such a culture would push organizations to be more positive and visible with their security stories. Supply and demand.
This sent me on a massive search for resources. It took me a while, and I even thought about creating my own community website to aggregate data breach information for consumers. Turns out that already exists in several places.
So, here are some good resources for those who wish to proactively scout out and support organizations with a good security history. I think there’s more of this to come in the future, but these websites are a great start:
- http://www.databreaches.net
- https://www.privacyrights.org/data-breach
- http://datalossdb.org/organizations/60-bank-of-america
- https://privacyfix.com/start
- http://privacychoice.org/project
- http://privacyscore.com/score_details/952b6b852d104973a71f610611913d2e
Posted on March 15, 2013