Comment: Embrace the New EU Data Protection Laws to Keep the Consumer Safe

"The EU changes are designed to protect the consumer, and instead of complaining about the problems they will bring, we should embrace the challenge", says Critchley

For those of us involved in the prevention of credit card fraud, the EU Data Protection regulations are extremely important. In January 2012, the EU justice commissioner announced proposed changes that would oblige organizations to notify both victims and relevant authorities within 24 hours if their personal data is lost or stolen. Such rigorous changes will provoke extreme reactions both for and against. Amid all the shouting, however, the voice of the consumer has been almost entirely drowned out.

It is understandable that organizations are not anxious to broadcast the news of a security breach. If customers hear that an organization has lost their data, word spreads fast and the reputational damage to a brand can be immense. This was demonstrated when the US supermarket chain Schnucks experienced a data breach between December 2012 and March 29, 2013. During this time, card details from approximately 2.4 million customers were exposed, with the retailer first learning of the leak on March 14, 2013. News of the breach travelled across the globe, resulting in inestimable damage to brand reputation, with class action lawsuits since being filed against the company in Illinois and Missouri.

Many companies would prefer to suffer the financial consequences and keep quiet. There is also much grumbling about the cost of implementing the proposed EU rules – even from the Information Commissioner’s Office, which is responsible for enforcing personal data regulations in the UK.

The same kind of protest was heard when the Payment Card Industry (PCI) regulations were first introduced in 2004. Companies blamed the banks for using them to make money and lamented the work that would be required to bring their IT systems up to scratch.

It’s time to remember that it is the protection of the individual that is at the heart of the data protection laws, just as it was for the PCI regulations. Each of us has the right to expect our personal data to be treated with respect. If we feel that our details, financial or otherwise, are not safe in the hands of a business, we will walk away. Trust is an essential factor in a thriving economy.

Government figureheads have a moral duty to push these changes through and to implement them once they have been finalized. At present, credit card fraud is rife, yet it often escapes public awareness. Too many organizations would still rather avoid the cost of complying with PCI regulations to protect their customers’ information, safe in the knowledge they need never tell their customers if a breach occurs.

Largely, the PCI standard has been a success. When it was created, card fraud was on the rise, consumer confidence was at risk and it was in everyone’s interest to create a safe environment for commerce. In spite of the difficulties, the initially daunting task of separating card data from individual identities was solved through tokenization. New technology made it possible for card data to bypass company infrastructure completely, removing businesses from the scope of PCI DSS altogether. The cost of adhering to the regulations has fallen considerably, and levels of card fraud have dropped dramatically.

We can expect to see a similar surge of innovation in response to the new EU Data Protection regulations as companies find new ways to cope. Already, in an echo of tokenization, ‘pseudonymity’ has been considered as a means to separate the identity of individual consumers from the valuable data about their shopping habits. More solutions will surely follow.
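The separation the column describes, as an added illustration rather than Semafone's product or any code from the original piece: a vault-style tokenization service in which only the vault ever holds the card number, beside the keyed pseudonymization that the 'pseudonymity' idea alludes to. The PAN, customer identifier and key are constructed test values.

```python
import hashlib
import hmac
import re
import secrets


def luhn_ok(digits):
    """Luhn check, so the vault only ever accepts plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-style tokenization (constructed example). Only the vault holds the
    PAN; every downstream system stores the token, which is random rather than
    derived from the card number, so it reveals nothing without the vault."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # a repeat card maps to one stable token

    def tokenize(self, pan):
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
            raise ValueError("not a plausible PAN")
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        # Keep the last four digits for receipts; everything else is random.
        token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token):
        """Only the in-scope vault can turn a token back into a PAN."""
        return self._token_to_pan[token]


def pseudonymize(customer_id, key):
    """Keyed pseudonym (HMAC-SHA256). The same customer always yields the same
    pseudonym, so shopping-habit analytics still join across orders, but without
    the key the identity cannot be recovered from the pseudonym alone."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]
```

The vault and the pseudonymization key are the only components that would remain in scope; the systems holding tokens and pseudonyms never see card numbers or identities.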

The EU changes are designed to protect the consumer, and instead of complaining about the problems they will bring, we should embrace the challenge. If we want the public to have confidence in the digital society, and to continue to grow the online economy, then we need to make it a safer place. And if organizations fail to safeguard their customers’ personal information, they must be held to account.


Tim Critchley is CEO of Semafone and an experienced director of technology start-ups. Prior to joining Semafone, he was COO at KnowledgePool Group, the UK’s leading provider of managed learning services. He also spent six years with database marketing specialist, Conduit Communications, before co-founding Pogo Technology, an innovative start-up that launched one of the first web-browsing handheld devices in the UK through Carphone Warehouse.
