Don’t Legislate Technologies, Legislate Outcomes
Holding banks and companies responsible for fraud will motivate them to solve security’s toughest challenges
The strongest security mechanism in the credit card industry is not firewalls, two-factor authentication, or any other particular technology. Those things matter, as Gerhard Eschelbeck points out, but they only solve part of the problem.
The strongest security mechanism is actually the simplest: a federal law that caps a customer's liability for unauthorized charges on a credit card at $50.
That simple rule means customers don’t have to care about all the details of security. Don’t get me wrong, those details are fascinating: I’ve spent my career working through them, and it’s gratifying when people take an interest. But we can’t expect most customers to read up on the latest weaknesses in SSL every time they make a purchase online. The details of security are too complicated, and change too quickly, for us to force consumers to protect themselves.
The virtue of pushing liability for fraud onto the banks and payment companies (like Square) is that we are precisely the ones in a position to solve the problem.
We can invest in fraud detection systems and in new technologies like chip cards and tokenized payments such as Apple Pay, which reduce fraud losses by keeping reusable card data out of the hands of merchants and attackers. At the same time, by avoiding legislation that mandates particular approaches, we leave companies free to innovate and find new ways to do business. I fear that even the basic requirements that Michael Coates recommends in his post will be too prescriptive for some and not strong enough for others. As long as consumers are protected from any problems, though, does it really matter how companies protect the data?
If we want to get serious about protecting customer privacy, the best way is to push liability for breaches onto the companies hosting consumer data.
The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Read the post that kicked off the roundtable here and feel free to join in the conversation.