[Posted by Ed Kountz]
Earlier this month, MasterCard became the first payments brand to publish the amounts it fines merchants for PCI compliance violations. The move, while not radical in itself, is one more indication of efforts to add teeth to data compliance practices that violate the PCI data security standard.
For the record, initial events of non-compliance at level 2 and 3 merchants have been raised, to $25,000 and $10,000 respectively, according to a letter recently mailed to members. In addition, the framework through which MasterCard assesses the severity of noncompliance events now incorporates escalating penalties, for subsequent violations that occur within a given calendar year.
The more violations, the higher the penalties.
For eBusiness managers, the move is one more piece of evidence that the world is changing, when it comes to enforcing data security requirements (and penalizing violations, when they occur).
As fraudsters become more sophsticated and as the penalties for data compromise increase (both in financial and brand-risk terms), eBusiness managers are, increasingly, also in the trust and security business.
But when it comes to effective security of online data, there are really two related issues.
The first is whether the data is, in fact, physically secure. And while overall efforts at data security continue to increase, spurred in part by the negative brand and reputation impact of such events as the Heartland Payment Systems breach, the true measure here is whether existing data security efforts can keep a step or two ahead of the increasingly-sophisticated efforts of fraudsters.
While the headlines might suggest the good guys are losing, a bit of good news—recent survey data indicates that the overall rate of data compromise leading to financial losses, as experienced by the universe of online users, actually held steady between 2007 and 2008.
But those elements are only half the story. The other side of the equation is whether consumers actually trust the eBusiness channel, and if not what can be done to effectively manage those perceptions. While tied indirectly to actual data security, managing and responding to perceptions is a separate issue.
I consider this issue in an upcoming report. That report, “US Data Compromise and Online Trust Update: Consumer Trust Concerns Still Hindering eBusiness Adoption,” looks at consumers’ trust levels of the eBusiness channel as they relate to internet data security, and the impact of these attitudes on consumers’ transactional behaviors online.
In sum, while there may be progress on actual data security, perceptions of Internet data security show a persistent lack of trust that is keeping many online users from transacting online. Given the essentially anonymous nature of the Web, this is perhaps not surprising. But as the report lays out, resolving this trust gap will be essential in maximizing adoption and usage of the Internet as a transactional channel, and in enabling eBusiness managers to reap the widest benefits when it comes to serving more customers, more frequently and cost-effectively, via the self-service channel of the Internet.