Wednesday, June 20, 2007

Banks v. Merchants

One rift between interest groups that has emerged in the world of information security is between merchants and banks. The basic conflict is driven by banks' fear of exposure based on acts (or failures to act) by merchants. This leads to banks imposing standards (e.g., the payment card industry data security standard) on merchants, who are then faced with the prospect of struggling to comply with what seem to be mercurial and/or contradictory mandates. The result, predictably, is frustration on all sides, as was shown in a recent panel discussion sponsored by Symantec (described in this article). That frustration has also manifested itself in more problematic ways, such as noncompliance by merchants who feel that the standards are too expensive or too unwieldy (as blogged here).

However, it seems that that frustration also has the potential to lead to positive change. For example, in response to complaints by merchants, the payment card industry is changing the way its data security standard will be defined in the future (blogged about here). Similarly, in response to concerns from banks, states are considering laws which would shift the cost of cleaning up after data breaches to the entities who cause them (one such proposal is described in this article). The lesson from all this? First, if you have concerns about data security, regardless of what type of organization you represent, you're not alone. Second, if you express your concerns, there's a real possibility that they will be addressed, as both public and private organizations have shown themselves to be responsive to feedback and criticism.
