Monday, December 5, 2016

Why do we have bad security?

Because it costs a lot, and the rational decision is to have worse security than we'd like.  Visa gives fuel stations 3 more years to install credit card chip readers because of the cost of the program:
Avivah Litan, a fraud analyst with Gartner Inc., said the deadline shift wasn’t unexpected given how many U.S. fuel stations are behind on costly updates, noting that in some cases it can cost more than $10,000 per pump to accommodate chip card readers. The National Association of Convenience Stores estimates that station operators will spend approximately $30,000 per store to accommodate chip readers, and that the total cost to the fuel industry could exceed $4 billion. 
“Some of them you can just replace the payment module inside the pump, but the older pumps will need to be completely removed and replaced,” Litan said. “Gas stations and their unattended pumps have always been an easy target for thieves. The fraud usually migrates to the point of least resistance, and we’re seeing now the fraudsters really moving to targeting unattended stations that haven’t been upgraded.”
Credit card fraud from fuel pumps is around 1% of all card fraud, which is about $16B worldwide.  At $4B for the upgrade, mathematics says that total card fraud would need to be $400B a year (so that the 1% share from pumps equals the cost of the upgrade) for the expense to be justified.  What the delay will allow is for station owners to plan a technology refresh for their pumps (something that will be in the works anyway), so the cost of the chip readers will be a minimal portion of the overall upgrade, rather than the whole thing.

This situation is actually quite a good view into the workings of the "security as risk management" approach.  Yes, the technology exists.  Yes, security will be better after this is implemented.  No, there's no way to justify the cost of an immediate upgrade.  Yes, there will be a cost to carry if you don't upgrade immediately.  No, that doesn't make an immediate upgrade the right decision.

1 comment:

Rick C said...

There are still retail places not using chip readers, either. McDonald's, for example (at least here in Dallas) I don't think even has chip-capable readers yet. I think Burger King is the same way. The convenience store I mostly frequent installed chip-capable readers a long time ago, but isn't using them yet, although they say the change will happen at some point.

Any place (say, Jason's Deli) that takes your card will still be swiping it, too, in my experience.