Increased Credit Card Security Means Increased Compliance Risks and Liabilities for Businesses

Steven Minsky | Dec. 8, 2015

Here at LogicManager, we’ve spent a lot of time considering issues related to cybersecurity. To find a new way in which a cybercriminal has exploited electronic vulnerabilities, all you need to do is skim today’s newspaper, which will almost inevitably report a data breach or fraud-related scandal. An evolving set of threats means incident likelihood is increasing, and generally, cybersecurity risks have serious impacts – meaning such risks have very high inherent indices, or combinations of impact and likelihood.

Risk mitigation methods are evolving just as rapidly as the security threats they’re designed to counteract (see our blog posts on “Avoiding Insider Trading with Cybersecurity and ERM,” and “OCC Targets Cybersecurity and AML Deficiencies” for more information).

One of the newest security measures adopted in the United States is an obligatory changeover to credit cards with embedded microchips that are very difficult to replicate.

Newly implemented securities are obviously meant to mitigate risks – and to some extent, they do – but ironically, they can also have the potential to create a whole new subset of compliance risks that businesses must deal with. As of October 1st, 2015, if retailers haven’t adopted the technology to read chip-embedded credit cards, they expose themselves to compliance risks and potential liability. They could also be responsible for reimbursing any funds hackers steal from customers, something card-issuing banks used to cover.

Bob Gereke, a business owner in Manhattan, is doing all he can to comply with upcoming deadlines and avoid shouldering a burdensome liability, according to NPR. In order to comply with the requirements, Gereke will have to acquire equipment capable of reading the new cards, which are inserted rather than swiped. Gereke is not alone, considering every business capable of accepting credit cards is trying to do the same thing; high demand for the technology means it might not arrive until December, 2015. The unfortunate delay, even though out of the business owner’s control, “will potentially leave him on the hook for fraud.”

To compound the dilemma, many small businesses aren’t even aware of the new risk, says Holly Wade of the National Federation of Independent Business. Businesses face a few scary hurdles, including “‘higher costs, more liability in their business, and not knowing what they need to do to comply.’” Credit card chips have steadily been getting more and more news coverage, but other risks might not get the same exposure. This means it’s vital for companies large and small to, firstly, maintain a risk-based compliance management system to streamline how risks and requirements are identified, assessed, and evaluated for potential impact on the business.

A risk-based compliance management software can help make sense of where risk mitigation efforts are worth the investment, as blindly applying the latest technology can often leave a small to mid-sized business not only in the hole financially, but poorly protected from vulnerabilities.

While embedded chips do add another layer of security, they can’t completely prevent identity theft and fraud; the axiom, “Where there’s a will, there’s a way,” holds especially true when it comes to hackers. Gerenke, like thousands of other business owners, is feeling the pressure of these new compliance risks. “‘It’s another thing we have to deal with,’” he says. “‘There’s so many.’”

Gerenke is right. A constantly changing compliance landscape is riddled with potential pitfalls, and it is up to business owners to find a solution that can help identify and mitigate their biggest vulnerabilities.

Risk-Based Compliance

Discover how to implement risk-based compliance at your organization by downloading our complimentary eBook!


About the Author:

Steven is a recognized thought leader in ERM, CEO of LogicManager, and co-author of the RIMS Risk Maturity Model. Follow him on Twitter at @SteveMinsky