Through a short but unexpected chain of relationships I was asked yesterday to appear this morning in a brief interview on Scott Fitzgerald’s show on WPTF 680 AM. To be honest, whether or not to say yes was something of a quandary. On the one hand, I couldn’t turn up anything specifically negative about the host and the chain of relationships involves a much-loved former boss; on the other, this is a right-wing AM talk radio station that plays Sean Hannity, for gods’ sakes.

After some thought and a discussion with The Boyf I decided that, given that the topic itself – securing credit card data and protecting personal information – is fairly apolitical and the tone of the thing seemed to be educational rather than advocating a particular point of view, well, what the hell, right? I did a little reading up on the big TJX breach, as that was apparently going to be the topic that morning, and wrote down a few thoughts in case my brain was fuzzy at 7:10am.

The experience itself was nice enough. The host was polite, the interview was brief, I didn’t say ‘um’ every other word and I got to say the thing that made me ultimately decide to do this: that there is no such thing as “security.” As I said to the host (after trying it out a couple of times on KJ, bascha and The Boyf last night), our society has become convinced that “security” is some attainable state of the absence of risk but in truth “security” is the ongoing process of trying to find a balance between risk and convenience.

It’s childish and silly of me but I really relished saying that to an audience of security-obsessed wingnuts.

The only thing I don’t understand is why the host asked me how 9/11 had changed network security. It hasn’t. I didn’t get a chance to bring this up but the truth is that 9/11 didn’t change a damned thing about network security – at least not in the markets where I’ve worked – because 9/11 was a physical attack, not an electronic one. The big engines of change have been government regulation, the very market interventions that free market righty types find so abhorrent. I’ve seen more clients make positive changes to their networks and their policies as a result of SarbOx, HIPAA and the FFIEC than anything else.

The host asked how a person can protect their credit card data and I said, in all honesty, that we can’t. The truth is that once your financial data is in a store’s hands it is out of yours. Period. If that data is compromised then they have to notify you but they don’t have to tell you how or by whom or anything else. In fact, there is a disincentive to inform. TJX’s (eventual) openness about how the theft was done led to lawsuit upon lawsuit. During the time span that the big, multi-store heist in question was being executed my bank sent me three (3) new copies of my credit card and I’ve never known exactly why. Was my information in that data? Probably so; I’ve shopped at Barnes & Noble plenty of times.

The example I gave them was that if one wants to make sure one’s credit or debit card data is never stolen from, say, the grocery store, then one had better always pay in cash. It’s not that simple, though. Paying in cash means remembering to go to the cash machine and knowing exactly how much one will spend at the store. That also requires protecting one’s PIN from prying eyes at the ATM, keeping one’s wallet from ever getting stolen and then, even then, if one’s data is stolen directly from the bank, well… so much for all that effort.

The payment card industry has a set of requirements it imposes on merchants called the PCI DSS (Payment Card Industry Data Security Standard). It’s a good start but it is only that: a start. It covers some basic common-sense benchmarks, but these are as basic as making sure default passwords aren’t left on vendor-provided cash registers and other equipment. It’s bare-bones at best. The truth is that payment data theft is a problem for which the market is never going to correct. The use of cards is way too profitable for everyone involved. Stores, the banks that issue the cards, the payment card providers themselves, payment processors, everyone involved makes way too much money off cards to ever give them up or to make them too inconvenient to use. No store is going to react warmly to someone walking in off the street and asking how that store protects credit card data. No store ever advertises that customer data is more secure with them than with their competitors.

So what do we do? There isn’t much we can do without accepting a high level of inconvenience. Sure, there are options – get prepaid cards to use for online shopping, but read up on the fraud protection for those cards first just in case it’s not as good as your normal credit card. Get a secured credit card. Get a credit card with your picture on it. Keep tabs on your account activity online – weekly, not monthly. Request a copy of your credit report once per year if not once per quarter. Write a check instead of using the card; check data can also be stolen but it’s harder to get at one’s cash with check data. Better yet, use cash. There are ways in which the TJX heist was very clever – they combined elements of physical theft (geographical proximity and physical access to the store) with an electronic intrusion (computer security is often contemplated only as a means of preventing distant attacks) – but ultimately war-driving and cracking WEP aren’t exactly innovations, and the theft overall follows the same pattern used in all such cases: the thieves cast the widest possible net and took the easiest pickings. The only thing to do is to make oneself a less attractive target surrounded by lower-hanging fruit.

None of these makes the stores protect our data any better, though, and nothing ever will. Most of these ideas are only useful to protect against identity theft, which could be much more easily and thoroughly protected against by a couple of basic regulatory changes – require that photos be included in credit reports and require automated notification if one’s credit report is accessed for any reason, two things that would cost the credit bureaus some money and save everyone else a lot of headache. Even regulation will at best discourage such carelessness in the retail sector. Ultimately the only option we have is to stare into the abyss and decide for ourselves how much we want that TV or that t-shirt.

So what do I do?

I use my card all the time. I hardly ever have more than a couple of dollars on me in cash. It’s just too convenient. I make up for it by monitoring my account and my credit record and trusting that I’ll be able to get refunds for any fraudulent activity. So far, so good. That’s “security” for me: the amount of risk I’m willing to tolerate balanced against the convenience I desire. Anyone who tells you “security” is anything else believes they can make a buck off it if they tell you enough times.