“One of the things that concerns us about the suggestion that we need to harden the Act to require certain technologies is that technologies change,” Johnson says. “If we mandated certain technology to defeat skimming, we would not know how long that technology would stand the test of time before the perpetrators find ways to defeat it. This is an arms race with the folks that want to commit fraud. We do not feel it’s advisable to legislate technology.”
Lefler offers one option for regulation that he feels is on the horizon for the financial industry: “We could create a regulatory environment that will require the banking industry to develop what I call a R.A.M.S. strategy — risk analysis, mitigation strategy — approach,” Lefler says. “Before a new product is offered, the financial company has to, by legislative mandate, do an analysis of risks, including security risks, and develop mitigation strategies to deal with those.
“Take portable ATMs for example,” Lefler continues. “They would have to analyze what the security risks are related to establishing ATMs at grocery stores, gas stations and parking lots. Then they would have to define what their mitigation strategies are. And they would have to put controls in place to manage the scale of risk that would impact those machines and the customers using them. If the banks failed to determine that the risk existed and did not develop a mitigation strategy, the regulators would then come in to legally mandate the issue.”
This type of approach would avoid the sticky problem of legislating technology and potentially make regulation an easier pill to swallow for all parties.
Chris Swecker is emeritus faculty for the Security Executive Council (SEC) and former head of Corporate Security at Bank of America. Prior to joining Bank of America, Mr. Swecker was assistant director of the Criminal Investigative Division and acting executive assistant director for Law Enforcement Services at the FBI.
Marleah Blades is senior editor for the Security Executive Council, a risk mitigation research and services organization for security and risk executives from corporations and government agencies responsible for corporate and/or IT security. The Council is dedicated to developing tools that help lower the cost of security programs, making program development more efficient and establishing security as a recognized value center. For information, visit www.securityexecutivecouncil.com/?sourceCod