Question

Think about how you would feel if there were no rules regarding how your credit card information was stored on merchants’ Web sites. Would you purchase items from the Web? Would the Internet be as big as it is today if we had no laws or information security policies regarding data that makes up an e-commerce transaction?

• Discuss the level of protection "External device use policy" provides in the context of above scenario:
• How would this policy help the situation described in your scenario?

Answer 1

Answer:-

Discuss the level of protection "External device use policy" provides in the context of above scenario:

The number has to be stored somewhere to perform the transaction and be there to make changes, like reversals or cancellations. It would not make any sense to make a law that prevented the card from being used for its purpose - to buy things.

How would this even work if the number is not stored?

Merchants allow the convenience of credit card number storage so you don't have to enter the number every time you buy something. I keep my credit cards in PayPal in a "wallet" as options so it's there when needed.

This is more to me an information age issue where we depend upon data to carry out our tasks.

At best the website must be https: to store your financial data for future use. I have encountered sites with questionable security enough to report to Barclay last year. (Got a "session cookie" error page after a transaction completed so I was not sure what happened.)

I have read that a new form of financial security is on the way in the form of a mobile phone chip which does away with the credit card altogether. I am guessing that you would prefer that system over a plastic card.

Credit cards are risky pieces of plastic online or offline. I see no difference really. Hackers can get to credit card numbers if they are skilled. Store clerks see your card details.

There is one other issue about storing credit card information online, and it has to do with how responsible a spender you are. If you are someone who spends more than you should — as in, not being able to pay your balance in full every month — you should not store your information.

It sounds silly, but the little bit of extra work necessary to enter your card information each time serves as that much more of an obstacle to overspending. It’s tempting enough as it is to just “charge it” because you don’t see the cash going from your hand to the merchant’s. However, if you don’t even have to type in those numbers, it pushes that purchase even further into abstraction, which is dangerous for the irresponsible spender.

How would this policy help the situation described in your scenario

One major issue today is that there is very legal safeguards and clear definition of ownership for your personal data. Medical data is fairly regulated via the Health Insurance Portability and Accountability Act (HIPPA), but there is virtually no standard for other areas such as social media, web browsing and shopping / lifestyle information.

I believe we need clear legal definitions for what constitutes private / protected information and strong penalties for breaking those laws. This should also include penalties for mishandling data. If you store credit card data or personal information there has to be a minimal level of due diligence required or you should be liable (civil & criminal) for damages.

I would like to see laws updated to include items like:

• Clear definition of protected classes of data. (Medical, banking, social media, web browsing, purchasing habits, location, biometrics)
• Updated definitions of what constitutes personally identifiable information. This should include the standard items (name, birth date, etc), but also more modern elements such as biometrics, device usage, location and even IP address.
• Collection of any personally identifiable information should be legally required to be opt in only by the person.
• Collectors of personally identifiable information should be required to define clear terms of service. This includes how it will be used, how long it will be stored and who it will be shared with. Any change to the terms of use should invalidate the right of use and require a re-opt in by the person.
• There should be a clearly defined process from individuals to revoke use of personally identifiable information and how collectors must dispose of this data.
• Clear legal guidelines for disclosure if this personally identifiable information is breached or exposed.
• Legal liability (civil & criminal) for mishandling protected classes of data.

I realize many of these things are more easily said than done, but it is possible. Some of these protections / guidelines exist today for medical and banking data. It would just take the will of the people to motivate legislators to apply this to more specific areas.