Payments and Security: Complexity Breeds More Complexity
Retail payment systems are in the throes of a revolution. Alternative forms of payment are emerging, offering new flexibility to consumers both inside the store and in new shopping channels, and causing a shift from cash and checks as the primary tender in favor of credit and debit, stored value and gift cards, and even innovative payment structures like PayPal and eBillMe. New payment form factors are fast emerging too, most notably contactless payments using the mobile phone as a digital wallet. What’s fascinating about emerging payment types and form factors is that consumers are leading the charge; simply put, consumers are adopting new ways of paying for things faster than retailers can implement them.
Just as digital information has been an important enabler for businesses to scale globally, so too has digital payment data enabled global payment capabilities. Anyone who travels internationally has experienced the beauty of this when using a Visa or Amex card to pay for the hotel. But the risk has also grown globally, triggering international law enforcement efforts. For example, in October 2010 a United States District of Columbia indictment of a Russian international credit card trafficker resulted in that person’s arrest in France. After the arrest, U.S. Assistant Attorney General Lanny A. Breuer stated: “Cyber criminals who target U.S. citizens should not fool themselves into believing they can elude justice simply because they commit crimes outside of our borders. As this and so many other cases demonstrate, working hand in hand with our partners around the globe, we will do everything in our power to bring these criminals to the United States to answer for their alleged crimes.”
Since retailers represent a huge source of digital payment data, they continue to be targets of an ever-emerging array of scams designed to steal that data. That has given rise to what’s known in the industry as PCI DSS (Payment Card Industry Data Security Standards), which does two things: it mandates a set of data security standards, and it significantly shifts the risk of a hack onto retailers. As retailers continue to address issues associated with PCI compliance, projects follow a roadmap developed by the PCI Council, an independent standards group. To recap the roadmap, retailers first need to eliminate risky duplication of sensitive data, then address breach prevention, then enable breach detection, and finally implement end-to-end encryption of all sensitive data. But it’s important to note that compliance is dictated by commercial entities (the payment networks) and not by governments.
In the meantime, as the news media sensationally points out, the bad guys’ methods are increasingly sophisticated and continue to be extremely hard to detect. So everyone should expect that the complexity of the deterrent will continue to grow, just as the complexity of the threat does.
All of which might cause one to muse, “If we could start all over again, what would it look like?” RSR noted in a 2009 report entitled Closing the Sale with the Connected Consumer — The Future of Retail Payments that:
“Payment data security issues are both a symptom and a cause of payment technology challenges today. On the cause side, retailers are challenged to keep up with incremental changes to their payment infrastructure, responding to minor changes made over a long period of time. But those changes accumulate, pulling retailers away from the original, clean architecture of their payment systems. As one retail CIO noted, his payments infrastructure is 20 years old, but he theorized that very little of the original code is left, thanks to the incremental changes his company has made to keep up with VISA. This piecemeal approach results in a tangled web of supporting technology that requires a huge business case to unwind - one that could be difficult to find in the current climate. Additionally, the pace of new demands to meet ever-emerging security threats continues to increase with no end in sight, and retailers must devote resources to their payments infrastructure for maintenance, rather than looking into innovations.”
In the industry’s struggle to secure non-cash payment forms, every solution is relative to the last, greatest threat. Perhaps it’s time for the players in the payment ecosystem to pull out a blank piece of paper and brainstorm the question, “What’s the best way to ensure consumers’ security, no matter how they pay for goods and services?” But when having that conversation, all the participants should be represented – and that means the consumer too. Organizing such a conversation would definitely require a higher power. Perhaps instead of only cooperating on international data theft law enforcement, governments should cooperate on international data theft prevention. In these days of small-government sentiment, such a recommendation might seem out of step with the general public mood.
But as Grandma used to say, “An ounce of prevention is worth a pound of cure!”