It may surprise a few people, but I’m just not worried about my credit card being stolen. In fact, I refuse to worry about it.
That may sound like heresy for someone who is supposed to know a little bit about information security.
Yes, my wife and I shop at Target and Home Depot and TJMaxx, all of whom have had major, highly-publicized security breaches involving stolen credit card information. We shop in person and online at numerous additional retailers, most of whom, I assume, store my credit card information somewhere in their IT shops.
But I still refuse to worry about my credit card being stolen.
Each time there is a high-profile event, the media goes berserk talking about the large numbers of stolen credit cards. They breathlessly interview experts about how a person can protect their credit card information. The experts talk about canceling your credit cards right away if you think yours has been stolen. Invariably there are discussions online about how at risk our credit card information is.
This scares a lot of people, not just little old (and not so old) ladies like my 80-year-old mother, who was quite concerned about the Target breach a little over a year ago. In addition to general fear and angst, the way the media talks about stolen credit cards has led some people to refuse to use credit cards online!
I’m here to tell you that the fear and angst is largely misplaced!
Saying that I have no worry about stolen credit card information is only a slight exaggeration. I do worry about the hassle of having to get a new credit card and updating all of my online bill payments. Other than that, though, I sleep pretty well at night.
I sleep well because I understand the concept of security risk. Risk has two components.
- The first is probability — in this case the probability that a loss will occur.
- The second is the size of the loss. Loss is measured in dollars. How much will it cost you should a particular event occur resulting in a loss?
Calculating risk from these two components (for our purposes) is done by multiplying the probability of a loss by the estimated dollar size of the loss.
Let’s Do the Math
Let’s apply this concept to the risk associated with someone stealing your credit card. I’m not sure of the exact probability of a specific credit card being stolen and used fraudulently, but as we are about to see, it doesn’t matter.
I feel fairly confident that the actual probability of any one specific credit card being stolen and successfully used for fraudulent purchases is probably less than 1%. However, for the sake of this exercise, let’s just assume that it is 75% or even 100%.
How much might a stolen credit card cost you personally? By law, the most it can cost you is $50! This is often left out of the media hype or quickly mentioned at the very end of a story.
In practice, most folks never even have to pay the $50.
Credit card companies don’t want consumers to reduce or stop their usage of credit cards. Retailers want to avoid the potential of making customers even angrier because they’re out $50 in addition to the hassle associated with having a credit card stolen. So the credit card companies, issuers, and the retailers tend to work out agreements on who pays how much of the fraudulent usage charges, including the $50 consumers are legally liable for.
Therefore, you can reasonably expect your out-of-pocket cost to be $0.
100% probability × $0 loss = 0
In other words, the financial risk of having my credit card stolen is essentially…nothing!
But Shouldn’t We DO Something?
As mentioned before, there is a cost for my time and frustration associated with canceling and getting a new credit card. That’s why I am careful not to leave my credit card out in the open, to ensure I use only SSL connections when purchasing online, and so on. But any effort to mitigate risk beyond these common-sense things is not worth the hassle.
Why? The probability of loss is primarily associated with a business’s credit card database being stolen, so anything else I might do would have little or no impact on probability of loss. The cost to me of a loss is already virtually zero. Therefore, there is essentially no benefit in doing anything more.
The Risk for Businesses
On the other hand, the risk is higher for businesses that accept credit cards, whether or not they process the transactions themselves.
It’s even higher if they store credit card information.
Nefarious individuals aren’t interested in stealing a single credit card. They want the big haul. The pot at the end of the rainbow. They want databases with millions of credit card numbers. Therefore, the probability of a business being attacked and suffering a security breach resulting in the loss of all credit card information is relatively high. Certainly much higher than it is for any individual.
Combine that with the potential cost associated with a successful breach, and now you’re talkin’ some big bucks!
Legal costs alone will probably be in the millions of dollars depending on the number of cards stolen. Add to that the cost of covering at least a percentage of the fraudulent purchases, plus identity theft insurance and free credit card monitoring for each customer whose data was stolen.
I saw various estimates of the cost to Target in the $150 million range.
But our personal credit cards are a completely different story. Hopefully I’ve made the case for why no individual should get too worked up about the possibility of having personal credit card information stolen.
I know I don’t lose any sleep over it.