May 5, 2007

Yesterday’s front-page Wall St. Journal article about TJX (“How Credit Card Data Went Out Wireless Door”, May 4, 2007) takes a disappointing, though expected, turn at the end. Referring to proposed credit card security legislation, they write: “One bill in Massachusetts would impose full financial responsibility for any fraud-related losses, including costs of reissuing of cards, on companies whose security systems are breached.” The context suggests that by companies, they mean companies that aren’t card-issuing banks, namely downstream entities like merchants (e.g. TJX) and payment processors (e.g. CardSystems).

This sounds great on paper, particularly to an audience whose demographic I’m guessing includes everyone with a vested interest in the banking industry. Who doesn’t get warm fuzzies when they read about financial slackers being legislated into good behavior?

But who exactly are the credit card security slackers? I’d bet my bottom blue chip dollar that it’s the same slackers who slack in other crucial parts of their business. Some merchants slack. Some payment processors slack. (For instance, those who in 2004 themselves didn’t comply with PCI/DSS, at the same time they were enforcing compliance upon their downstream merchants.) And, in breaking news, some banks slack.

None of this is about security. It’s about pushing liability for credit card fraud as far downstream as possible. Card issuers have been pining to do that for decades, and they’re using PCI/DSS as a political means to do it. In a crafty move, they’ve even created a new downstream tributary: PCI/DSS auditors. Auditors see it coming.

Card issuers ought to be more careful about this. For one, nobody has secure technology. (For the zillionth time, security is an abstract concept; all tangible technology can be penetrated.) When enough issuers have been penetrated, the very integrity of PCI/DSS will be undermined. That means liability shifts upstream again. For two, merchants - the majority of whom are not slackers - already shoulder a huge fraud burden. If they’re forced to carry a lot more, they’ll have no choice but to also start shoving downstream. And the only thing downstream from merchants is card holders.

Don’t get me wrong. Liable parties should be held accountable. PCI/DSS should exist. It’s a great standard, simultaneously pragmatic and lofty, as I can attest from driving compliance efforts at Amazon.com.

The truth of the matter is, there are really good ways to fix the weakest links in credit card security. And the card issuers have got to be losing sleep over it, since some of them are downright simple and affordable relative to complying with PCI/DSS. Problem is, those solutions transfer virtually all of the liability off merchants and onto themselves.

Smart merchants will eventually figure some of these solutions out, band together, and do something about it. Merchants, here’s a hint: you don’t really need to know my credit card number.

By Larry J. Hughes, Jr. • Articles

2 Responses to “The Politics of PCI/DSS”

  1. Matt Davis Says:

    Nice article. If it’s OK, we would like to reference your article on our website. Also, if an article ever needs to be written about a Security Managed Cost Reduced Network Security company that helps solve over 80% of PCI DSS, we’re your company!

  2. PCI DSS Says:

    There’s an interesting whitepaper by GFI that really breaks down PCI DSS and makes the directive much easier to digest: http://www.gfi.com/whitepapers/pci-dss-made-easy.pdf
