hings are getting dicey in the land of payments. So dicey, in fact, that some folks are raising the specter of government intervention. Legislation is possible; new regulations specifically targeting ISOs and processors are also possible.

Blame it on fraud. Blame it on offshore mobsters. Blame it on greed. It is probably a combination of these, plus a few other factors. The upshot is that people in Washington have taken an interest in the situation, and the mainstream media are pushing panic buttons.

You can bet this new-found attention isn't about to calm down any time soon.

The computer security breach at third party payment processor CardSystems Solutions Inc. and the potential loss of data on upward of 40 million credit and debit cardholders is but one of several security breaches that have attracted public attention this year.

In March, for example, Bank of America Corp. discovered the loss of data related to 1.2 million federal employees who carry SmartPay travel cards, which the bank issues under contract to the federal government. And there are a number of other examples.

But the CardSystems breach was far worse, because the information the cyber-criminals hacked from the company should never have been on its computers in the first place. Card Association rules are clear on this. At least, that's what we've been told.

However, as many are discovering, there hasn't been much enforcement of these rules.

"This incident is a clear sign that industry's efforts to self-regulate when it comes to protecting consumers' sensitive personal data are failing," Sen. Dianne Feinstein (D-Calif.) wrote in letters to executives at the major card brands.

"The fact that hackers could have accessed data on up to 40 million accounts because of a processor's failure to follow your own established rules makes me question the effectiveness and ability of self-regulation by your industry."

Feinstein is one of about a dozen lawmakers to introduce legislation during the current Congress that would set federal standards for disclosing computer breaches involving consumer data (such as Social Security and credit card account numbers).

It's not only Congress taking action, either. California, for example, has established strict steps that companies must take to notify consumers whenever their information is compromised. Other states are considering similar requirements.

Interestingly, although the public discussion of security breaches has intensified these last few months, instances of card fraud are decreasing, no doubt because of technology breakthroughs that make it easier to spot card fraud.

According to data from the four major card brands (Visa U.S.A., MasterCard International, American Express Co., and Discover Financial Services), losses from card fraud totaled about $788 million in 2004, down from $882 million in 2003.To put these numbers in perspective, consider that reported card fraud losses in the United Kingdom (a considerably smaller market than the United States) totaled about $665 million last year.

Of course, there's a huge difference between reported fraud losses and the potential for future losses, both tangible and intangible. Every time a consumer's data are compromised, there's the potential that someone will use that information for nefarious intents; maybe not today or tomorrow, but eventually.

That's why banks and card companies have to scramble to reissue cards when their systems are hacked and account information is compromised.

Banks incur a lot of costs when they reissue cards. Also consider the inconveniences to consumers: How many of us know of at least one person who has been caught without access to their debit or credit card while waiting for a reissued card?

Media scrutiny is also a factor: How many stories have we seen on newscasts or read in newspapers these last few months concerning identity fraud and security breaches?

Litigation, Litigation, Litigation

If all that weren't bad enough, there's the judicial factor: retailers suing banks over interchange, consumers suing the card Associations over issues such as foreign exchange charges, and disgruntled customers suing ISOs.

Let's be realistic. Few people, outside those of us who read publications such as The Green Sheet, even recognize that transaction acquiring and processing are lines of business. Even fewer know that regulated banks have but a small presence in this business.

Given the recent press over security breaches, Congressional action is likely.

In times like these, with an uncertain economy, war, and fears over national security, lawmakers and others in Washington want to show that they can take decisive action. Any action that they can spin as helping out the common folk is good decisive action to take in an election year, and next year is a national election year.

Banks Reasserting Interest

As for banks, they've been grousing for years over how much of the industry's payments franchise has been taken over by nonbanks. Given the situation that's unfolding, it wouldn't be surprising if some banks took the opportunity to get back into merchant acquiring. They might even start squeezing out nonbanks.

And not just big banks. Moneris Solutions, for example, recently announced that it has teamed with Fiserv, a leading provider of back-office processing services to financial institutions, to deliver merchant services through Fiserv's client banks. Most of Fiserv's clients are small to mid-sized community and regional banks.

Moneris, a joint venture of the Royal Bank of Canada and Bank of Montreal, already supports transaction acquiring services at 350,000 merchant locations throughout North America. The company operates from headquarters outside of Chicago.

Under the arrangement, Fiserv client banks can private-label merchant services offerings, as well as pick and choose the payment applications and back-office functions that Moneris supports.

"Program options range from fully outsourced to full-liability," the companies said in a statement released in late July. Stay tuned.

Patti Murphy is Contributing Editor of The Green Sheet and President of The Takoma Group. E-mail patti@greensheet.com .