Comment by still_grokking
3 years ago
Banks don't have much incentive to invest in IT security. They have insurance.
That's why IT sec all around banking is just the bare minimum required by regulations.
Those sec-specs are also usually at least one decade behind the state of the art… And they get updated only very rarely, as this would cause "a lot of paperwork" at the banks, so the banks are always against any changes to those regulations; and if something finally changes, it takes the banks again at least half a decade to adapt to those changes; they can do it like that as the time windows to comply are usually set to be very long, because, you know, it's really a lot of paperwork…
I suspect it is the credit card companies rather than the banks that have the power to fix this, but yes, the incentives seem wrong.
They have successfully shifted liability for the problem to banks and merchants.
Instead, the innovation has gone into things like Paywave, which reduces payment friction.