If you read tabloid newspapers, you’re probably used to journalists working themselves–and their readers–up into frenzies on the slimmest of excuses. But you expect the somewhat more sober ladies and gentlemen of the fourth estate who write for some of the nation’s (and the world’s) greatest papers to be immune to the temptations of sensationalism.

Not so, it seems. Because The New York Times, The Washington Post and The Modesto Bee (no, really) all carried stories about the recent hacking of Citi’s credit card account database that could have come from Harold “the-end-of-the-world-is-nigh” Camping’s pen.

Credit card companies highly secure

So let’s try to put this story into perspective:

1. Only about 1 percent of Citi’s customers were affected: roughly 200,000 people out of the estimated 154 million Americans who have credit cards.
2. Citi says that only names, account numbers and contact information such as email addresses were potentially compromised.
3. Customers’ social security numbers, dates of birth, and card expiration dates were not accessed.
4. Critically, card verification value (CVV) numbers (the three digit code on the signature strip that is usually required for “card not present” transactions) were also not accessed.
5. Fraudsters lacking a card, an expiration date and a CVV are unlikely to get very far.
6. Even if someone did manage to charge a transaction to your card, your liability is capped by law at $50, and, in reality, it seems inconceivable that Citi wouldn’t fully compensate you.
7. Citi says that it “has implemented enhanced procedures to prevent a recurrence of this type of event.”
8. It is also issuing new cards to those at risk.

Credit card regulation rears its head

On Thursday, The New York Times described a number of legislators as “outraged” by the Citi hacking, and reported that some are planning new credit card regulations that would enforce higher standards of security across the industry. Now, this blog is generally–though by no means invariably–supportive of regulation when it protects the interests of vulnerable holders of credit cards. But how sensible would it be to use the law in this instance?

To start with, it’s credit card companies, rather than consumers, that are more likely to be the victims of hacking. They’re the ones whose money is on the line. And, secondly, it’s tough enough to draft laws that have definable goals without trying to legislate for the vague aspiration of improving anti-hacking measures.

With IT security being a cat-and-mouse game that’s constantly played at dizzying speeds, successfully creating an act of Congress to address the issue is likely to prove about as effective as a drunk trying to contain a vodka spill by encircling the rapidly spreading puddle with thumb tacks. That mixed metaphor is, of course, based on the premise that dizzy and drunk cats can use thumb tacks, which seems unlikely given that, if they could, Mark Burnett would most certainly have already snapped up the concept’s reality television rights.

Credit report monitoring

None of this is intended to understate the importance of foiling identity thieves by keeping personal information as secure as possible. However, it may be that you’re much more vulnerable to such theft through your own careless use of your cards and personal information than through your credit card companies being victims of hacking incidents. If you haven’t already, read “10 ways to avoid being a victim of credit card crime” for key strategies to protect yourself.

In particular, those who are nervous of identity theft can consider closely monitoring their credit reports on a continuing basis through services such as Equifax Credit Watch Gold with Score Power and TransUnion-Three Bureau Credit Monitoring. These can alert you to a threat before it becomes too serious, and are likely to be way more effective than any new credit card regulation that Congress can devise.

Published 06/13/11 (Modified 04/20/12)