PetManimal writes "A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the author of the last article, it's a good thing:
"The main reason PCI exists is that there are tens of thousands of merchants who don't understand the basics of information security and weren't even taking the very minimum steps to secure their networks and the credit card information they stored.
... PCI pushes that burden downstream and forces merchants to take on a preventative role rather than a reactive role. They have to put in a properly configured firewall, encrypt sensitive information and maintain a minimum security stance or be fined by their merchant banks. By forcing this to be an issue about prevention rather than reaction, the credit card companies have taken the bulk of the financial burden off of themselves and placed it on the merchants, which is where much of it belongs anyways.