I totally agree, but I think in this case they are saying it's cheaper for the company, which is what really matters in this context (since they're comparing it to how much the company would pay for security).
I mean, if the company's website gets hacked and your credit card data is stolen, then your card is charged $1,000, it's not the company that pays for it, right? You either talk to your bank to mark the purchase as fraudulent and get the charges reversed, or pay for it yourself (e.g. if it's a debit card).
Perhaps that's the solution though: a way to directly associate fraudulent purchases with security breaches where credit card data has been stolen, and a law that requires the breached party to pay all expenses related to that fraud. That would get all major retailers scrambling to get their shit secured.
Good point about what the article was comparing. I missed that.
I guess I'm just sour that articles like this tend to gloss over what is often the most important impact of a security breach--the end-users' data and privacy--and instead focus on easy-to-report numbers.