I recently ran across an excellent post on this topic. Its point is that even though Reg. E does not currently treat corporate and municipal accounts the same as consumer accounts, they do, in fact, pose the same risk to the financial institution. As the original post on Krebs’ site points out, why should the proposed changes to Reg. E stop at municipalities? Corporate accounts are being targeted as well, and recent corporation vs. FI court cases are being decided (or quietly settled) in favor of the corporation. FIs would be wise to regard remote capture devices and ACH/Wire origination devices as de facto extensions of their own network. Once the true risk of these remote devices is understood, how many FIs would find the residual risk acceptable?
The only alternative is to implement additional controls (beyond a strong contract) designed to educate the customer on security basics and to monitor the security status of their devices.
Safe Systems has addressed this here, and plans to add FI and merchant training to the package in the near future.