The comments followed the jailing of former IT engineer Sunil Mahtani last week after he was found guilty of masterminding the largest credit card fraud scam investigated in the UK so far.
Mahtani stole more than £2m, by downloading details of nearly 9,000 credit cards while working for a ticket-processing firm and then encoding the details onto cloned credit cards to fund hundreds of illicit shopping trips.
The case is one of many “wake-up calls” that companies have ignored, so legislation is necessary, said Avivah Litan, vice-president of the financial services group at Gartner.
“The’ big stick’ seems to be the only answer,” she said. “They should punish service providers which let financial information be compromised, whether that is the merchant, payment processing firm or other third party.”
The credit card providers are not blameless. With some “pretty basic security measures”, the fraud would have been easily avoided, she said.
“Simply encrypting the data on the cards would have prevented this case,” Litan said. “All the big credit card companies have security policies, but they are just not enforcing them.”
Recent US research revealed that the number of victims of identity theft in 2002 was 81% higher than the previous year, and the number of incidents reported so far this year suggests that this will continue to grow.
The survey, from consultancy Harris Interactive, said that more than 13 million Americans have fallen victim to identity theft or fraud since January 2001.
Although 62% of the victims did not incur any cost, 38% did have out-of-pocket expenses. The average cost for such victims since 2001 was $740 (£459).