When your credit card is stolen, the terrorists win!
“In his 2002 autobiography, the Bali nightclub bomber specifically referred to online credit card fraud and carding as a means to fund terrorist activities, and encouraged his followers to use this method to obtain financing,” said Chairwoman Yvette Clarke (D-NY) during a March 31, 2009 Homeland Security Hearing “Do the Payment Card Industry Data Standards Reduce Cybercrime?”
For those of you not up on your Payment Card Industry (PCI) security standards, it’s a set of requirements that merchants who accept credit cards must meet in order to continue accepting credit cards. Generally, these include IT best practices (such as keeping software current and running anti-virus), protecting sensitive data (such as encrypting stored credit card numbers) and keeping all facilities physically protected. The requirements are segmented into 12 overall areas with over 200 sub-requirements. Over the years, these requirements have been generally lauded.
The Homeland Security hearing was an open discussion on the effectiveness of these standards. Having had a hand in helping to PCI certify a number of clients (and acting as primary architect for them), I understand how basic these really are – and I understand how easily they could be thwarted. The panel strongly recommended supplementing these requirements, and retailers pushed back equally strongly against being burdened further. (For example, the CIO of Michael’s talked about requirements that all employees sign an attestation of their understanding of the security requirements. This doesn’t make sense for seasonal or transitory retail workforces.)
I’m a strong advocate for more intrusion detection at the system level. But, I suspect fraud mostly occurs at the human level – like most major security breaches. As we continue to fight the overseas contingency action (formerly known as the Global War on Terror), we need to not only protect the economic viability of individuals but the overall safety of our country. So, what can we do to help enforce security?
I think the best solution is to mandate that all payment processors and banks return authorization tokens whenever a credit card is accepted at the point of sale (either on-line or in-store). The retailers should NEVER have to keep credit card information on file (either encrypted or otherwise). In the case of chargebacks (i.e., returns or customers refusing to pay the transaction), the retailer should only have to supply the authorization token to prove that the transaction took place. In 2006, we took this approach with a major on-line retailer using the token service provided by CyberSource. It was more expensive, but it made PCI certification a snap.
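To make the token approach concrete, here is an added illustration (not code from the original post, CyberSource, or any real processor): a hypothetical processor keeps the only copy of the card number in its vault and hands the retailer a random token; the retailer stores the token and last four digits only, and a chargeback is answered by presenting the token. The class and function names, and the test card number, are assumptions for the example.

```python
import re
import secrets


class PaymentProcessor:
    """Hypothetical processor-side token vault: the only place a PAN is kept."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "amount"}; never leaves the processor

    def authorize(self, pan, amount_cents):
        # The token is random, so it cannot be reversed to the PAN without this vault.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = {"pan": pan, "amount": amount_cents}
        return {"token": token, "last4": pan[-4:], "approved": True}

    def lookup_for_chargeback(self, token):
        # Proof that the transaction took place, keyed only by the token.
        rec = self._vault.get(token)
        return None if rec is None else {"last4": rec["pan"][-4:], "amount": rec["amount"]}


class Retailer:
    """Merchant side: persists only what the processor returned, never the PAN."""

    def __init__(self, processor):
        self.processor = processor
        self.orders = {}  # order_id -> {"token", "last4", "amount"}

    def checkout(self, order_id, pan, amount_cents):
        auth = self.processor.authorize(pan, amount_cents)
        # The PAN is discarded here; only the token and last four (for receipts) are stored.
        self.orders[order_id] = {"token": auth["token"], "last4": auth["last4"], "amount": amount_cents}
        return auth["token"]

    def dispute_evidence(self, order_id):
        # For a chargeback the retailer supplies the token, nothing more.
        return self.orders[order_id]["token"]


PAN_RE = re.compile(r"\b\d{13,19}\b")  # 13-19 digit run, the shape of a full card number


def stored_pans(retailer):
    """Audit check: return any full card numbers found in the retailer's records."""
    return [v for order in retailer.orders.values()
            for v in order.values() if isinstance(v, str) and PAN_RE.search(v)]
```

The audit check is the point: a breach of the retailer's order store yields tokens that are useless without the processor's vault.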
The big advantage to this approach is that the retailers don’t have the burden of all the PCI requirements. I’m sure that many of them fail to detect intrusions and/or keep a sufficiently secure environment (including keeping employees’ hands off card data!). Only the payment processors or banks would need to keep the secure environments, and, in the case of a breach, only one company would need to understand the scope of the intrusion to alleviate the economic exposure.