Radical Ideas to Make Credit Card Payments More Secure
Credit card approvals aren't fully secure, because the information those approvals rely on -- cardholder names, card numbers and expiration dates -- is static and relatively easy to collect.
Focusing on making the approval process itself less vulnerable might be more effective than asking consumers, processors, or merchants to guard confidential, static cardholder details.
The Challenge Is Static Information
"The primary purpose of card payment protection is to make sure that payments authorized by the account holder are permitted," said Richard J. Sullivan of the Federal Reserve Bank of Kansas City at the 2010 Workshop on the Economics of Information Security at Harvard University. "Vulnerabilities exist in the card payment approval process, however, that enable criminals to produce fraudulent card payments. Each one of these vulnerabilities is associated with one underlying cause of card payment fraud: an information-intensive payment approval procedure. Criminals have started concerted efforts to collect and exploit this information, particularly by targeting electronic records."
At the moment, the payment card business relies on static, unchanging information to make payment approval decisions. This includes verifying the card number and the cardholder, and confirming that the cardholder legitimately intends to make the purchase.
The authentication part of the approval procedure might use a security code printed on the card, a PIN, or additional information such as a postal code or billing address. Unfortunately, even a not-so-clever thief can obtain all of this information by stealing a wallet. In effect, the payment card industry (PCI) has made every customer accountable for the security of electronic payments: if you lose your wallet, it is your fault that criminals can access your debit or credit card accounts.
Likewise, if a payment processor's or merchant's system is breached and tens of thousands of payment card numbers are lost, a criminal need only combine Facebook profile information with the card numbers to defeat current PCI security. And bear in mind that this does not necessarily mean a network being hacked: some 27 percent of payment card information losses at processors or merchants are caused by stolen computers, based on data from the Open Security Foundation. By comparison, just 16 percent are caused by somebody hacking the network.
In the example above, the PCI Security Standards Council would normally hold the processor or merchant responsible for losing the vulnerable data, rather than addressing the underlying problem that the data is vulnerable in the first place.
"The common underlying cause of the vulnerabilities is an information-intensive payment approval process, and this reliance on information is growing," said Sullivan. "For instance, online payment approval has enabled automated checks against wider collections of data, like a cardholder's zip code or transaction history. More information will normally result in a more precise approval decision, which gives card issuers (and merchants) an incentive to continuously expand the information on which they rely. Criminals also have powerful incentives to collect and use this identical information to commit fraud. The incentives of both of these groups result in an escalating cycle which contributes more resources on each side to protect or to undermine data."
In the long run, this is a race that criminals will win. So long as the data used in the approval process is static (unchanging) and stored, it can and likely will be compromised.
A Radical Change in Payment Card Security Is Needed
The payment card industry, and the merchants that support it, need to refocus their attention not on trying to protect card numbers but on making the approval process less vulnerable. It shouldn't be a merchant's or a customer's responsibility to safeguard the card information; instead, the information used should be inherently secure.
Ideally, payment card numbers should be safe to publish: a customer should be able to paste a card number on a billboard without a thief being able to use that information to make unauthorized purchases.
Ever-Changing Card Numbers
One approach is to use ever-changing or disposable card numbers. Some banks already issue disposable card numbers for online purchases. The idea is that the card number is valid only for a relatively brief window of time, say an hour. Even if it were stolen, it would be difficult to exploit the card number within that time constraint.
Combining the technology behind Dynamics Inc.'s powered cards with something like the Secure Remote Password protocol -- or similar -- the notion of putting ever-changing card numbers into or onto a physical credit or debit card is entirely feasible with no advance in technology and, by some estimates, with relatively less investment than continuing the static-information arms race that Sullivan describes.
Dynamic Pins or Security Codes
Remembering that the problem is that approval information is static and relatively simple to collect, another approach is to use dynamic PINs or security codes. Again, these codes change constantly and are limited in how long they remain valid.
Algorithms can be used to generate PINs concurrently at the point of sale and for the cardholder, and the two PINs can then be compared. After 30 minutes, a new PIN would be required.
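As an added illustration that is not part of the original article, the following Python sketch shows how the dynamic PINs of this section and the hourly disposable card numbers of the previous section could both be derived from a secret shared between the card (or phone) and the issuer, plus the current time. It uses an HMAC-based, TOTP-style construction as an illustrative stand-in for the Secure Remote Password protocol and the proprietary powered-card technology mentioned above; the secret, timestamps, BIN prefix, window lengths and function names are all assumptions made for the example. The issuer-side checks show the defensive property the article is after: a captured PIN or card number is useless once its window has passed, and a PIN cannot be replayed inside the window either.

```python
import hashlib
import hmac
import struct

# Validity windows assumed for the example (the article suggests about 30 minutes
# for a dynamic PIN and about an hour for a disposable card number).
PIN_STEP_SECONDS = 30 * 60
CARD_STEP_SECONDS = 60 * 60


def _hmac_counter(secret: bytes, counter: int) -> bytes:
    """HMAC-SHA256 over the big-endian time-step counter (HOTP/TOTP-style)."""
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()


def _digits_from_digest(digest: bytes, digits: int) -> str:
    """Dynamic truncation as in RFC 4226: take 4 bytes at an offset given by the last nibble."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def dynamic_pin(secret: bytes, unix_time: int, step: int = PIN_STEP_SECONDS) -> str:
    """6-digit PIN that the cardholder's device and the issuer derive independently."""
    return _digits_from_digest(_hmac_counter(secret, unix_time // step), 6)


def verify_pin(secret: bytes, presented: str, unix_time: int, used_counters: set,
               step: int = PIN_STEP_SECONDS, skew: int = 1) -> bool:
    """Issuer-side check: accept the current window plus `skew` neighbouring windows
    (clock drift), and refuse a replay of a window that has already been redeemed."""
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        candidate = _digits_from_digest(_hmac_counter(secret, counter), 6)
        if hmac.compare_digest(candidate, presented):
            if counter in used_counters:
                return False  # same PIN presented twice inside its window
            used_counters.add(counter)
            return True
    return False  # no window within the allowed skew produces this PIN


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def disposable_card_number(secret: bytes, unix_time: int, step: int = CARD_STEP_SECONDS,
                           bin_prefix: str = "400000") -> str:
    """16-digit number: fixed 6-digit BIN for routing, 9 time-dependent digits, Luhn check digit."""
    body = _digits_from_digest(_hmac_counter(secret, unix_time // step), 9)
    partial = bin_prefix + body
    return partial + luhn_check_digit(partial)


def verify_card_number(secret: bytes, presented: str, unix_time: int,
                       step: int = CARD_STEP_SECONDS, skew: int = 1,
                       bin_prefix: str = "400000") -> bool:
    """Issuer-side check of a disposable number: well-formed, and derived from a recent window."""
    if len(presented) != 16 or not presented.isdigit() or not luhn_valid(presented):
        return False
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        expected = bin_prefix + _digits_from_digest(_hmac_counter(secret, counter), 9)
        expected += luhn_check_digit(expected)
        if hmac.compare_digest(expected, presented):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-a-real-key"  # constructed for the example
    t = 1_700_000_000                                   # constructed timestamp
    pin = dynamic_pin(secret, t)
    used = set()
    print("PIN now:", pin, "accepted:", verify_pin(secret, pin, t, used))
    print("same PIN replayed a minute later:", verify_pin(secret, pin, t + 60, used))
    print("same PIN two hours later:", verify_pin(secret, pin, t + 4 * PIN_STEP_SECONDS, set()))
    card = disposable_card_number(secret, t)
    print("disposable number:", card, "valid now:", verify_card_number(secret, card, t))
    print("valid next day:", verify_card_number(secret, card, t + 24 * 3600))
```

The design choice worth noting is that nothing stored at the merchant or processor is useful beyond the window: the only long-lived secret lives in the card (or phone) and at the issuer, which is exactly the shift from protecting information to inherently secure information that the article argues for. The skew parameter trades a little extra exposure for tolerance of clock drift between the card and the issuer, and the used-counter set is what turns "valid for 30 minutes" into "valid once within 30 minutes".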
Do Away With Cards
It might also make sense to use mobile devices or biometrics -- the use of physical characteristics such as facial features, voice, or retinal scans -- in combination with dynamic, PIN-generating systems, to eliminate cards and card numbers from the equation entirely.
Summing Up
This guide has sought to (1) explain that payment cards will never be truly secure so long as the approval process depends on static data; (2) argue that a radical refocusing from information security to secure information is required; and (3) show that the technology exists now to inject dynamic data into the payment approval process.
It is also worth noting that the PCI Security Standards Council will most likely need to be pressured into radically altering its focus, because it has almost no incentive to take responsibility for making cards secure when it can simply require customers or merchants to safeguard the information.
"Slow adoption and disputes within the design of the PCI DSS imply that development of this standard is just one-sided, favoring issuers over merchants," Sullivan said, noting that this was a concern for policy makers because the standard's one-sided approach undermines overall payment card security.