Radical Ideas to Generate Credit Card Payments More Secure


Credit cards approvals aren't totally protected because the information these approvals rely on -- cardholder names, card numbers and expiration dates -- is static and relatively easy to collect.

Focusing on making payment approvals less vulnerable might be more effective than asking consumers, chips, or merchants to handle confidential, static cardholder details.

The Challenge Is Static Information

"The primary purpose of card payment protection is to make sure that payments authorized by the account holder are permitted," said Richard J. Sullivan of the Federal Reserve Bank of Kansas City in the 2010 Harvard University Workshop on the Economics of Information Security conference. "Vulnerabilities exist in the card payment approval process, however, that enable criminals to produce fraudulent card payments. Each one of these vulnerabilities is associated with one underlying cause of card payment fraud: an information intensive payment approval procedure. Criminals have started concerted efforts to collect and exploit this information, particularly by targeting electronic records."

Our products:

Magento 2 pos

Bigcommerce pos software

Woocommerce pos app

Shopify pos app

Commercetools Pos

MSI

At the moment, the payment card business relies on static unchanging info to generate payment approval decisions. This includes verifying the card number, the cardholder, and confirming the legitimate goals of the cardholder to make the purchase.

The approval-authentication part of the procedure might have a security code that's present together with the card, a pin number, or additional information like postal code or billing address. Unfortunately, a less than smart thief might obtain all this information by stealing a wallet. In a sense, the payment card industry (PCI) has made each and every customer accountable for the security of electronic payments. Should you lose your wallet, it is your fault criminals can get your debit or credit card accounts.

Likewise, if a payment processor or merchant's system is breached and tens of thousands of payment card numbers dropped, a criminal need only marry Facebook profile information with card numbers to thwart modern PCI security. And bear in mind, we're not necessarily talking about a network being hacked: Some 27 percent of payment card information loses at chips or merchants are caused by stolen computers, based on data from the Open Security Foundation. By comparison just 16 percent are caused by somebody hacking the network.

The PCI Security Standards Council, in the example above, would normally hold the processor or merchant responsible for shedding the vulnerable data, as opposed to addressing the issue of data vulnerability.

"The common underlying cause of the vulnerabilities is an information-intensive payment approval process and this reliance on information is growing," said Sullivan. "For instance, online payment approval has enabled automated checks against wider collections of data, like a cardholder's zip code or transaction history. More information will normally result in a more precise approval decision, which provides card issuers (and merchants) an incentive to continuously expand the information on which they rely. Criminals also have powerful incentives to collect and use this identical information to commit fraud. The incentives of both of these groups results in an escalating cycle which contributes to more resources on each side to protect or to undermine data"

In the long run, this is a race which offenders will win. So long as the data used in the approval procedure is static (unchanging) and saved, it can and likely will be compromised.

A Radical Change in Payment Card Security Is Needed

The payment card industry as well as the merchants that support it need to refocus attention not on attempting to procure credit card numbers, but instead on making the approval process less vulnerable. It shouldn't be a merchant's or a customer's responsibility to safeguard the card info, instead the information used should be inherently secure.

Ideally, payment card numbers need to be in a position to be published publicly, customers need to be able to glue a credit card number on a billboard, with no burglar having the ability to utilize that information to make unauthorized purchases.

Ever-Changing Card Numbers

One approach is to utilize ever-changing or disposable card numbers. Some banks issue disposable card numbers for online purchases. The concept is that the card number is only valid for a relative brief window of time, say an hour. Even if lost, it would be tricky to exploit the card number given the time constraint.

Combining the technology behind Dynamics Inc.'s powered cards and things such as the Secure Remote Password protocol -- or similar -- the notion of putting ever-changing card numbers into or onto a concrete credit or debit card is extremely feasible with no progress in technology and, by some estimates, relatively less investment than continuing the static-information arms race which Sullivan describes.

Dynamic Pins or Security Codes

Remembering that the thing is that approval information is static and relatively simple to collect, another approach is to use dynamic pins or safety codes. Again these codes are constantly changing and restricted in terms of how long they were successful.

Algorithms may be used to concurrently generate hooks in a point of sale and to the cardholder. Those pins could be contrasted. After 30 minutes, a new pin may be required.

Do Away With Cards

It might also be sensible to use mobile devices or biometrics -- like the use of physical features as facial features and voice or retinal scans -- in combination with lively, pin-generating systems to eliminate cards and credit card numbers from the equation entirely.

Summing Up

This guide has sought to (1) describe that payment cards won't ever be really secure so long as the approval process is dependent upon static data; (2) a radical refocusing from information security to secure information is required; and (3) that technology exists now to interject dynamic data into the payment approval procedure.

Additionally it is worth noting that PCI Security Standards Council will most likely need to be pressured into radically altering its focus, because it's almost no incentive to take responsibility for making cards protected as it can simply force customers or merchants to seek to safeguard information.

"Slow adoption and disputes within the design of the PCI DSS imply that development of this standard is just one sided, favoring issuers over merchants," Sullivan said, noting that this was a concern for policy makers because the exemptions' one-sided approach undermines supreme payment card safety.


Comments

Post a Comment

Popular posts from this blog

Payments, Payment Rails and Blockchains and the Metaverse

  Source: https://www.matthewball.vc/all/metaversepayments The Metaverse was positioned throughout this primer as both a successor state for the mobile internet and a platform that allows humans to enjoy leisure, work, and exist in the larger world.   A thriving economy is key to the success of this vision.   And we know what makes for a thriving economy: competition and a constant cycle of disruption/displacement, a large number of profitable enterprises (especially small-to-medium businesses), capital mobility, strong consumer spending. I have discussed the technologies that contribute to this result in Section VI .   But, I neglected to mention one of the most crucial interchange tools and standards: payments rails and related services.   These technologies allow and manage money flow throughout the economy. They also define the "cost of doing business", for all workers and consumers.   They're already a problem battleground for hegemony within the emerging Metaverse.
Read more

Here are 9 reasons why real estate agents fail

  Here are 9 reasons why real estate agents fail One of the most shocking statistics in the real-estate industry is the fact that between 85% and 90% of agents quit within five years.   This means that if you are in a prelicensing group of 10, nine out of the 10 will no longer be in the same industry five years from now.   We have examined the nine most common reasons real estate agents fail and how to avoid them. 1.   Failure to account for upfront expenses Agents in real estate are independent contractors and not salaried employees.   Even if you are employed by a brokerage, this means that you are the sole owner of your business.   This means that, while some brokerages offer perks such as advertising or marketing, most of your expenses must be paid for.   A typical real estate agent will spend an average  $11,500  per year on business expenses. Top performers often spend more.   This includes everything, from leads to insurance, advertising and marketing costs to travel. Real estat
Read more

HOW TO INTEGRATE YOUR POS SYSTEM WITH A WEBSITE

Ecommerce and POS integration was not something many mom and pop retailers gave much thought about 10 or 15 years back. Today, it's something all retail store owners need to take into consideration if they want to bring their business to the next level. If you're strictly a brick and mortar store, make this year the year you begin your online store. With worldwide ecommerce sales expected to reach more than $4 trillion by 2020, there's no reason why some of that money can not be yours. Especially when technology has made it simpler and less expensive than ever to have an online presence and webstore to support your physical one. Ecommerce and POS integration can look like a lot of technical nonsense that leaves retailers like you scratching your head in confusion, but it's not. Simply put, an integration is a term used to describe the way two different businesses locate a shared communication path and combine their respective technologies to create a more comprehensiv
Read more