Credit cards approvals are not completely secure because the information those approvals rely on — cardholder names, card numbers and expiration dates — is static and relatively easy to gather.
Focusing on making payment approvals less vulnerable may be more effective than asking consumers, processors, or merchants to manage confidential, static cardholder information.
The Problem Is Static Information
“The primary aim of card payment security is to ensure that only payments authorized by the account holder are allowed,” said Richard J. Sullivan of the Federal Reserve Bank of Kansas City at the 2010 Harvard University Workshop on the Economics of Information Security conference. “Vulnerabilities exist in the card payment approval process, however, that enable criminals to make fraudulent card payments. Each of these vulnerabilities is related to one underlying cause of card payment fraud: an information intensive payment approval process. Criminals have begun concerted efforts to collect and exploit this information, especially by targeting electronic records.”
At present, the payment card industry relies on static unchanging information to make payment approval decisions. This includes verifying the card number, the cardholder, and confirming the valid intentions of the cardholder to make the purchase.
The approval-authentication portion of the process might include a security code that is present with the card, a pin number, or additional information like postal code or billing address. Unfortunately, a less than clever thief might gain all of this information by stealing a wallet. So in a sense, the payment card industry (PCI) has made each and every consumer responsible for the security of electronic payments. If you lose your wallet, it’s your fault criminals can access your credit or debit card accounts.
Likewise, if a payment processor or merchant’s network is breached and thousands of payment card numbers lost, a criminal need only marry Facebook profile data with card numbers to thwart modern PCI security. And remember, we are not necessarily speaking about a network being hacked: Some 27 percent of payment card data loses at processors or merchants are the result of stolen computers, according to data from the Open Security Foundation. By comparison only 16 percent are the result of someone hacking the network.
The PCI Security Standards Council, in the example above, would generally hold the processor or merchant responsible for losing the vulnerable data, rather than addressing the problem of data vulnerability.
“The common underlying cause of these vulnerabilities is an information-intensive payment approval process and this reliance on information is growing,” said Sullivan. “For example, online payment approval has allowed automated checks against wider sets of information, such as a cardholder’s zip code or transaction history. More information will generally lead to a more accurate approval decision, which gives card issuers (and merchants) an incentive to continuously expand the data on which they rely. Criminals also have strong incentives to gather and use this same information to commit fraud. The incentives of these two groups results in an escalating cycle that leads to more resources on each side to either protect or to compromise data.”
In the end, this is a race that criminals will win. As long as the information used in the approval process is static (unchanging) and stored, it can and probably will be compromised.
A Radical Change in Payment Card Security Is Required
The payment card industry and the merchants that support it need to refocus attention not on trying to secure credit card numbers, but rather on making the approval process less vulnerable. It should not be a merchant’s or a consumer’s responsibility to protect the card information, rather the information used should be inherently secure.
Ideally, payment card numbers should be able to be published publicly, consumers should be able to paste a credit card number on a billboard, without a thief being able to use that data to make unauthorized purchases.
Ever-Changing Card Numbers
One approach would be to use ever-changing or disposable card numbers. Some banks already issue disposable card numbers for online purchases. The idea is that the card number is only valid for a relative short window of time, say an hour. Even if lost, it would be difficult to exploit the card number given the time constraint.
Combining the technology behind Dynamics Inc.’s powered cards and things like the Secure Remote Password protocol — or similar — the idea of placing ever-changing card numbers into or on a physical credit or debit card is very feasible without any advancement in technology and, by some estimates, relatively less investment than continuing the static-information arms race that Sullivan describes.
Dynamic Pins or Security Codes
Remembering that the problem is that approval information is static and relatively easy to collect, another approach would be to use dynamic pins or security codes. Again these codes would be always changing and limited in terms of how long they were effective.
Algorithms could be used to simultaneously generate pins at a point of sale and to the cardholder. Those pins could be compared. After 30 seconds, a new pin might be required.
Do Away With Cards
It may also be reasonable to use mobile devices or biometrics — such as the use of physical attributes as facial features and voice or retinal scans — in combination with dynamic, pin-generating systems to remove cards and credit card numbers from the equation completely.
This article has sought to (1) explain that payment cards will never be really secure as long as the approval process depends on static information; (2) that a radical refocusing from information security to secure information is required; and (3) that technology exists now to interject dynamic information into the payment approval process.
It is also worth noting that PCI Security Standards Council will probably have to be pressured into radically changing its focus, since it has almost no incentive to take responsibility for making cards secure when it can simply force consumers or merchants to seek to protect information.
“Slow adoption and disputes over the design of the PCI DSS suggest that development of the standard is one sided, favoring issuers over merchants,” Sullivan said, noting that this was a concern for policy makers since the issuers’ one-sided approach undermines ultimate payment card security.