The rash of credit card breaches over the past couple of years should serve as a wake-up call that credit card issuers need to step forward and address the need to protect customer information in the US.
A proven way to reduce Card Not Present (CNP) fraud and card cloning is already in everyday use in other countries: smart cards (EMV chip-and-PIN cards). That option is not available to American consumers, merchants or credit card processors because the U.S. government has not mandated that card issuers deploy it.
The current security and liability environment for merchants and credit card processors is a classic Catch-22. Conflicting agendas have created an insecure financial environment for credit card processing. Card issuers can shift liability for fraud losses onto merchants and processors, even though the issuers are the party best positioned to stop almost all losses due to fraud and account disclosure.
Because card issuers are not liable for losses that stem from the use of static cards (magnetic-stripe cards whose account data never changes, and which are cheaper than smart cards), they have chosen not to modernize their card infrastructure. That decision punishes merchants and processors (the Heartland breach a couple of years ago is the perfect example) that are almost powerless to protect what cannot be protected: static credit card numbers and CVV2 codes (the three- or four-digit security code printed on the card).
The “Hope” Strategy
Every day merchants and processors hope criminal hackers won't target them, knowing that if hope runs out they will pay for the breaches, even though no fundamental solutions exist to help them fight back. Credit card issuers don't care about the cost of compromised cards because they can simply fine others with arbitrary judgments and without government oversight. Meanwhile, smart card technology could make stolen card data useless for most of these attacks.
A smart card computes a unique, one-time cryptogram for each transaction: a keyed MAC over the transaction details and a counter that the chip increments every time it is used, computed with a secret key that never leaves the chip. The issuing bank recomputes the cryptogram and checks the counter, so data captured from a processor or merchant cannot be reused: the same cryptogram presented a second time, or attached to a different amount, fails verification. The card is also locked with a PIN, so the physical loss of a card is close to a non-event. The transaction data should ideally be encrypted in transit, but even if it is not, the data stream is only good for one transaction. One caveat a practitioner will want to note: the cryptogram only protects transactions in which the chip is actually read. A CNP purchase keyed in with the card number, expiry date and CVV2 carries no cryptogram unless the issuer also provides a reader-based or token-based authentication step, so the chip alone stops cloning and counterfeit card-present fraud rather than every form of CNP fraud.
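The following is an added illustration of the one-time cryptogram and counter check described above; it is not code from the original post and is only loosely modeled on EMV's Application Cryptogram, with HMAC-SHA256 standing in for EMV's DES/AES MAC and derived session keys. The card, the issuer host, the PAN, the PIN, the merchant IDs and the captured request are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample card. In EMV the per-card key is derived from an issuer
# master key and personalised into the chip; here it is just random bytes.
CARD_PAN = "4111111111111111"   # standard test PAN, not a real account
CARD_KEY = os.urandom(16)
CARD_PIN = "4929"


def _cryptogram(key, pan, atc, amount_cents, merchant_id, unpredictable_number):
    """MAC over the transaction data plus the card's transaction counter (ATC).

    Including the ATC means the same amount at the same merchant produces a
    different cryptogram every time, so a captured value cannot be replayed.
    """
    msg = f"{pan}|{atc}|{amount_cents}|{merchant_id}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]   # 8-byte AC, as in EMV


@dataclass
class ChipCard:
    pan: str
    key: bytes          # never leaves the chip; the terminal only sees the MAC
    pin: str
    atc: int = 0        # application transaction counter
    pin_tries_left: int = 3

    def authorize(self, pin, amount_cents, merchant_id, unpredictable_number):
        """Return the authorisation request the terminal would forward to the issuer."""
        if self.pin_tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin, self.pin):
            self.pin_tries_left -= 1
            raise PermissionError("wrong PIN")
        self.pin_tries_left = 3
        self.atc = (self.atc + 1) & 0xFFFF   # EMV's ATC is a 16-bit counter
        ac = _cryptogram(self.key, self.pan, self.atc, amount_cents,
                         merchant_id, unpredictable_number)
        return {"pan": self.pan, "atc": self.atc, "amount_cents": amount_cents,
                "merchant_id": merchant_id, "un": unpredictable_number,
                "cryptogram": ac.hex()}


class IssuerHost:
    """Hypothetical issuer back end: holds card keys and the last ATC seen per card."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enrol(self, pan, key):
        self.keys[pan] = key

    def verify(self, req):
        key = self.keys.get(req["pan"])
        if key is None:
            return (False, "unknown card")
        expected = _cryptogram(key, req["pan"], req["atc"], req["amount_cents"],
                               req["merchant_id"], req["un"])
        if not hmac.compare_digest(expected, bytes.fromhex(req["cryptogram"])):
            return (False, "bad cryptogram")            # data altered or wrong key
        # Strictly increasing ATC. Real issuers tolerate gaps (offline approvals)
        # but never accept a counter value they have already seen.
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return (False, "replay: ATC not increasing")
        self.last_atc[req["pan"]] = req["atc"]
        return (True, "approved")


def run_scenario():
    """Genuine purchase, then two attacks using data captured from the processor."""
    issuer = IssuerHost()
    issuer.enrol(CARD_PAN, CARD_KEY)
    card = ChipCard(CARD_PAN, CARD_KEY, CARD_PIN)
    results = {}

    req = card.authorize(CARD_PIN, 4999, "MERCHANT-42", 0x1A2B3C4D)
    results["first"] = issuer.verify(req)                 # legitimate transaction
    results["replay"] = issuer.verify(req)                # attacker resends captured data
    results["tampered"] = issuer.verify(dict(req, amount_cents=99))  # attacker edits amount
    results["second"] = issuer.verify(                    # cardholder's next purchase
        card.authorize(CARD_PIN, 1250, "MERCHANT-7", 0x5E6F7081))

    for _ in range(3):                                    # PIN guessing blocks the card
        try:
            card.authorize("0000", 1, "MERCHANT-7", 1)
        except PermissionError:
            pass
    try:
        card.authorize(CARD_PIN, 1, "MERCHANT-7", 2)
        results["blocked"] = False
    except PermissionError:
        results["blocked"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:9s} -> {outcome}")
```

The point of the scenario is that the breached record (the `req` dictionary) is exactly what a merchant or processor would have stored, and it is worthless to the attacker: the issuer rejects the replay on the counter and the altered amount on the MAC, while the cardholder's next purchase still goes through.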
While the industry has embraced PCI-DSS in an effort to safeguard sensitive cardholder data, PCI-DSS unfortunately does not address sophisticated, targeted attacks, nor does it provide any safe harbor for those that implement it.
To protect against sophisticated attacks, organizations that handle card transactions should implement more thorough security strategies and technologies, including network sensors, heuristic traffic analysis, and constant security auditing of systems, traffic and personnel. But even if all of these efforts are undertaken, there is still no safe harbor.
The solution is simple. First, mandate smart card technology for all credit card transactions and bring the US into conformance with other countries in regard to stopping fraud at its source: static credit card numbers.
Second, transfer liability to the credit card issuers, unless the merchant or processor is culpable in the breach due to malfeasance. Culpability should be decided by the courts. Let the government, rather than the credit card issuers, decide whether fining merchants and processors is the correct action.
If the U.S. government were to mandate that credit card issuers are responsible for losses stemming from the use of static credit cards, the transition to smart card technology would follow as a matter of course, and this class of fraud would be eliminated in less than a year.
What’s your opinion on who is responsible for credit card breaches and what can be done to fix the problem? Leave a comment below. You can also follow my company on Twitter: @liebsoft or connect with me via LinkedIn.