Credit card data security: Who's responsible?
About a year ago security at Heartland Payment Systems Inc. was breached and information affecting more than 100 million credit cards was stolen. Was it Heartland's fault, or should the credit card companies shoulder more of the responsibility?
Phil Lieberman, CEO of Lieberman Software, argues that Heartland met its legal obligations and the breach was not the company's fault, but rather due to the lack of smart card technology, which credit card issuers refuse to issue in the United States.
Henry Helgeson, CEO of Merchant Warehouse, argues that it's the job of merchant account providers like his company (and Heartland) to take the security measures necessary to prevent breaches, but that enhancing existing cards could help.
Last year's infamous Heartland breach should be a wakeup call that it is time for credit card issuers to step up and address the security issue that exists in this country with respect to protecting customer information.
A perfectly good solution is being used in other countries to minimize Card Not Present (CNP) fraud and card cloning: smart cards. This solution is not available to American consumers, merchants or credit card processors because card issuers have not been mandated by the U.S. government to implement it.
The current environment for both merchants and credit card processors with respect to security and liability represents a Catch-22. A perverse set of conflicting agendas and disproportionate power has created an insecure financial environment for credit card processing. Card issuers are able to transfer all liability for credit card losses to merchants and processors even though they have the ability to stop almost all losses from fraud and account disclosure.
Because card issuers are not liable for losses that stem from their use of static cards (which are much cheaper than Smart Cards), they have chosen not to modernize their card infrastructure. That punishes merchants and processor companies such as Heartland, which can do nothing to protect what cannot be protected: static credit card numbers and static CVV codes (the three- or four-digit numbers printed on the card).
For the merchants and processors, the lack of investment in Smart Card technologies by card issuers has left everyone with the unsound security strategy of "hope".
Every day merchants and processors hope criminal hackers don't target them, their systems, or their employees, knowing that if hope runs out they will pay for any breaches, even though no fundamental and permanent solutions are available for them to fight back. The credit card issuers don't care about the cost of compromised cards because they can simply fine everyone else with arbitrary judgments and without government oversight.
In the case of the Heartland breach, where intruders hacked into the systems used to process 100 million payment card transactions per month for 175,000 merchants and recorded credit card and CVV numbers from an internal data stream, Smart Card technology would have rendered the whole endeavor useless.
Smart Cards generate unique one-time-only responses to financial transaction requests from the banks that issue the cards, so the data stolen would no longer be valid. The cards are also locked with a PIN code, so even the physical loss of cards is a non-event. The data transmitted should be encrypted, but it does not have to be because the data stream is only good for one transaction. Attempts to use the same data a second time simply do not work.
While the industry has embraced the PCI-DSS security standards in an effort to safeguard sensitive customer credit card information, unfortunately PCI-DSS does not deal with sophisticated attacks, nor does it provide any sort of safe-harbor for those that implement it.
To protect against sophisticated attacks, all organizations conducting credit card transactions must implement more complex security strategies and technologies, such as network sensors and heuristic traffic analysis, and conduct constant security auditing of their systems, traffic and personnel. And even if all of these efforts are undertaken, there is still no safe harbor.
The solution to Heartland-type problems is simple. First, mandate Smart Card technology for all credit card transactions and bring the United States into conformance with all other countries with respect to stopping fraud at its source: static credit card numbers.
And second, transfer the liability back to the credit card issuers unless the merchant and processor are culpable in the breach due to malfeasance. Culpability should be decided by a court of law. Let the government, not the credit card issuers, decide whether fining merchants and processors is the correct course of action. This will remove the perverse incentive system that allows credit card issuers to run insecure systems and transfer their liabilities to others.
If the U.S. government were to mandate that credit card issuers be responsible for losses due to fraud that inherently stems from the use of static credit cards, the transition to Smart Card technology would be a de facto decision and this type of crime and liability would be eliminated in less than a year. Until the government mandates a change in liability and an improvement in technology, the beating of the innocent (Heartland and others) will continue.
Lieberman is president & CEO of Lieberman Software, which provides privileged identity management and security management solutions that automate IT administration tasks, increase control over computing resources, reduce vulnerabilities, improve productivity and help ensure regulatory compliance. He can be reached at firstname.lastname@example.org.
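The one-time-response mechanism Lieberman describes, as an added illustration that is not code from the article or from any card network: a deliberately simplified stand-in for EMV-style transaction cryptograms. The card holds a key shared only with its issuer, keeps an application transaction counter (ATC), and authenticates each transaction with an HMAC over (ATC, amount, terminal nonce); the issuer refuses any cryptogram whose ATC does not advance. Beside it, a magstripe-style authorizer shows why a captured static PAN and CVV keep working. The keys, PAN, amounts and "captured stream" are all constructed here.

```python
"""Toy model: static card data vs. one-time transaction cryptograms.

Added example, not from the article. The cryptogram scheme is a simplified
stand-in for EMV transaction cryptograms (HMAC-SHA256 instead of the real
card-network algorithms); all keys and card numbers are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class StaticCardIssuer:
    """Magstripe-style authorization: the PAN and CVV are the whole secret."""
    cards: dict  # PAN -> CVV

    def authorize(self, pan: str, cvv: str, amount_cents: int) -> bool:
        # Nothing ties this request to a particular transaction, so data
        # recorded from the stream is exactly as good as the real card.
        return self.cards.get(pan) == cvv


@dataclass
class SmartCard:
    pan: str
    key: bytes          # shared only with the issuer, never leaves the chip
    atc: int = 0        # application transaction counter

    def build_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = b"%d|%d|%s" % (self.atc, amount_cents, terminal_nonce.hex().encode())
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce.hex(), "mac": mac}


@dataclass
class SmartCardIssuer:
    keys: dict                                   # PAN -> key
    last_atc: dict = field(default_factory=dict)  # PAN -> highest ATC accepted

    def authorize(self, req: dict) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        # Replay defence: the counter must strictly advance per card.
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False
        msg = b"%d|%d|%s" % (req["atc"], req["amount"], req["nonce"].encode())
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False   # amount, counter or nonce was altered
        self.last_atc[req["pan"]] = req["atc"]
        return True


def demo_static_replay() -> tuple:
    """Captured PAN+CVV reused later: both authorizations succeed."""
    issuer = StaticCardIssuer(cards={"4111111111111111": "123"})  # constructed
    first = issuer.authorize("4111111111111111", "123", 2500)
    replay = issuer.authorize("4111111111111111", "123", 9900)
    return first, replay  # (True, True)


def demo_cryptogram_replay() -> tuple:
    """Captured cryptogram: genuine use passes, replay and tampering fail."""
    key = secrets.token_bytes(16)
    card = SmartCard(pan="4111111111111111", key=key)
    issuer = SmartCardIssuer(keys={"4111111111111111": key})
    req = card.build_cryptogram(2500, secrets.token_bytes(4))
    captured = dict(req)                      # what an intruder on the stream sees
    first = issuer.authorize(req)
    replay = issuer.authorize(captured)       # same ATC again -> rejected
    tampered = dict(captured, amount=9900, atc=captured["atc"] + 1)
    forged = issuer.authorize(tampered)       # MAC no longer matches -> rejected
    return first, replay, forged  # (True, False, False)


if __name__ == "__main__":
    print("static card:", demo_static_replay())
    print("smart card: ", demo_cryptogram_replay())
```

The issuer's state is the point: a monotonically increasing counter per card turns a recorded message into a single-use token, so an intruder reading the processor's internal stream obtains nothing reusable, while in the static scheme the same capture is a working card.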
A data breach at a credit card processing firm causes an enormous amount of financial and brand damage, so it is not necessary to punish the victims further. What the government needs to do is focus its efforts on the criminals and stop villainizing the victims. That said, the government has made it easier to deal with breaches, and companies in our business can and must do a better job of protecting data.
Credit card processing companies work hard to protect data. The Heartland case was unfortunate, but not gross negligence. And when Heartland was breached it certainly had enough problems without having the government fining and penalizing them. But the silver lining is that this and other breaches have pushed the whole industry forward.
Consider the Data Breach Notification Act (S.139), which was introduced in the House on the heels of the Heartland breach and was recently passed. The law requires "all Federal agencies and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information". And it means we have to answer to one regulatory body rather than 51 (all the states and D.C.). If you have to follow 51 sets of regulations, you're spending more time on regulations than you are on developing your business.
And when Heartland went down we all said, "Wow, this can happen to us. We need to lock things down." The good news is there are solutions out there – such as end-to-end encryption – that can help. My company, Merchant Warehouse, was one of the first companies to deploy end-to-end encryption. With E2E encryption, cardholder data is encrypted at the point of swipe, transmitted over the network and securely stored in off-site servers. The data is tokenized, ensuring it is not usable if someone's network is breached.
There is another technology I believe will help tremendously in the future, and that is MagTek's MagnaPrint technology. It is inexpensive, effective and very efficient. It works like this: iron particles are sprayed onto the magnetic stripe on the back of a card in a random pattern, essentially giving each card its own fingerprint.
MagTek says examining the fingerprint and combining that information with the card number makes it possible to identify whether it's the original card or a duplicate. When you combine these two aspects, it is almost impossible for criminals to do anything but steal the actual card. Using the MagnaPrint technology would move us from the criminal that creates mass destruction by hacking in and stealing 100 million card numbers to the petty criminal that's committing face-to-face crime we really can't do anything about.
What haven't caught on in the States are chip-and-pin cards. We tried this technology with several pilot programs, including the Atlanta Olympics in 1996, and it wasn't that successful. One, it's expensive, and two, it takes a massive change: new, more expensive cards have to be issued, merchants need to purchase new hardware, consumers need to change behavior, and the networks and processors, like Merchant Warehouse, need to adapt.
To effectively implement chip-and-pin cards from the issuance to the transactions themselves, you're talking about a massive overhaul of the system.
The reason chip-and-pin cards work well in other parts of the world but not in the U.S. is twofold. First, the U.S. had already accepted MagStripe as the industry standard while other countries were still developing their card infrastructure. And second, telecom in the United States is cheap, ubiquitous and very reliable. Chip-and-pin cards are popular in other parts of the world because they enable you to process transactions in areas where you might not be able to access dial-up.
Credit card processing organizations and merchants, under the Data Breach Notification Act, will now have an easier time in reporting breaches, as they will only need to report to one overseer. It’s now up to the industry to begin adopting the technology available in order to more securely lock down the sensitive, personal information that is transacted every day. Adopting these technologies will allow for more efficient and seamless business and a stronger faith in the financial system.
Merchant Warehouse is a premier provider of merchant accounts and credit card processing solutions.
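The tokenization property Helgeson describes, as an added example that is not code from the article or from Merchant Warehouse: the merchant system keeps only a random token, the processor-side vault keeps the mapping back to the card number, and tokens are built so they can never pass as a real PAN. The PAN is a constructed test value, and the in-memory vault stands in for the off-site store, which in practice holds the PAN encrypted with keys the merchant never sees (not modelled here).

```python
"""Toy tokenization vault: merchant keeps a token, processor keeps the PAN.

Added example, not from the article. Shows why a breached merchant database
full of tokens yields nothing usable as a card number. All card numbers are
constructed test values.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side store. The merchant never holds a reference to this."""

    def __init__(self):
        self._by_token = {}   # token -> PAN
        self._by_pan = {}     # PAN -> token, so repeat swipes reuse one token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Keep the last four digits for receipts; randomize the rest.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must never be a valid card number or collide with
            # an existing token, so reject candidates that pass Luhn.
            if luhn_valid(token) or token in self._by_token:
                continue
            self._by_token[token] = pan
            self._by_pan[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


class MerchantDatabase:
    """Everything a breached merchant system would expose: tokens only."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.orders = []

    def record_sale(self, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)   # PAN is forwarded, never stored here
        self.orders.append({"token": token, "amount": amount_cents})
        return token


def demo() -> dict:
    vault = TokenVault()
    merchant = MerchantDatabase(vault)
    pan = "4111111111111111"   # constructed test PAN that passes Luhn
    t1 = merchant.record_sale(pan, 1999)
    t2 = merchant.record_sale(pan, 500)
    leaked = [o["token"] for o in merchant.orders]   # what an intruder gets
    return {
        "same_card_same_token": t1 == t2,
        "token_last4_matches": t1[-4:] == pan[-4:],
        "leaked_tokens_are_pans": any(luhn_valid(t) for t in leaked),  # False
        "vault_can_recover": vault.detokenize(t1) == pan,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices carry the security argument: tokens are random rather than derived from the PAN, so the merchant's data reveals nothing about the card even with the vault's code in hand, and the Luhn rejection guarantees a leaked token cannot be mistaken for, or submitted as, a card number.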