January 27, 2010

Throwing Down The Gauntlet

I am having a bad day and just got done with a call with an acquiring bank and their PCI compliance coordinator.

What put me in a really foul mood was their demanding that my client take certain actions to better ensure the security of the acquiring bank’s transactions.  I do not know exactly what it was, but the request hit me wrong and I went on a rant.  However, after I was done, I started to think about it and said to myself, “Why not?”

My rant to this poor person revolved around why the card brands and acquiring banks do not expend their efforts on fixing the credit card fraud problem instead of addressing its symptoms.  For the last ten years, the card brands have developed their various security programs, which were merged to form the PCI compliance standards.  While these standards address the shortcomings of the existing processing environment, my impression is that the card brands are doing little, if anything, to address the real problems.

How about we force the card brands to develop a truly secure credit card and the secure transaction processing to go with it?  Given the technology available today, one would think that, with the right people involved, a secure credit card could be readily developed and, at the same time, a secure transaction processing environment designed that does not allow the storage of cardholder data except at those points where it is genuinely required.  Those points, in turn, would be heavily secured, monitored and fortified against attack and data breaches.  Those projects alone would probably reduce card fraud and breaches by 90% to 95%.

Yes, I know that such changes would not come quickly, but you might be surprised.  If a new, secure card and process were introduced and provided the benefits I think they likely would, a lot of merchants might actually have a reason to get on board and spend the money to fix the real problem.

So, how about it card brands and acquiring banks?  Are you up to the challenge?


2 Responses to “Throwing Down The Gauntlet”


  1. scott
    January 27, 2010 at 4:04 PM

    It is so good to finally hear comments that are in line with my thoughts. I have been in this industry since 1985, and the merchant/acquiring side of the industry has always paid the cost of securing these transactions. Now the issuers have a product that is so easily counterfeited, but they do not want to add cost to their business, so let’s continue to have the merchants pay to keep the product secure.

    I do disagree on one point: it is more the issuers than the card brands that are not moving to a more secure product. From a cost perspective, the amount of fraud is relatively low and they cannot justify the cost of implementing a more secure product. The problem is that even if the percentage of total fraud is still a small slice of the total pie, the pie is getting so big that the size of the slice is significant. I am sure that every card holder in the USA has either been affected by skimming fraud or knows someone who has. If consumers lose faith in the system and stop using the product, what is the cost impact on the issuers and card brands? I am sure that cost is not considered when calculating the ROI to move to a new, more secure product.

    Consider this, the US treasury has changed paper currency three times since 1990 because the old currency was easy to counterfeit. Just imagine if the US government put the burden on the merchant to identify bad bills and take them out of circulation and if they didn’t they would be jailed.

    There is nothing wrong with the industry as a whole making the system more secure, but the card brands and issuers must start to move away from this antiquated 1950s technology.

    This could be corrected if the PCI DSS were to apply to issuers as well. EVERY issuer that issues cards with a magnetic stripe is not compliant with the PCI DSS. However, they are not penalized for it. The DSS states clearly that magnetic stripe data must never be stored, even if encrypted. However, every issuer stores the magnetic stripe in the clear. It is in a huge distributed database; I happen to have three records of that non-compliant database in my wallet as I speak. So let’s see the issuers put in a system that protects sensitive card holder data like merchants, acquirers and service providers have to do.

  2. Lyta April
    January 27, 2010 at 9:06 AM

    First, the card brands and banks will do nothing unless doing nothing costs them money. Someone at Visa got the bright idea: “Let’s continue to push the cost of the privilege of using our cards onto the merchant by imposing a set of compliance rules on them. If they don’t like it, they can just stop doing business.” (Mastercard and the rest just said, “Damn, wish I’d have thought of that first!”) This absolves them from having to do anything, because now the blame for an insecure system rests with the merchant, not the card holder or the card brands themselves.

    True, a lot of companies needed to come up to par with the security of their networks, mine included. Actually, as an IT person, it’s nice to have a club to beat Senior Management with for appliances and policies that I should have been able to implement long ago. The problem is, those who are hardest hit are those who have little money, experience or time for all this (Level 4s). I’m sure that there are a lot of people filling out an SAQ D who don’t understand it, can’t afford it, and hope that the acquirer doesn’t look too closely. Does this really make the system, in its entirety, more secure? No. Even the consumer doesn’t care. Do they even notice a PCI stamp of approval or an SSL certificate seal, etc.? Most of them couldn’t care less as long as the transaction is quick and the merchandise is received. So, who are we doing this for? The card brands. This way, if something goes wrong, they get to blame the merchant instead of taking responsibility for what is, in the end, their revenue stream.

