Thursday, March 20, 2008

Credit and Debit card security

One of the largest challenges facing the credit card industry today is the proliferation of technology and the ubiquitous nature of the credit and debit card. The technology in use has significant consequences for the security of the associated data and for the ability to protect the consumer's data from fraudulent activity. The industry has created a standard, the Payment Card Industry (PCI) compliance standard, which mandates that any merchant who accepts credit cards must meet a minimum level of compliance or face fines. Visa, MasterCard and American Express have each published their own specifications. The PCI program is an overall reaction to the theft and hacking of credit card data. A recent example is the theft of 4.2 million credit and debit card numbers from Hannaford's of Maine. As can be seen in the Lincoln County News article on Hannaford, the customer's trust is eroded both in the credit card company and in the organization whose data was compromised. Hannaford also has a statement that clearly asserts its compliance with the PCI standards.

A new piece of technology being introduced by many of the credit and debit card companies is the built-in RFID (Radio Frequency Identification) tag. It allows the user simply to be in proximity to a scanner, eliminating the need to 'swipe' the card and sign a receipt or use a PIN pad. MasterCard runs fairly common commercials for its version of this technology, which it calls "PayPass". The technology is being hacked fairly easily: a credit card RFID reader bought on eBay for $8.00 plus a simple terminal program is enough to begin reading credit card information without ever seeing the card. The NY Times article shows how easy it is to read credit card data just by being near the card, and the Engadget / BoingBoing article shows how a hacker has done exactly this and suggests stainless steel wallets for everyone.

Consumers value the convenience offered by vendors who accept credit and debit cards, and the cards are here to stay. The technology and data security issues will have to be addressed, and the card-issuing companies are taking steps to protect the consumer. RFID is fraught with privacy challenges that are only just beginning to surface. More marketing attention should be placed on PCI and privacy compliance. Unfortunately, on the websites reviewed by this author, most companies' privacy statements are buried. Vendors and credit card companies need to take a more proactive stance with consumers before confidence is completely eroded.

-End of Ramble


Lucid Guy said...

Ordinary buddy, your glass is definitely half empty. While you make good points about the opportunities for fraud and identity theft, electronic payments are the way of the future. Just as we have adapted our security for other things of value, we will adapt our electronic security as well. Personally I use my debit card for everything since it is so darn convenient. One path to the future is to use a blend of technologies applied where appropriate. Credit, Debit, RFID, Stored Value, and NFC (near-field communication) payment methods should be viewed as complementary and not as competition. NFC will one day enable your cell phone or PDA to make payments as they do in Europe and Asia. NFC also offers greatly enhanced security over RFID. However, NFC is exactly what it says, "near-field". Its communication distance is inches, not feet. Combined and applied where appropriate, I believe a successful electronic payment strategy can be obtained.

Ordinary Guy said...

What you are negating is the fact that RFID is affected by multipathing. Have you ever picked up a radio station from across the state? Or the United States? That's multipathing. The radio waves bounce everywhere, making it very dangerous for radio transmission security. That is why 'touch' devices and optical devices such as smart chips and bar code scanners work well. I am staring at my AMEX Blue card with its dangerous RFID chip in it, thinking how easy it would be to steal the data.

Don't get me wrong, I don't think we should not use electronic forms of payment... but there must be an independent user verification, much like your PIN code today. Scan-and-run devices as they are touted with RFID are dangerous... and easy to steal.

Anonymous said...

I, for one, was horrified when we got that new PayPass card in the mail. I described some of the possible fail features built in; the girlfriend said meh.