First Data Corp. and RSA, the security division of EMC Corp., are the latest major companies working together to encrypt credit card data at the point-of-sale device. This early encryption approach, also offered by other vendors, including ProPay Inc. and Merchant Warehouse, can lower the technical costs of Payment Card Industry Data Security Standard (PCI DSS) compliance, as well as the legal risk of disclosure notifications and the risk of mass information loss. It is a proactive approach that retailers should be evaluating.
But while U.S.-based payment processors focus on end-to-end encryption, the UK, France and other European countries are finding some success in reducing fraud by deploying chip and PIN technology. There are initial costs. The process focuses on replacing traditional credit card terminals with smartcard technology. Banks must reissue credit cards with embedded chips that authenticate using a PIN. The process helps verify a card as authentic by checking the PIN a customer enters against the PIN stored on the card.
Last month I had harsh words for the effectiveness of the PCI standard's efforts. My major issue with PCI DSS is that it imposes a wide range of security technology and process requirements on the retailer, credit card processor, and bank supply chain without regard to the unique needs of each business, and without the credit card industry recommending commensurate changes to an insecure business process. Even so, institutions are taking the initiative with pilot security programs, particularly ones that draw on European experience with early encryption.
Chip and PIN represents one such area of innovation: it applies cryptography at the card swipe as a possible solution to data loss at retail sites. If the remote site does not hold sensitive data in clear text, its security burden is dramatically lessened. As we have seen from the Gonzalez indictment, retail outlets create a massive attack surface for payment cards and are easily accessible to hackers.
Fraud data compiled by the UK Payments Administration on the chip and PIN credit card technology introduced in 2004 suggests success in reducing credit card theft at the point of sale, with implications that could map to potential compensating-controls approaches in the US. The figures compiled by the organization show the costs associated with lost or stolen card fraud dropping from about $185 million in 2004 to about $88.1 million in 2008.
Banks deploying chip and PIN card technology have made mistakes that could be corrected before point-of-sale encryption takes off in North America. For one, applying password guidelines to PINs would make it more difficult to use a stolen card number. It is surprising that the credit card folks would be non-compliant with their own PCI DSS standard by allowing four-digit PINs. If an attacker tried the last four digits of the person's telephone number, they would probably be right half the time. But I digress. The data does indicate that encrypting data at the swipe has a positive impact on credit card security.
PCI DSS compliance targets businesses that hold large databases of credit card information, such as card processors and large merchants. However, PCI DSS is not a panacea for credit card fraud and does not address fraud in transactions where a card is not present (e.g. Web and telephone transactions), which is a huge business problem for the credit card industry. Security vendors such as RSA and First Data are to be commended for teaming up to find a more secure process for conducting credit card transactions.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.