Thursday, 8 October 2009

How the Payment Card Industry could stop Card Fraud

If the payment card industry, the card schemes such as Visa and MasterCard, and merchants really desired to dramatically reduce payment card fraud, it can be simply done.
Today, by far the biggest problem with payment card security (credit and debit cards), is the little black magnetic stripe on the back. This magnetic stripe holds the full card details unprotected. This information is referred to as “track 2 data” within the payment card industry. The problem is this magnetic stripe track 2 data can be easily read with a "cheap to buy" magnetic stripe reader (see picture above), allowing fraudsters to “skim” card details quickly in a variety of ways, for instance placing covert magnetic stripe readers on ATMs (see picture below).
Track 2 data is also held in plain text on some payment devices and payment processing applications which store this information. Once track 2 data falls into the hands of card fraudsters, they simply create clone cards by replicating the magnetic stripe, and then use the cloned card in the same way as the original card holder uses the original card, of course only at those places which accept magnetic stripe swiping. Making card payment using the magnetic stripe reading is increasingly rare in Europe, however elsewhere in the world it is still used, and sometimes even without a signature.

Using a magnetic stripe to store card data on our plastic is an out dated technology, in Europe where "Chip and Pin" has now been widely adopted, using a chip to read the card data instead of the magnetic stripe increases security. The chip is difficult to clone and holds card information encrypted, so making it difficult for the bad guys to “swipe skim” the card data, and it is extremely difficult to create a clone working "chip" on a card. The issue is there are places like the United States where they haven’t adopted the securer chip technology and are intent on continuing to use the insecure magnetic stripe for the foreseeable future, meaning all payment cards around the world still need to keep the magnetic stripe on the back to be used globally accepted. As a result UK payment cards which still have their magnetic stripe track 2 data stolen, are still being cloned but used in places like the Thailand, where card magnetic stripe swiping is still the way to pay.

One of the arguments for the non-full adoption of chip technology in places like the US, is merchants don’t want to front the cost of replacing their card readers, well that doesn’t wash with me, most merchants in Europe managed to adopt chip reading technology fairly rapidly without any major hassles, and in general merchants continue to replace their card readers over a period of time anyway. So I don’t see why a “phased in” approach wouldn’t be acceptable on a world wide basis. During my recent trips to the United States I have encountered a general shift in the type of payment card readers to touch screen card devices, but they are still using magnetic stripe swiping to read the card. But this demonstrates there is always a continued evolution of card reading devices being deployed by merchants.
I don't want to even muddy the water by talking about the extra security using a PIN with the chip to provide two factor authentication at the cash register, that’s great for increasing security too, but my main point is about using a chip to read the card instead of a magnetic stripe.
I believe removing the magnetic stripe from all payment cards and card processing terminals would result in a drastic reduction in card fraud, which specifically targets “card holder present” transactions. A “card holder present” transaction is where the card holder and payment card are both physically present when making payment, for instance making a payment at the cash register.

What about card holder not present transactions? These transactions are where it is impossible to tell whether the cardholder is present and in actual possession of card when making a payment, for instance an internet transaction or a telephone payments, where it is impossible for the merchant or payment processor to know whether the buyer is typing his card details in from the actual card or it's a frauder using skimmed card information. Sure the 3 digit security code helps with this, but the bad guys have ways around this.

In the UK following the introduction of Chip and Pin in 2005, there was a dramatic shift in the types of payment card fraud, in that the card fraud dramatically swung to “card holder not present” fraud, mainly internet transactions opposed to fraud at the cash register, mainly because cloning cards and their magnetic stripe became a waste of time for the fraudsters, as merchants moved to using chip only payment transaction processing.

There is an answer to securing “card holder not present” transactions which is simple and just requires an update in the card technology used. This technology has been available for quite a while now and involves the addition of a digital authentication system to the actual payment card.
I have seen many proto-types of this technology, such as the EMUE card (featured in the pictures), which displays a uniquely generated LCD number on the card, which is then typed in by card holder when making a “card holder no present” transaction, such as an internet payment. The system checks the number is valid and if it is, this proves the card is actually present as the payment is made. In addition there is a PIN entry on the card which is used to create the generated number, proving the actual card holder is also present. This type of card effectively would turn all “card holder not present” transactions into “card holder present” transactions. This card is not more bulker than a normal card, so still works in ATMs.
If the payment card industry took these steps, not only would this dramatically reduce card fraud by vast amounts in my view, but it would remove the security burden of protecting card holder data. Payment processors and merchants must  comply with the 260 security requirements of the Payment Card Industry Data Security Standard (PCI DSS), I question whether PCI DSS would even be required to oversee the protection of card holder data if the measures I have talked about was globally adopted, because the bad guys wouldn’t be able to commit much fraud with payment card information anymore, meaning card holder data would no longer require to be protected.

I don’t believe I’m saying anything radical here, or indeed anything new, as always any thoughts and comments on this is always appreciated. I can say I have raised these points with leaders in the global payment card industry, as yet no one has given me good reason why this wouldn’t work. The excuse I tend to be given is the fraud rates aren’t at a sufficient rate to bring about these sorts of changes in security. Some might say the payment industry are happy taking the fraud hit, and passing on the fraud costs on to merchants and ultimately consumers through PCI DSS related costs and fines, while the inconvenience to customers who actually get hit with fraudulent transactions on their credit card and bank statements, mainly due to no fault of their own, is of little conscience.

Information Security is often a game of cat and mouse, with the good guys introducing security measures and bad guys finding ways around the security measures, then the good guy’s introduction new security measures and so on. The question is, has the payment card industry stopped playing the security game of cat and mouse? The answer is within the magnetic stripe on the back of your payment card.


Anonymous said...

This is my first trip to your site, but you do a great job and have very interesting and practical materials. I will be back, often.

Rizwan said...

I am visting your site first time great work please make it more aggresive and also add some extra material

global payments said...

How the Payment Card Industry could stop Card a great post...really very interesting....
I like it very much.........
Thanks for this informations,.....
Smart post.....