Friday, 9 November 2012
The Death of PCI: Two-Factor Online Payments
Back in September 2007, I attended the inaugural Payment Card Industry Security Standards Council (PCI SSC) Community Meeting in Toronto. These were the days before PCI was big business; there must have been only a couple of hundred people at the event, in a typical downtown hotel in Toronto. PCI was still finding its feet, the PCI SSC Board members spent most of the event being grilled by delegates brimming with questions about the PCI standard, and it is fair to say some delegates weren't happy chappies at all. I took the opportunity of asking SSC Board members several questions myself; looking back today, some of my questions could be seen as rather naive, given who is behind setting up the PCI SSC and why.
I asked why the PCI SSC doesn't just regulate the card issuers, challenge them with a standard to secure the cards and cardholder data to a higher degree, instead of passing the buck on to everyone else in the industry. I explained how in Europe we had just started using a new two-factor authentication system, Chip and PIN, which was already dramatically cutting face-to-face card fraud (known as cardholder-present transactions). I argued they just needed to replicate the two-factor authentication for when we couldn't prove a person (the cardholder) was in possession of a payment card, specifically with telephone, online and perhaps mail order payments (known as cardholder-not-present, or MOTO, payments). My point was that the industry should be focusing on updating the plastic card technology itself, which had been standing still for decades with its 1970s magnetic stripe holding sensitive card data on the back: wasn't it time to evolve the technology and make the cardholder data itself worthless, in order to combat card fraud more effectively?
Of course these questions and points all fell on deaf ears, as the PCI SSC is about regulating cardholder data beyond the card issuers, passing the failings and fraud costs of weakly secured plastic cards on to the payment processors and retailers that need to process them for payments. The one big downside to PCI DSS is that companies are paying to protect someone else's data, as cardholder data belongs to the card brands (i.e. Visa, MasterCard, Amex), and not to the cardholders. My gripe is that companies invest more in protecting someone else's data than they do their own confidential information, and, more importantly, more than other people's personal sensitive data. This often leads to their information security budgets being plundered by PCI programmes in order to protect the card brands' data at the expense of protecting citizens' personal data.
Five years on from that Toronto meeting, it has been clear for many years that Chip & PIN (EMV) works in cutting cardholder-present fraud; every information security professional knows the benefits of using a two-factor authentication system. Only now has North America finally started to push Chip & PIN for cardholder-present transactions, following the European success. Could the penny have finally dropped? Are card brands and card issuers now seriously thinking about using two-factor authentication to protect online transactions from fraud as well?
To secure online transactions in the same way as Chip & PIN, you need to ensure the cardholder is in possession of their card. This can be accomplished by building a one-time number generator into the card itself, displaying the number on a thin LCD screen on the card. The one-time number is generated by a time-based cryptographic sequence, a keyed function of the current time step, which produces a number valid only for a limited window; the issuer, holding the same card secret, recomputes the expected number for that window and compares. This number can be keyed in or spoken by the cardholder, and so used to corroborate that the payment card itself is in the possession of the cardholder. Further, the security could be seriously ramped up by first requiring the cardholder to type in their PIN on the card itself before generating the number. This gives two-factor authentication for online and telephone payments (MOTO): both proof of possession of the card (something you have), and proof the cardholder knows their PIN (something you know). Recently both Visa Europe and MasterCard have announced new cards that do just that.
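As an added illustration of the scheme just described (this is example code written for this page, not code from the post and not Visa's or MasterCard's actual card implementation), here is a Python sketch of both sides: the card side, which refuses to show a number until the correct PIN is entered and locks after three wrong tries, and the issuer side, which recomputes the expected number for the current time window and rejects an expired or replayed number. It assumes an RFC 4226/RFC 6238-style HMAC one-time code, a 60-second window and a one-step clock-drift tolerance; the RFC 4226 test key stands in for the card secret, and the card number and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60     # assumed validity window of one displayed code
DIGITS = 6            # assumed length of the displayed code
MAX_PIN_TRIES = 3     # assumed lockout threshold, as on EMV Chip & PIN cards


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Card:
    """Card side: holds the secret (something you have) and only produces a
    code once the correct PIN (something you know) has been entered."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        # Simplified PIN verifier; a real card compares inside the chip.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.tries_left = MAX_PIN_TRIES

    def generate(self, pin: str, now: int):
        """Return the one-time code for the current window, or None if the
        PIN is wrong or the card has locked itself after too many tries."""
        if self.tries_left == 0:
            return None
        candidate = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(candidate, self._pin_hash):
            self.tries_left -= 1
            return None
        self.tries_left = MAX_PIN_TRIES
        return hotp(self._key, now // STEP_SECONDS)


class Issuer:
    """Issuer side: knows each card's secret, recomputes the expected code for
    the current window (plus one step either side for clock drift), and refuses
    a code that has already been accepted in that window (replay)."""

    def __init__(self, drift_steps: int = 1):
        self._keys = {}
        self._used = {}
        self._drift = drift_steps

    def enrol(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._used[pan] = set()

    def verify(self, pan: str, code: str, now: int) -> bool:
        key = self._keys.get(pan)
        if key is None or len(code) != DIGITS or not code.isdigit():
            return False
        step = now // STEP_SECONDS
        for c in range(step - self._drift, step + self._drift + 1):
            if hmac.compare_digest(hotp(key, c), code):
                if c in self._used[pan]:
                    return False          # same code presented twice
                self._used[pan].add(c)    # a real system prunes old steps
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226 test key stands in for the card
    # secret, the PAN is a well-known test number, timestamps are arbitrary.
    KEY = b"12345678901234567890"
    PAN = "4111111111111111"
    card = Card(KEY, "1234")
    issuer = Issuer()
    issuer.enrol(PAN, KEY)
    now = 185                                             # time step 3
    print(card.generate("0000", now))                     # None: wrong PIN
    code = card.generate("1234", now)
    print(code, issuer.verify(PAN, code, now))            # 969429 True
    print(issuer.verify(PAN, code, now))                  # False: replay
    print(issuer.verify(PAN, code, now + 5 * STEP_SECONDS))  # False: expired
```

The point the sketch makes is that the number typed into the web form is worthless once its window has passed or once it has been accepted: a merchant or processor that logs it leaks nothing a fraudster can reuse, which is exactly why the plastic, not the retailer's database, is the right place to fix the problem.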
MasterCard's Two-Factor Payment Card
Most card consumers don't want gimmicky pictures of themselves on their payment cards; we want two-factor authentication for all our card payments, not just at the checkout. Why? Because consumers actually do care about having their accounts hit by fraudulent transactions, and do want to be decently protected, as when all is said and done, consumers foot both the card fraud bill and the retailers' PCI bill. This new generation of cards deals with the root cause of the card fraud problem, the weakly secured plastic itself, and has to be the best way forward.
Death of PCI
For retailers, if all cards switched completely to two-factor authentication, it could finally mean they don't need to protect cardholder data, certainly not to the same degree as at present, which really could spell the death of PCI. We'll have to wait and see whether this 'not new' technology takes off in the industry, but I don't think PCI DSS will be around a decade from now.