New Credit Card Security in America

Every time I speak at a PCI event someone in the audience asks when America will get more security controls for credit cards themselves. It is a valid question. The cards have not changed much in decades, while the threats clearly have grown exponentially. The most often cited reason I hear for America’s lack of security controls in cards is the cost of changing the infrastructure that reads them. Perhaps this was best expressed as a business decision where the cost of fraud was measured against the cost and benefits of securing the infrastructure. The balance has now tilted and Computerworld reports on new security measures as reinforcements for PCI.

Fifth Third is testing the use of magnetic-stripe technology to create unique digital fingerprints for each card. Dan Roeber, vice president and manager of merchant PCI compliance at the bank, said it has distributed about 1,000 new card readers to retailers that haven’t been told about the pilot project. The readers use data from the magnetic stripe on the back of cards to create a “DNA picture,” which is matched against baseline information during the transaction authorization process, Roeber added during a panel discussion at the Visa conference.

The argument for this first technology is that it avoids key management issues for end-to-end encryption, which many companies are still afraid to implement.

The pilot at OfficeMax involves a challenge-and-response technique being used to help authorize card transactions. The retailer is asking shoppers for information such as their ZIP codes, the last four digits of their phone numbers or their three-digit area codes. The responses are then matched against previously submitted answers, said William Van Orman, OfficeMax’s treasurer.

That sounds reasonable, except it is based on a clumsy system of managing secrets, very similar to the fear of key management in the prior case. ZIP codes, phone numbers, area codes: the easier the information is to manage, the less value it has as a secret.

A third option is advanced payment management services. I was recently called by the fraud-alert service to verify charges on my account. Although the service is nice, having a person place the call seems rather expensive. That is why automation will soon take this over and we should see transaction “alerts” pushed in real time to mobile devices. Imagine that instead of taking your receipts home and entering them into Quicken manually, you get instant confirmation in your mobile accounting software when you use your credit card. If you do not recognize the charge, you can respond with a fraud alert notice yourself.
