The Security Conundrum: The Puzzle
by Patrick Gauthier PYMNTS.COM 4/20/10
Since the breach of Heartland Payment Systems, a certain malaise dominates the question: one cannot overlook the expenses incurred to achieve PCI compliance without asking what comes next. Yet, somewhat surprisingly, the conversation on transaction security continues to revolve around some magic silver bullet. PCI, encryption, tokenization, dynamic data, EMV, CAP… the litany of product proposals is as long as the list of end-to-end strategies is short.
The importance of securing transactions is as old as commerce. It is not just a question of fraud losses but also one of trust in the system. As the 19th century American clergyman Henry Ward Beecher stated, “commerce dies the moment, and is sick in the degree to which men cannot trust each other”. From the perspective of consumer trust, transaction security is critical to merchants and bankers alike, which is lost on neither the regulators nor the litigators.
In the last ten years, though, maintaining trust in the payment system has become an ever more complex exercise in guerrilla war between payment service providers and criminals. Prior to the advent of e-commerce and the internet, fraud was mostly concentrated on lost-and-stolen cards and counterfeit attacks. Counterfeiting was as much an art as a science, as demonstrated by the simplest form of skimming, which involved rubbing two cards slowly against one another.
Today, the threat surface has increased exponentially as a function of the evolution of commerce beyond face-to-face transactions, carried over ever more diverse infrastructure elements. If the exposure equation is a function of threat count times vulnerability times impact, one can easily appreciate the security conundrum faced by payment systems:
1. The variety of devices is exploding:
Long gone are the days of cards and POS owned and deployed by the financial institutions. From PCs to mobiles, to kiosks, to off-premises ATMs, to SD cards… the ever increasing number and variety of commerce-enabling devices makes it difficult to manage their compliance with security standards developed by the payment industry. To put it in perspective, compare the fewer than 100 EMV chips certified by the payment networks to the more than 2000 models of mobile phones currently in use in the world. While attempts have been made to simplify the problem thanks to trusted security modules embedded in consumer devices, issues such as the lack of standards on secure hardware and middleware, or the difficulty of maintaining the audit trail throughout the supply chain, are currently limiting their applicability.
2. Transaction types are multiplying:
Lifestyle evolutions along with new technologies have led to a variety of changes in payment acceptance. Beyond MOTO and e-commerce transactions, witness the growth of unattended terminals from gas pumps to supermarkets; of micropayments aggregated to payment cards or to third-party bills themselves settled through a secondary payment transaction; of person-to-person payments; or of cross-border transactions in professional online marketplaces... Each presents a different risk management profile, which has led to a patchwork of payment services.
3. Authentication methods are bifurcating:
The growing number of card payment use cases has led to a fragmentation of the authentication landscape. As I prepared this post, I used my Amazon password here; my iTunes password there; my Verified by Visa PassCode from time to time; my CVV2/identity code more often; my zip code at the pump (fortunately I don’t live in Canada and fill up in the US!) and my address at a catalog merchant; my PIN at the ATM and at merchants where I forgot that a CheckCard is a credit card; my email address for ACH transfers; and even parts of my card swipe at airport check-in counters. Throughout, I left a contrail of identity and account telltales providing the criminal mind with as many potential attack vectors on the system.
4. Payment data is used in a growing number of applications:
Repeated industry studies since the CSSI breach have shown how the shadow of payment data extends far beyond payment applications. Loyalty applications transforming transaction information into points, behavioral segmentation and other targeting tools are the most evident examples. Authentication and age verification, and T&E reservation systems, are but examples of multiple other instances, many outside of the control and the knowledge of the payment industry.
5. More delivery intermediaries are participating:
Once upon a time a card would get swiped at a standalone POS, which dialed up an acquirer system for entry into the secure world of the payment networks. Alas, those times are gone. Witness the TJX case and the vulnerability of the in-store/in-chain network; or map the many hops that card data will make in a Tier 4 e-commerce merchant, through a checkout provider, possibly to an ISO and acquirer, but also a fulfillment agent, a third-party customer service provider and, why not, a combined loyalty program. Controlling the devices, network, applications and processes of each of these suppliers is a task of Herculean proportions. While PCI attempted to solve this, its cottage industry has itself become part of the equation, as the Heartland case so aptly showed.
6. Cost of compromises is escalating:
Beyond the cost of fraud lies the cost of compromise management. Industry analysts estimate that only single-digit percentages of compromised accounts are actually used in fraudulent transactions. Nonetheless, issuers are put in a position of having to remediate all of these accounts. Reissuance, tighter authorization controls, and compliance with identity protection laws and regulations don’t just create direct costs; they also seed doubt in the minds of affected consumers, drive up customer service calls and costs, and impact activation and usage of affected accounts. One industry source recently told me the incremental cost of managing a compromised account was as high as $8 / year.
7. Attackers are becoming increasingly sophisticated:
20 years ago, card fraud was largely an art. Today it is a science and a business. Hackers gathered information from TJX for close to 2 years before accounts were used for fraud. Around the same time, fraudsters installed professional-grade skimming devices on ATMs in Canada. Criminals are also known to have created online marketplaces for selling and trading compromised accounts. In the UK, as EMV cards were deployed, fraud shifted rapidly to online and cross-border transactions. It is not that the payment networks have not labored to build their own set of tools and technology (witness the sophistication of neural networks and real-time scoring systems), but that would-be attackers can ever more easily get access to the knowledge and technology to carry out their deeds, and are often organized in complex rings.
If your head is spinning, welcome to the club, where more than one Risk Management executive lives, wondering what the next “surprise” will cost, perhaps his or her job. Not long ago Sun Tzu’s “The Art of War” was a source of inspiration to business strategists. I would suggest that guidance for securing transactions may well be found in military writings on counteracting insurgencies. Fifty years ago Sir Robert Thompson, the father of modern counter-insurgency, described how only holistic strategies could counter guerrilla warfare. Translated into our context, this would mean conceiving not only new technologies but also economic incentives, legal and regulatory tools, cross-industry collaboration, public-private partnerships, and empowerment of consumers and merchants, tied together with heavy use of intelligence/information systems. The investment is anything but trivial. However, this is not an academic issue: as the iPad’s growing number of novel apps suggests, we continue to barrel down the path of an economy of bits and bytes. Securing electronic payments is fundamental to our future growth.