I was drafting a post last week on credit card security when I read Rich’s piece on How Market Forces Can Fix PCI. Rather than looking at improving PCI-DSS from a specification-centric perspective, he presented some ideas on improving its effectiveness through incentivizing auditors differently. A few of the points he raised clarified for me why looking at market drivers such as this is the only way we are going to understand the coming security changes to this industry. It’s a good post and highly relevant given the continuing rise in notable breaches and PCI compliance costs for merchants. But more than anything else, for me the post solidified why I think we are having the wrong discussion about the advancement of payment security. We are riding a 20th century credit card processing system that was great at the dawn of the POS terminal, but is simply broken from a security perspective for ‘card not present’ and Internet electronic commerce situations.
Adrian Phillips of Visa was recently quoted as saying “… PCI-DSS has proven to be a highly effective foundation of minimum security standards when properly implemented across all systems handling cardholder data.” That phrase is laced with caveats, and it should be, because if you follow PCI-DSS closely, you hit the minimum set of requirements for basic security with significant investment. It’s not that I am against PCI-DSS per se, it’s just that we should not need PCI-DSS to begin with. We have gotten so wrapped up in the discussion on securing this credit card data and the payment system that we have somewhat forgotten that the merchant does not need this information to conduct commerce. We are attempting to secure credit card related information at a merchant site when it is unnecessary to keep it there. The payment process for merchandise should be considered two separate relationships: One between the buyer and the issuing bank, and the other between the issuing bank and the merchant. Somewhere along the way the lines were blurred and the merchant was provided with the customer’s financial information. Now the merchant is also required to keep this data around for dispute resolution, spreading the risk and cost of securing customer financial information. If I were looking for ways to make my business more efficient, I would be looking to get rid of this effort, responsibility, and expense ASAP!
Merchants must invest massively to prop up the security on a flawed system. If the pace of fraud and breaches continues, sheer economic force will push merchants toward an alternative rather than suffer along with increasing expenses and risks. As Brian Krebs recently reported, there has been a 95% increase in the number of credit and debit card fraud cases, with no specific indicator showing a slowdown.
My point with this entire rant? I think we are starting to see the change happening now. Rich’s argument that market forces could improve PCI audits is entirely valid, and we could see slightly improved site security. But if market forces are going to materially alter the security situation as a whole, it will be in the slow erosion of vendors participating in the system we have today, in favor of something more efficient and cost effective. First with Internet commerce, and eventually with POS. Securing credit card data is an expensive distraction for merchants, which directly reduces profits. While many large companies offset this expense with revenue from data mining, the credit card number no longer needs to be present to successfully analyze transaction data. If I were running a commerce web site I would certainly be looking to an external payment processing service like PayPal to offload the liability and the need to be party to the credit card data. And as PayPal’s fee structure is on par with more traditional credit card payment services, you get the same service with reduced liability. Looking at the number of small and mid-sized merchants I see using PayPal, I think the trend has already begun and will continue to pick up speed. I am also seeing new payment processing firms spring up with payment models more agile and appropriate to electronic commerce.
I had an email exchange with the CTO of a security vendor on this subject the other day, and the question was raised: “Will there be EMV-like smart cards in our future?” I doubt it. That type of security helps half of the equation: authenticating the buyer, and given current implementations, only at POS terminals. It does not stop the data breaches or resultant fraud. EMV was a very good proposal that never took off, and while it could be helpful with future efforts, a more likely authentication mechanism will be something like Verisign authorization tokens. This form of authentication (user name/password plus One Time Password) may not be perfect, but it is far in excess of what we have for credit card processing today, and requires very little modification for Internet transactions.
If market forces are going to drive payment processing security forward, I think this is a more plausible scenario. As always, current stakeholders will strive to maintain the status quo, but cheaper and better eventually wins out.
5 Replies to “How Market Forces Will Alter Payment Processing”
@Adrian, No problem. You should also check out Eve Maler’s series on the “ProtectServe” protocol [1] that defines a simple protocol and use cases for fulfilling this type of interaction.
Nick
[1] http://www.xmlgrrl.com/blog/archives/2009/04/02/protectserve-draft-protocol-flows/
@Nicholas – OMG! Thanks for the link! I am working on another post on this topic right now, but I like the term ‘Vendor Relationship Management’ a lot more than what I was thinking of. And it’s good to see someone else sees this issue. My bent is this becomes an even greater issue with security in the cloud as eCommerce is no longer a single vendor, but a chain of vendors responsible for shopping, checkout, payment processing, shipping, customer communication, fulfillment, promotions and customer satisfaction. And they ALL share your information. I’ll get this up on the site later this week.
In response to your comment, I would also love to have my ID be my IP. That way I can share on an as wanted/as needed basis, and tie an expiration date to it. That helps with privacy. I am still looking for an economic motivator for them to flush old data. That way, even if I shared it, it could be known that the accuracy of the data they keep is dubious. It’s been shown that approximately 40% of data in databases used for data analysis is obsolete and skews the analysis.
Thanks again for the comment!
-Adrian
Excellent post.
IMO, this is closely related to some of the forward-looking concepts in the world of Identity Management. Specifically, Vendor Relationship Management [1]. As you said, eventually the cost of collecting and hoarding our sensitive information has to reach the point of being cost prohibitive except for a select few companies that specialize in maintaining and securing this information. On a personal level, I often dream of the day when my ID (identity) becomes my own IP. I would love to make a small cut on the money being spent on collecting information related to my identity by the data warehousing companies. Heck, I could even validate their assumptions about my preferences to ensure that they accurately profile my behavior. While that may ultimately be a pipe dream because of the market forces at play in monetizing my “consumer audit trail”, at the very least my credit card data need not be replicated unnecessarily.
Nick
[1] http://cyber.law.harvard.edu/projectvrm/Main_Page
What is amazing with PCI is how vendors have fought back about how they don’t want to store information.
My experience at many different companies is that they traditionally have never gone back to look at what information they need to keep. The unwritten rule is “keep it forever, just in case”. I have seen a company move information from one system to another and change the access permissions to “no-one has access” and there it stayed for years. Disk space is cheap.
I bet (a case of beers) that if there was no PCI DSS in place that every vendor would keep credit card details for all transactions for every customer forever, just in case. It is only now that they are forced to apply “pretty-good” security restrictions on the data that the price is no longer negligible so they are fighting to get rid of the information.
It’s like Moses on Mount Sinai when G-d presented the ten commandments to him –
“I have this tablet with 5 commandments on it. Do you want it?”
“How much is it?”
“It’s free”
“I’ll take two.”
Getting business to understand that protecting information costs money and getting rid of some information is a quick win is half the battle won. I think PCI has done that for some companies and the only issue that I have with PCI is that it is not applied to all information.
Excellent post! You hit the nail right on the head with this one. The debate about the effectiveness of PCI is mainly irrelevant. For more on my thoughts on the topic check out this post at Oreilly: http://broadcast.oreilly.com/2009/06/beautiful-trade-rethinking-e-c-1.html