I recently came across another blog posting titled “When Will The PCI SSC And Card Brands Stop The Mobile Payment Insanity?” After reading the posting, I thought I’d ask a different question. When Will The PCI SSC amend its mission to STOP FRAUD and not just “proactively protect customer account data”?
The data they want to protect is already published for the world to see. It’s static and “in-the-clear” on the front and back of the cards issued to consumers by almost every card issuer in the world. Anyone with a few brain cells and access to Google and eBay can easily acquire the knowledge to build/modify/purchase their own reader to capture a card’s static data and use it for fraudulent purposes, like a Card Not Present Internet transaction or to create a counterfeit card to replicate a Card Present transaction.
PCI’s mandates for encryption cannot stop these threat vectors. So why does anyone think that having certified readers will really solve the problem? How can a consumer tell the difference between a PCI-compliant device and a non-compliant device? Are they going to check the PCI website prior to swiping, inserting or tapping their card? As long as the “human factor” plays into the overall transaction process/security, the bad guys will find a way to easily exploit the certification process.
Consider this: create a counterfeit card with the stolen data gathered by one of these non-PCI-compliant devices and then use that card at a merchant who has a fully protected, PCI-certified system using all of the latest E2EE, SRED, and PTS standards. What will those technologies/standards do for that merchant to STOP the fraud? NOTHING!
Encryption is but one layer of security. Anyone who thinks that the PCI SSC getting into the business of certifying everything under the sun (at considerable time and cost to the manufacturers and businesses who ultimately pay into the “cottage industry” the PCI SSC has created) will solve the problem is a victim of a massive scam perpetrated by the card brands, the PCI SSC and the issuers, who continue to allow static, clear-text card data to be placed on every card issued and then used for authorization purposes. A system using some form of Transaction Authentication is what is required to solve these problems. Where is the PCI SSC on this subject?
Let’s not kid ourselves or any of the readers of this blog into thinking the “insanity” is coming from those getting into the business of Mobile Payments (hardware or software). The “insanity” is coming from the PCI SSC and its five founders, who together collude so they can deflect onto the merchants the responsibility for protecting static data that is revealed the moment the cards are issued to consumers and physically accepted by merchants. It is insane to suggest that consumers and merchants benefit from anything the PCI SSC does when the bad guys don’t play by the same rules and can easily steal the data from the card in spite of PCI-certified devices being used by merchants.
Fraud is like a water balloon. You can squeeze it with protective measures like encryption, but it just moves around to where there is no pressure to stop it. If the bad guys can’t steal it from the merchants because their terminals encrypt the data, they will find other ways to socially engineer the information away from the consumer, because the customer account data is already “in-the-clear” on their card. Once the bad guys have the customer account data, they can then use that data to commit fraud. As an industry, we should aim to STOP the fraud. If we allow ourselves to be misled by insane mandates that do nothing to stop fraud and only provide a false sense of security to those who “foot the bill”, then why would anyone want to follow the PCI SSC down the rabbit hole?
If we want to stop the fraud, we MUST find ways to stop the theft of customer account data. Encryption cannot stop theft of customer account data, but I will agree that it can make it more difficult to steal. However, that is not enough deterrence for the bad guys. The ONLY practical way to stop the theft of customer account data is by eliminating its redemption value and thereby removing the incentive to steal it in the first place. The ONLY practical way to remove the incentive to steal it is to make the data dynamic. Dynamic data is only good for one transaction in time and it cannot be re-used. Moreover, the next transaction will rely on different data that cannot be predicted. Transaction Authentication goes far beyond encryption and delivers real value to those looking to solve the problem of fraud. I find it troubling that the PCI SSC has no apparent interest in solving the fraud problem. After all, if they did that, then why would they need to exist at all?
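To make the dynamic-data argument concrete, here is an added toy model of per-transaction authentication (it is not the author’s code and not any real EMV or issuer implementation; the card, issuer, message format and HMAC-based cryptogram are all assumptions constructed for illustration). Each card holds a secret that is never printed on the plastic, and every authorization carries a counter plus a merchant-supplied nonce, so the cryptogram is different and unpredictable every time. The issuer then rejects a replayed request, a request whose amount was altered, and a request built from nothing but the skimmed PAN, which is exactly the redemption value the post says static data should lose.

```python
import hashlib
import hmac
import secrets

# Constructed toy scheme for illustration only; not a real EMV/issuer protocol.


class Card:
    """Simulated chip: holds a per-card secret key that never leaves the card
    and an application transaction counter (ATC) that only moves forward."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def authorize(self, amount_cents: int, nonce: str) -> dict:
        """Produce a one-time authorization request for this transaction.
        The cryptogram binds PAN, amount, counter and the terminal's nonce."""
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{self.atc}|{nonce}".encode()
        cryptogram = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {
            "pan": self.pan,
            "amount_cents": amount_cents,
            "atc": self.atc,
            "nonce": nonce,
            "cryptogram": cryptogram,
        }


class Issuer:
    """Simulated issuer host: knows each card's key and the last ATC it saw."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str) -> Card:
        """Personalize a card with a fresh random key (shared only with the issuer)."""
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def verify(self, req: dict) -> str:
        """Decide an authorization request; returns a short decision string."""
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINED: unknown card"
        msg = f"{req['pan']}|{req['amount_cents']}|{req['atc']}|{req['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # Without the card key, nobody can produce a matching cryptogram,
        # and changing any bound field (e.g. the amount) breaks it too.
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINED: bad cryptogram"
        # A cryptogram is good for exactly one transaction: replays reuse
        # an ATC the issuer has already accepted.
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINED: replay"
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVED"


def request_from_skimmed_pan(pan: str, amount_cents: int) -> dict:
    """What an authorization built from static card data alone looks like:
    the PAN is known, but the cryptogram can only be guessed (constructed)."""
    return {
        "pan": pan,
        "amount_cents": amount_cents,
        "atc": 999,
        "nonce": "guess",
        "cryptogram": secrets.token_hex(32),
    }


def demo() -> list:
    """Run the scenarios from the text and return the issuer's decisions."""
    issuer = Issuer()
    card = issuer.enroll("4111111111111111")  # constructed test PAN
    genuine = card.authorize(1999, "terminal-nonce-1")
    results = [
        issuer.verify(genuine),                          # APPROVED
        issuer.verify(genuine),                          # DECLINED: replay
        issuer.verify(dict(genuine, amount_cents=99999)),  # DECLINED: bad cryptogram
        issuer.verify(request_from_skimmed_pan("4111111111111111", 500)),
        issuer.verify(card.authorize(500, "terminal-nonce-2")),  # APPROVED
    ]
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the model is that the data on the face of the card (the PAN) buys an attacker nothing without the key, and even a captured genuine request is worthless a second time because the issuer tracks the counter. Real schemes add key diversification, counter windows and offline fallbacks, none of which are modelled here.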
