When card data sells for $1 on the dark web and passport data for $65, it screams that personal data is what the fraudsters really want. Intel Director Michelle Tinsley tells Karen Webster why locking down personal data – especially across a growing number of connected devices – is where the industry needs to focus – and right away.
The act of scanning a passport at an airport check-in kiosk may seem relatively harmless. But consumers might feel differently if they knew that their highly valuable passport data was being sent in clear text to the TSA.
As in it passes, unencrypted, across a digital network – ready for enterprising fraudsters to siphon away.
Pretty scary, huh?
And it should be scary for everyone in and around the payments industry as well.
While the focus tends to be on protecting cardholder account data, as it should, a consumer’s personal data has become much more valuable to the fraudsters. It can be used to create digital identities that can defraud the entirety of the financial services ecosystem.
The truth is, fraudsters aren’t just after financial data anymore – the more personal information they can gather, the more havoc they can wreak.
It’s a truth that Michelle Tinsley, Director of Mobility and Payment Security at Intel, says must drive a lot more focus and attention on the need to protect a cardholder’s personal data with the same bit of rigor as protecting their credit and debit card account data.
“It’s shocking to me that today a stolen passport is worth $60 on the dark web and a stolen credit card is only worth $1,” Tinsley noted.
Data delivers value — especially for the fraudsters
Tinsley explains that the financial services ecosystem is straddling the blessing and the challenge of the connected devices that can create such value for consumers.
The blessing: the ability to create a whole new level of “intimacy with the customer” and more streamlined operations that can deliver a better merchant and shopper experience. To take advantage of this opportunity, retailers strive to collect more and more data about both the shopper and the products they are looking at or buying. Payments are an important component, but retailers are also very focused on using these new technologies and connections to “not only win the pocketbooks of consumers, but their hearts and emotions as well,” Tinsley observed.
The challenge: this wealth of new data, which we could easily call a fraudster’s dream, falls outside of the “cardholder data” purview that most merchants have invested into protect. This unprotected data may be manna from heaven for fraudsters, but it could be deadly for both merchants and consumers.
The further challenge is balancing the retailer’s desire to have a payment happen securely, but how secure payments will fit into a “slick, new, seamless experience that reflects the brand’s image,” Tinsley said, that also now captures lots of personal information about the retailer’s customers.
That’s why Tinsley said that Intel’s IoT strategy is to build in security upfront and architect those cardholder data protections as an integrated part of the payments security solution. The goal is to safeguard any data that might flow from any connected endpoint to another.
Tinsley emphasized that this set of activities must also address the security of payments transactions at the same time it safeguards the wide range of new information that IoT technologies will introduce. Not terribly easy since it must also dovetail with the inherent complexity and legacy that is built into today’s payments systems — and a set of activities that Tinsley requires creating a new ecosystem to help keep all parties to the transaction – and their data – safe.
“A retailer wants to reduce complexity – they want to have security built in but they also don’t want to start managing eight or nine different types of security protocols,” Tinsley said.
Intel’s Data Protection Technology (DPT), Tinsley explained, is the foundation that Intel is using to create the ecosystem that can keep IoT data safe. DPT is a software product that is injected at the POS to create a secure tunnel with the peripherals to identify any data field that needs to be encrypted and encrypting it right at the instant the data comes in.
The vision, she said, is to have DPT serve as the industry-level architecture that’s not just available through Intel on Intel-powered devices, but a network of Managed Service Providers who can be equipped to deliver it on non-Intel technology.
The aim, Tinsley said, is to simplify IoT security and make sure it’s done in a flexible way that can accommodate updates as malware and other threats to security surface.
“The industry needs a flexible framework and an architecture that can keep growing as IoT gets deployed,” Tinsley emphasized, without interfering with the consumer experience that retailers want to enable with their customers.
Tinsley said Intel is working with all different aspects of an organization, including the marketing and operations teams, to loop them in on Data Protection Technology as not just a security solution, but one that enables a much better level of customer experience as well.
“Any great IoT solution should be secure – it shouldn’t create new vulnerabilities or diminish the consumer experience in any way,” she added.
Tinsley noted that as devices and systems get more connected, there’s an even greater risk that all of that data that flows across those connections won’t be as secure as it should be. Her concern is that the existing financial services and merchant ecosystems are not as well-equipped as they could be to address all of the data security vulnerabilities that IoT will enable – and that retailers will want to enable.
Tinsley said the path forward is to ensure all areas where IoT security is needed are safeguarded in a way that’s both seamless and frictionless.
“You don’t have to wait for a POS upgrade to start getting that IoT security now and enable those better experiences,” Tinsley added.