The Security Conundrum – Part 1: The Puzzle

In recent weeks I have picked up a number of conversation threads on the ongoing difficulties of securing transactions, such as the recent PYMNTS.com posts of Mohammad Khan and Jack Jania or the ANSI X9 call for new standards to secure debit transactions.

Since the breach of Heartland Payment Systems, a certain malaise dominates the question: one can’t overlook the expenses incurred to achieve PCI compliance without asking what comes next. Yet, somewhat surprisingly, the conversation on transaction security continues to revolve around some magic silver bullet. PCI, encryption, tokenization, dynamic data, EMV, CAP… the litany of product proposals is as long as the list of end-to-end strategies is short.

In this two-part commentary I will take a look at the growing challenges of securing payments, and some of the creative thinking I have recently encountered.

The importance of securing transactions is as old as commerce. It is not just a question of fraud losses but also one of trust in the system. As the 19th century American politician Henry Beecher stated, “commerce dies the moment, and is sick in the degree to which men cannot trust each other”. From the perspective of consumer trust, transaction security is critical to merchants and bankers alike, which is lost on neither the regulators nor the litigators.

In the last ten years though, maintaining trust in the payment system has become an ever more complex exercise of guerrilla warfare between payment service providers and criminals. Prior to the advent of e-commerce and the internet, fraud was mostly concentrated on lost-and-stolen and counterfeit attacks. Counterfeiting was as much an art as a science, as demonstrated by the simplest form of skimming, which involved rubbing two cards slowly against one another.

Today, the threat surface has increased exponentially as commerce has evolved beyond face-to-face transactions, carried over ever more diverse infrastructure elements. If exposure is a function of threat count times vulnerability times impact, one can easily appreciate the security conundrum faced by payment systems: every one of those three factors is growing.

1. The variety of devices is exploding:
Long gone are the days of cards and POS owned and deployed by the financial institutions. From PCs to mobiles, to kiosks, to off-premises ATMs, to SD cards… the ever increasing number and variety of commerce-enabling devices makes it difficult to manage their compliance with security standards developed by the payment industry. To put it in perspective, compare the fewer than 100 EMV chips certified by the payment networks to the more than 2000 models of mobile phones currently in use in the world. While attempts have been made to simplify the problem thanks to Trusted Security Modules embedded in consumer devices, issues such as the lack of standards on secure hardware and middleware, or the difficulty of maintaining the audit trail throughout the supply chain, are currently limiting their applicability.

2. Transaction types are multiplying:
Lifestyle evolutions along with new technologies have led to a variety of changes in payment acceptance. Beyond MOTO and e-commerce transactions, witness the growth of unattended terminals from gas pumps to supermarkets; of micropayments aggregated to payment cards or to third party bills themselves settled through a secondary payment transaction; of person-to-person payments; or of cross-border transactions in professional online marketplaces… Each presents a different risk management profile, which has led to a patchwork of payment services.

3. Authentication methods are bifurcating:
The growing number of card payment use cases has led to a fragmentation of the authentication landscape. As I prepared this post, I used my Amazon password here; my iTunes password there; my Verified by Visa PassCode from time to time; my CVV2/identity code more often; my zip code at the pump (fortunately I don’t live in Canada and fill up in the US!) and my address at a catalog merchant; my PIN at the ATM and at merchants where I forgot that a CheckCard is a credit card; my email address for ACH transfers; and even parts of my card swipe at airport check-in counters. Throughout, I left a contrail of identity and account telltales providing the criminal mind with as many potential attack vectors on the system.

4. Payment data is used in a growing number of applications:
Repeated industry studies since the CSSI breach have shown how the shadow of payment data extends far beyond payment applications. Loyalty applications transforming transaction information into points, behavioral segmentation and other targeting tools are the most evident examples. Authentication, age verification and T&E reservation systems are but a few of the many other instances, many outside of the control and the knowledge of the payment industry.

5. More delivery intermediaries are participating:
Once upon a time a card would get swiped at a standalone POS, which dialed up an acquirer system for entry into the secure world of the payment networks. Alas, those times are gone. Witness the TJX case and the vulnerability of the in-store/in-chain network; or map the many hops that card data will make in a Tier 4 e-commerce merchant, through a checkout provider, possibly to an ISO and acquirer, but also a fulfillment agent, a third party customer service provider and, why not, a combined loyalty program. Controlling the devices, network, applications and processes of each of these suppliers is a task of Herculean proportions. While PCI attempted to solve this, its cottage industry has itself become part of the equation, as the Heartland case so aptly showed.

6. Cost of compromises is escalating:
Beyond the cost of fraud lies the cost of compromise management. Industry analysts estimate that only single digit percentages of compromised accounts are actually used in fraudulent transactions. Nonetheless, issuers are put in a position of having to remediate all of these accounts. Reissuance, tighter authorization controls, and compliance with identity protection laws and regulations don’t just create direct costs; they also seed doubt in the minds of affected consumers, drive up customer service calls and costs, and impact activation and usage of affected accounts. One industry source recently told me the incremental cost of managing a compromised account was as high as $8 / year.

7. Attackers are becoming increasingly sophisticated:
20 years ago, card fraud was largely an art. Today it is a science and a business. Hackers gathered information from TJX for close to 2 years before accounts were used for fraud. Around the same time, fraudsters installed professional grade skimming devices on ATMs in Canada. Criminals are also known to have created online marketplaces for selling and trading compromised accounts. In the UK, as EMV cards were deployed, fraud shifted rapidly to online and cross-border transactions. It is not that the payment networks have not labored to build their own set of tools and technology – witness the sophistication of neural networks and real time scoring systems – but that would-be attackers can ever more easily get access to the knowledge and technology to carry out their deeds, and are often organized in complex rings.

If your head is spinning, welcome to the club, where more than one Risk Management executive lives, wondering what next “surprise” will cost his or her job. Not long ago Sun Tzu’s “The Art of War” was a source of inspiration to business strategists. I would suggest that guidance for securing transactions may well be found in military writings on counteracting insurgencies. Fifty years ago Sir Robert Thompson, the father of modern counter-insurgency, described how only holistic strategies could countermand guerrilla warfare. Translated into our context, this would mean conceiving not only new technologies but also economic incentives, legal and regulatory tools, cross-industry collaboration, public-private partnerships, and empowerment of consumers and merchants, tied together with a heavy use of intelligence/information systems. The investment is anything but trivial. However, this is not an academic issue: as the iPad’s growing number of novel apps suggests, we continue to barrel down the path of an economy of bits and bytes. Securing electronic payments is fundamental to our future growth.

In my next post I will compare and contrast in that light various proposals for securing payment transactions.

Agree / Disagree? Contact me at patrick.gauthier@faultlinecommerce.com or twitter/PRGauthier

Patrick Gauthier is a payment industry executive with 20 years of experience in developing, selling and deploying new technologies for payment and commerce around the world, most notably as Senior Vice President, Innovation at Visa International. He currently provides management consulting services on mobile commerce and e-payments.