The Evolving Security of Credit Cards

Another breach of consumer credit card information was reported by Hudson’s Bay, the owner of Lord and Taylor and Saks stores.  Hudson’s Bay said “it was the victim of a security breach that compromised data from payment cards that had been used at some stores in North America,” and that it had “taken steps to contain the breach.”  Hudson’s Bay made no mention of how many cards were affected or how the breach was “contained.”

Hudson’s Bay was not alone.  In the same week, Panera Bread announced that the personal information of some loyalty program customers had been left exposed on its website for 8 months.  Delta Airlines and Sears announced that a contractor providing customer services exposed credit card information from hundreds of thousands of customers about six months ago.  Sears and Delta offered the usual meaningless apologies, hoping that few customers would be attacked through their exposed credentials.

Far too often, incompetent contractors and slovenly corporate security leave consumers exposed to cybercrime, despite solid progress in credit card payment technology.

Signature and no real time electronics. Not long ago, standard merchant practice was to take a credit card impression, then ask for the customer’s signature on that impression.  If the signature was compared with the signature on the back of the card, the merchant sometimes discovered a mismatch.  But often, fraud was detected only after batches of the credit card slips were physically presented to the merchant’s bank.

Real time electronics, magnetic stripe.  When magnetic stripes were added to cards, the stripe contained card and cardholder information.  That information along with the transaction amount was transmitted to the card issuer for authorization. If the merchant asked for a signature, that slowed purchase processing but added a veneer of security.

Real time electronics, magnetic stripe and PIN.  Some card issuers used magnetic striped cards and required customers to manually enter a PIN at a credit card checkout keypad.  The PIN was sent along with the magnetic stripe-stored information.  PINs can add to security, but forgotten PINs can slow progress in the checkout line.

Real time electronics, chip and sometimes PIN.  By 2012, card issuers began including a “chip” (small computer) in their cards.  They included a magnetic stripe to be backward compatible with merchants who lacked chip processing gear at the checkout.  The chip interacts with the cardholder’s bank using “a dynamic cryptogram” to validate the card and cardholder account, but it does not verify that the person presenting the card is the authorized user.  Inclusion of a PIN cuts the chance of card use by a fraudster.  Unlike US card networks, most European credit card networks require a PIN.  Merchants can undermine security if they retain records of PINs where they can be stolen by hackers.
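To show why a dynamic cryptogram resists the replay that static magnetic-stripe data allows, here is an added illustration (not from the original article, and a deliberate simplification, not EMV’s actual algorithm): the chip computes a keyed hash over a transaction counter, the amount and a terminal nonce, and the issuer rejects anything it has seen before or that does not verify. The per-card key and nonce values are constructed samples.

```python
import hmac
import hashlib

# Hypothetical per-card secret shared by the chip and the issuer (constructed sample).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def chip_cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Simplified stand-in for the chip's dynamic cryptogram: an HMAC over the
    application transaction counter (ATC), the amount and a terminal nonce.
    A magnetic stripe, by contrast, sends the same static bytes every time."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer-side check: counter must advance and cryptogram must verify.
    Note what is NOT checked: who is holding the card. That is the PIN's job."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0  # highest counter value seen for this card

    def authorize(self, atc: int, amount_cents: int, nonce: bytes, cryptogram: bytes) -> str:
        if atc <= self.last_atc:
            return "DECLINE: replayed counter"
        expected = chip_cryptogram(self.key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: bad cryptogram"
        self.last_atc = atc
        return "APPROVE"


def demo() -> tuple:
    issuer = Issuer(CARD_KEY)
    nonce = bytes.fromhex("deadbeef")  # terminal-chosen value; constructed sample
    c1 = chip_cryptogram(CARD_KEY, 1, 4999, nonce)
    r1 = issuer.authorize(1, 4999, nonce, c1)  # genuine first use
    r2 = issuer.authorize(1, 4999, nonce, c1)  # captured and replayed verbatim
    r3 = issuer.authorize(2, 4999, nonce, c1)  # counter bumped, cryptogram stale
    c2 = chip_cryptogram(CARD_KEY, 2, 9999, nonce)
    r4 = issuer.authorize(2, 9999, nonce, c2)  # fresh, valid transaction
    return (r1, r2, r3, r4)
```

Only the transaction with a fresh counter and a matching cryptogram is approved; a copied cryptogram is useless on its own, which is the property stripe data lacks.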

Card Not Present.  Merchants usually accept an unseen credit card for an online, mail or phone purchase.  To increase the odds that an online purchaser is actually who he/she claims to be, they either require the purchaser to have a pre-existing account, or to tediously enter information (full name, address, billing address, phone number and email address), which the merchant can electronically cross-check against the name offered.  It’s not a perfect vetting, but it will reduce the success rate for fraudsters who have not done enough research.

Visa reports that “Although only 59 percent of US storefronts have terminals that accept chip cards, fraud has dropped 70 percent from September 2015 to December 2017 for those retailers that have completed the chip upgrade.”  A 70 percent reduction in card fraud probably justifies revamping the electronics at checkouts.

The growth of online purchases (using Card Not Present payments) calls for progress in protecting consumers.  Protection can come from adopting second- or third-factor authentication for online purchase transactions.

Biometric tools (finger print, or an iris scan) may offer another layer of authentication but they require specialized image capture equipment at the cardholder’s location.  Few laptops and smartphones include fingerprint readers.

Additional authentication can come from geolocation.  For example, the card issuer can detect that a cardholder-owned mobile device is present at the point of sale.  Or, for a Card Not Present transaction, the card issuer can send a one-time PIN to the cardholder’s mobile phone and require that the purchaser give the merchant that one-time PIN to complete the purchase transaction.
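The one-time PIN flow described above, as an added example that is not part of the original article: an issuer-side service that generates the PIN with a CSPRNG, binds it to one transaction, and enforces expiry, an attempt limit and single use. Transaction ids, the three-minute lifetime and the injectable clock are assumptions made for the illustration.

```python
import hmac
import secrets
import time


class OneTimePinService:
    """Issuer side of a Card Not Present one-time PIN challenge (illustrative design)."""

    def __init__(self, ttl_seconds: int = 180, max_attempts: int = 3, now=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.now = now  # injectable clock so expiry can be exercised deterministically
        self.pending = {}  # transaction id -> [pin, expiry, attempts]

    def issue(self, txn_id: str) -> str:
        pin = f"{secrets.randbelow(10**6):06d}"  # six digits from a CSPRNG
        self.pending[txn_id] = [pin, self.now() + self.ttl, 0]
        return pin  # delivered to the cardholder's phone, never to the merchant

    def verify(self, txn_id: str, candidate: str) -> str:
        entry = self.pending.get(txn_id)
        if entry is None:
            return "DECLINE: no pending challenge"
        pin, expiry, attempts = entry
        if self.now() > expiry:
            del self.pending[txn_id]
            return "DECLINE: expired"
        if attempts >= self.max_attempts:
            del self.pending[txn_id]
            return "DECLINE: too many attempts"
        entry[2] += 1
        if not hmac.compare_digest(pin.encode(), candidate.encode()):
            return "DECLINE: wrong PIN"
        del self.pending[txn_id]  # single use: a relayed PIN cannot be spent twice
        return "APPROVE"


def demo() -> tuple:
    clock = [1000.0]  # constructed fake clock
    svc = OneTimePinService(now=lambda: clock[0])
    pin = svc.issue("txn-1")
    wrong = "000000" if pin != "000000" else "111111"
    r1 = svc.verify("txn-1", wrong)  # one bad guess
    r2 = svc.verify("txn-1", pin)    # cardholder relays the real PIN
    r3 = svc.verify("txn-1", pin)    # same PIN presented again
    pin2 = svc.issue("txn-2")
    clock[0] += 181                  # past the lifetime
    r4 = svc.verify("txn-2", pin2)
    return (r1, r2, r3, r4)
```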

Mobile phones’ role need not be limited to providing location information.  Mobile phones can securely transmit personal information and access online bank accounts.  We should expect that smartphones will soon become a secure substitute for credit cards, but merchants will still need to secure their records.
