Community
In the early 2000s when the internet was still young, Visa, MasterCard and the other major payment card schemes had a choice. They could create a system that made using credit/debit cards on the internet safe, or they could rely on the unguessability of the card number. As we all know: they chose the latter.
In 2004, with online fraud becoming an issue, the five major card schemes, Visa, MasterCard, American Express, Discover, and JCB (Japan Credit Bureau), formed the Payment Card Industry Security Standards Council (PCI SSC) and later that year, in an effort to secure card numbers, they produced the first version of the PCI DSS (Data Security Standard).
So was born a multi-billion dollar industry built around protecting the card numbers of the large card schemes. Protection which is paid for by every merchant that accepts card payments and every processor who supplies the technology and, indirectly, by every card holder. Merchants, processors etc. must recoup their PCI DSS compliance cost or their businesses wouldn’t be viable, hence they increase the cost of the goods and services which they offer consumers. This is all because the card schemes shied away from implementing effective security from the beginning.
The card schemes failed to face up to the major security problems when there was still time to do something about it. Back in 2005 after the first major card breach at Card Systems International, when 40 million cards were compromised, highlighted the inadequacy of trying to protect the card number and keep the secret.
It is hard to overestimate the size of the effort that is required to protect the ridiculous secret of the card number! Every call centre must ensure that representatives cannot write down a card number, the phone call recording systems that they use must have cutouts so that the card number and CVV are not accidentally recorded. The computer systems and networks which card storing, processing and transmitting software runs on must be audited annually to ensure PCI DSS Level 1 certification. The cost incurred by companies to become and remain PCI DSS compliant can be very high. Depending on the level of card transactions which a company processes, annual costs can range from $50k – $250k for audits and to remain compliant. However, becoming compliant initially can cost up to $1 million.
These costs are born from the inadequacies in the systems provided by the card schemes and are paid by all those who use these flawed systems.
The card schemes do not bear any of the risks associated with their inefficient systems. The risk of data breaches sits with the merchant. 90% of data breaches impact small merchants, which on average costs each more than $36k. The cost to larger companies can be vast. In 2013 Target was the subject of a data breach at its bricks-and-mortar stores in the US. 40 million credit/debit cards became subject to potential fraud after malware was introduced into the POS terminal system at almost 1,800 stores. The total cost to Target has exceeded $300m. Home Depot had a similar data breach in 2014, when hackers infiltrated its self-service check-out terminals at its 1,900 plus stores. 56 million cards were compromised, costing the company in excess of $179m to date.
Such is the value of the secret.
Is this a secret that is possible to keep? In short, No. The usual 16 digit card number is made up of 6 digits called an Issuer Identification Number (IIN) which is assigned to the financial institution which issues the card – the Issuer. The Issuer will often use the next 2 digits to define the card programme (defining the cardholder’s transaction fees and limits). The last digit is a check digit and is derivable from the first 15. Therefore, there are only 7 digits that must be guessed.
If you have access to a 10 million strong bot-net, exactly how many guesses do you think it would take to guess every single possible card number within one card program? Answer, 1. With a bot-net of that size you could guess each and every possible card number within one card program with one guess from each bot.
So what is the alternative?
To create a new payment network that is fit for the modern age and doesn’t involve cards. IMPOSSIBLE! I hear you cry? Not so. There is a way, and it will fix many of the other ills facing the banking industry today while it’s at it.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Kunal Jhunjhunwala Founder at airpay payment services
22 November
David Smith Information Analyst at ManpowerGroup
20 November
Konstantin Rabin Head of Marketing at Kontomatik
19 November
Ruoyu Xie Marketing Manager at Grand Compliance
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.