In the early 2000s, when the internet was still young, Visa, MasterCard and the other major payment card schemes had a choice. They could create a system that made using credit/debit cards on the internet safe, or they could rely on the unguessability of the card number. As we all know, they chose the latter.
In 2004, with online fraud becoming an issue, the five major card schemes, Visa, MasterCard, American Express, Discover and JCB (Japan Credit Bureau), formed the Payment Card Industry Security Standards Council (PCI SSC), and later that year, in an effort to secure card numbers, they produced the first version of the PCI DSS (Data Security Standard).
So was born a multi-billion dollar industry built around protecting the card numbers of the large card schemes. That protection is paid for by every merchant that accepts card payments, by every processor who supplies the technology and, indirectly, by every card holder. Merchants, processors etc. must recoup their PCI DSS compliance cost or their businesses wouldn't be viable, hence they increase the cost of the goods and services which they offer consumers. This is all because the card schemes shied away from implementing effective security from the beginning.
The card schemes failed to face up to the major security problems when there was still time to do something about it. Back in 2005, the first major card breach, at Card Systems International, in which 40 million cards were compromised, highlighted the inadequacy of trying to protect the card number and keep it secret.
It is hard to overestimate the size of the effort that is required to protect the ridiculous secret of the card number! Every call centre must ensure that representatives cannot write down a card number, and the phone call recording systems that they use must have cutouts so that the card number and CVV are not accidentally recorded. The computer systems and networks on which card storing, processing and transmitting software runs must be audited annually to ensure PCI DSS Level 1 certification. The cost incurred by companies to become and remain PCI DSS compliant can be very high. Depending on the level of card transactions which a company processes, annual costs can range from $50k – $250k for audits and to remain compliant. However, becoming compliant initially can cost up to $1 million.
These costs are borne of the inadequacies in the systems provided by the card schemes and are paid by all those who use these flawed systems.
The card schemes do not bear any of the risks associated with their inefficient systems. The risk of data breaches sits with the merchant.
90% of data breaches impact small merchants, costing each on average more than $36k. The cost to larger companies can be vast. In 2013 Target was the subject of a data breach at its bricks-and-mortar stores in the US. 40 million credit/debit cards became subject to potential fraud after malware was introduced into the POS terminal system at almost 1,800 stores. The total cost to Target has exceeded $300m.
Home Depot had a similar data breach in 2014, when hackers infiltrated the self-service check-out terminals at its 1,900-plus stores. 56 million cards were compromised, costing the company in excess of $179m to date.
Such is the value of the secret.
Is this a secret that is possible to keep? In short, no. The usual 16-digit card number is made up of 6 digits called an Issuer Identification Number (IIN), which is assigned to the financial institution which issues the card – the Issuer. The Issuer will often use the next 2 digits to define the card programme (defining the cardholder's transaction fees and limits). The last digit is a check digit and is derivable from the first 15. Therefore, there are only 7 digits that must be guessed.
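To make the structure above concrete, here is an added example (not code from the original article) that splits a 16-digit number into the fields just described and derives the check digit with the Luhn mod-10 algorithm, which is what makes the last digit predictable from the first 15. The sample numbers are constructed placeholders, not real cards or IINs, and the 2-digit programme field is an assumption taken from the text.

```python
# Added illustration of the card-number structure: a 6-digit IIN, 2 programme
# digits, 7 account digits and a Luhn (mod 10) check digit.
# All sample numbers below are constructed; none is a real card or IIN.

def luhn_check_digit(payload: str) -> int:
    """Return the digit that makes payload + digit pass the Luhn test."""
    total = 0
    # Walk from the right: every second digit, starting with the rightmost
    # payload digit, is doubled; doubled values above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the whole number (payload + check digit) passes the Luhn test."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def decompose(pan: str) -> dict:
    """Split a 16-digit PAN into the fields the article describes."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    return {
        "iin": pan[:6],          # Issuer Identification Number
        "programme": pan[6:8],   # card programme (assumed 2 digits, as in the text)
        "account": pan[8:15],    # the only digits that are not predictable
        "check": pan[15],        # Luhn digit, derivable from the first 15
        "valid": luhn_valid(pan),
    }


def guessable_space(pan_length: int = 16, iin_digits: int = 6, programme_digits: int = 2) -> int:
    """Number of distinct PANs within one card programme (one check digit per prefix)."""
    free_digits = pan_length - iin_digits - programme_digits - 1
    return 10 ** free_digits


if __name__ == "__main__":
    prefix = "12345678" + "1234567"           # constructed IIN + programme + account
    pan = prefix + str(luhn_check_digit(prefix))
    print(pan, decompose(pan), guessable_space())
```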
If you have access to a 10 million strong bot-net, exactly how many guesses do you think it would take to guess every single possible card number within one card programme? Answer: 1. With a bot-net of that size you could guess each and every possible card number within one card programme with one guess from each bot.
So what is the alternative?
To create a new payment network that is fit for the modern age and doesn’t involve cards. IMPOSSIBLE! I hear you cry? Not so. There is a way, and it will fix many of the other ills facing the banking industry today while it’s at it.