About a year ago security at Heartland Payment Systems Inc. was breached and information affecting more than 100 million credit cards stolen. Was it Heartland’s fault, or should the credit card companies shoulder more of the responsibility?
What do you think?
The experts: Phil Lieberman, CEO of Lieberman Software, argues that Heartland met its legal obligations and the breach was not the company’s fault, but rather due to the lack of smart card technology that credit card issuers refuse to issue in the United States.
Henry Helgeson, CEO of Merchant Warehouse, argues that it’s the job of merchant account providers like his company (and Heartland), to take the security measures necessary to prevent breaches, but enhancing existing cards could help.
Last year’s infamous Heartland breach should be a wakeup call that it is time for credit card issuers to step up and address the security issue that exists in this country with respect to protecting customer information.
A perfectly good solution is being used in other countries to minimize Card Not Present (CNP) fraud and card cloning: smart cards. This solution is not available to American consumers, merchants or credit card processors because card issuers have not been mandated by the U.S. government to implement it.
The current environment for both merchants and credit card processors with respect to security and liability represents a Catch-22. A perverse set of conflicting agendas and disproportionate power has created an insecure financial environment for credit card processing. Card issuers are able to transfer all liability for credit card losses to merchants and processors even though they have the ability to stop almost all losses from fraud and account disclosure.
Because card issuers are not liable for losses that stem from their use of static cards (which are much cheaper than Smart Cards), they have chosen not to modernize their card infrastructure. That punishes merchants and processor companies such as Heartland which can do nothing to protect what cannot be protected: static credit card numbers and static CVV codes (the three- or four- digit numbers printed on the card).
For the merchants and processors, the lack of investment in Smart Card technologies by card issuers has left everyone with the unsound security strategy of "hope".
Every day merchants and processors hope criminal hackers don’t target them, their systems, or their employees, knowing that if hope runs out they will pay for any breaches, even though no fundamental and permanent solutions are available for them to fight back. The credit card issuers don’t care about the cost of compromised cards because they can simply fine everyone else with arbitrary judgments and without government oversight.
In the case of the Heartland breach, where intruders hacked into the systems used to process 100 million payment card transactions per month for 175,000 merchants and recorded credit card and CVV numbers from an internal data stream, Smart Card technology would have rendered the whole endeavor useless.
Smart Cards generate unique one-time only responses to financial transaction requests from the banks that issue the cards, so the data stolen would no longer be valid. The cards are also locked with a PIN code, so even the physical loss of cards is a non-event. The data transmitted should be encrypted, but it does not have to be because the data stream is only good for one transaction. Attempts to use the same data a second time simply does not work.
While the industry has embraced the PCI-DSS security standards in an effort to safeguard sensitive customer credit card information, unfortunately PCI-DSS does not deal with sophisticated attacks, nor does it provide any sort of safe-harbor for those that implement it.
To protect against sophisticated attacks, all organizations conducting credit card transactions must implement more complex security strategies and technologies such as network sensors, heuristic traffic analysis, and conduct constant security auditing of their systems, traffic and personnel. And even if all of these efforts are undertaken, there is still no safe harbor.
The solution to Heartland-type problems is simple. First, mandate Smart Card technology for all credit card transactions and bring the United States into conformance with all other countries with respect to stopping fraud at its source: static credit card numbers.
And second, transfer the liability back to the credit card issuers unless the merchant and processor are culpable in the breach due to malfeasance. Culpability should be decided by a court of law.. Let the government, not the credit card issuers, decide whether fining merchants and processors is the correct course of action. This will remove the perverse incentive system that allows credit card issuers to run insecure systems and transfer their liabilities to others.
If the U.S. government were to mandate that credit card issuers be responsible for losses due to fraud that inherently stems from the use of static credit cards, the transition to Smart Card technology would be a de facto decision and this type of crime and liability would be eliminated in less than a year. Until the government mandates a change in liability and an improvement in technology, the beating of the innocent (Heartland and others) will continue.
Last year’s infamous Heartland breach should be a wakeup call that it is time for credit card issuers to step up and address the security issue