
"How is PCI Like the Common Cold?"

Dear Editor:

Scientific studies find there are more than 100 different viruses that cause the common cold. There are at least as many different ways to attack a credit card transaction network. From the point where the card is initially swiped, processed through an electronic point-of-sale (EPOS) system, transmitted over an authorization network, and finally stored on an application server, there are hundreds of ways to compromise the integrity of the transaction. Every attack point has a different vulnerability, and the fraudster only needs to find one weak spot to compromise the health of the process.

Colds are usually caused by someone forgetting to cover their nose and mouth during a sneeze or by opening a door previously touched by an infected person. Likewise, credit card fraud is usually aided by trusting users, careless network administrators or inattentive cashiers. PCI DSS, the Payment Card Industry Data Security Standard, will prove as elusive a cure for cardholder data loss as any cure for the common cold.

Credit card security attacks may come at any time and from many sources. A recent PCI DSS training session identified some of the common attacks on cardholder networks. Some of the high-tech attacks come from skimmers attached to card readers and, more commonly, from SQL injection against the applications that store cardholder data. The instructor made the statement that "80 percent of all attacks, by incident, are aimed at Level 4 (small) merchants."
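The SQL injection the instructor mentioned, as an added example that is not part of the original letter: a toy order lookup against a constructed SQLite table of orders, written once with string concatenation and once with a bound parameter, plus a PAN masking helper. The table name, columns, sample rows and the payload are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for a toy EPOS back-office "orders" table.
# The PANs are standard test numbers, not real cards.
SAMPLE_ROWS = [
    ("ORD-1001", "4111111111111111", "12/09"),
    ("ORD-1002", "5500000000000004", "03/10"),
    ("ORD-1003", "340000000000009", "07/10"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Order lookup built by string concatenation: the caller's input becomes
    part of the SQL text, so quotes and keywords in it are executed as SQL."""
    sql = "SELECT order_id, pan, expiry FROM orders WHERE order_id = '" + order_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, order_id):
    """Same lookup with a bound parameter: the value travels separately from
    the statement, so the input is only ever compared as a string."""
    sql = "SELECT order_id, pan, expiry FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def mask_pan(pan):
    """Render a PAN as first six and last four digits only (the most PCI DSS
    permits to display), so a leaked row does not carry a usable card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# A classic tautology payload typed into the "order id" field of a lookup form.
INJECTION = "x' OR '1'='1"


def demo():
    """Run the normal lookup, the injected lookup against both versions, and
    show what the attacker gets if only masked PANs were stored."""
    conn = build_db()
    return {
        "normal": lookup_vulnerable(conn, "ORD-1001"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTION),
        "injected_parameterized": lookup_parameterized(conn, INJECTION),
        "masked": [mask_pan(pan) for _, pan, _ in lookup_vulnerable(conn, INJECTION)],
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated query turns the payload into `WHERE order_id = 'x' OR '1'='1'` and returns every row in the table; the parameterized query returns nothing, because the same text is compared as a literal order id. Masking (or not storing the full PAN at all) is the second layer: even a successful dump then yields no numbers a fraudster can use.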

The card associations (Visa, MasterCard, Discover and American Express) could be commended for creating standard guidelines that should be followed by anyone storing any personal information, including cardholder data. Although PCI DSS has not been presented as a 100 percent solution, the standard offers sensible and practical guidelines against the most frequent and best-understood attacks.

PCI guidelines will surely evolve over time as fraudsters find new ways to infect the process. Merchants large and small are taking the required action to adhere to the standard. The recent Hannaford case (a security breach at the Delhaize-owned supermarket chain earlier this year) demonstrates how vulnerable large merchants can be. The company made the effort to obtain PCI compliance yet was still compromised. Small merchants should do their part as well; however, they generally lack the sophistication to understand what PCI means, much less to comply with the requirements. Small Level 4 merchants already bear an unfair burden in the PCI process and will need to rely heavily on vendors. EPOS vendors are helping to inoculate the process, and more of them are meeting the Payment Application Best Practices (PABP) standard. Perhaps it is time for issuers to move to secure stripe cards (offered by such firms as QSequre and Privasys) that offer a more sensible and effective layer of protection for their customers.

Perhaps the cure is to cut your nose off; after all, that is where colds usually attack. Silly answer? Maybe. If a credit/debit card number were used only once and then thrown away, or were valid for a single use before changing with the next use, it would have no value to a fraudster. Several firms already offer this technology. These solutions seem to have the most promise as "the cure" for card fraud.
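A simplified model of the single-use number idea, added here as an illustration and not a description of QSequre's or Privasys's products: the card derives a fresh code from a per-card secret and a swipe counter, and the issuer accepts each counter value exactly once, so data copied at the swipe is worthless once the issuer has seen it. The HMAC construction, the counter window and all names are assumptions.

```python
import hashlib
import hmac


def one_time_code(key, counter, digits=6):
    """Derive the code a card emits for a given swipe counter: a truncated
    HMAC over the counter, reduced to `digits` decimal digits. Assumed
    construction for illustration, not any vendor's scheme."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class DynamicCard:
    """Hypothetical card that writes a fresh code to its stripe on every swipe."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key          # per-card secret shared only with the issuer
        self.counter = 0

    def swipe(self):
        """Data the terminal reads on one swipe: PAN, swipe counter, one-time code."""
        self.counter += 1
        return (self.pan, self.counter, one_time_code(self.key, self.counter))


class Issuer:
    """Issuer host that authorizes each swipe counter at most once."""

    def __init__(self):
        self.cards = {}         # pan -> [key, highest counter already authorized]

    def enroll(self, pan, key):
        self.cards[pan] = [key, 0]

    def authorize(self, pan, counter, code, window=5):
        record = self.cards.get(pan)
        if record is None:
            return "DECLINE: unknown card"
        key, last_seen = record
        if counter <= last_seen:
            # This code (or an older one) has already been spent: a replay.
            return "DECLINE: replay"
        if counter > last_seen + window:
            # Too far ahead: tolerate a few swipes that never reached us, no more.
            return "DECLINE: counter out of window"
        if not hmac.compare_digest(one_time_code(key, counter), code):
            # PAN is known but the code was not derived from the card's key.
            return "DECLINE: bad code"
        record[1] = counter
        return "APPROVE"


def demo():
    """One legitimate swipe, then two things a fraudster holding the skimmed
    track data can try: replay it, or use the PAN with a made-up code."""
    key = b"constructed per-card secret, provisioned at personalization"
    card = DynamicCard("4111111111111111", key)   # test PAN, not a real card
    issuer = Issuer()
    issuer.enroll(card.pan, key)

    captured = card.swipe()                          # a skimmer copies this swipe
    legit = issuer.authorize(*captured)              # "APPROVE"
    replay = issuer.authorize(*captured)             # "DECLINE: replay"
    pan_only = issuer.authorize(card.pan, captured[1] + 1, "")  # "DECLINE: bad code"
    next_swipe = issuer.authorize(*card.swipe())     # "APPROVE": the card moves on
    return legit, replay, pan_only, next_swipe


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. First, this stops replay, not a race: if the fraudster presents the skimmed data before the legitimate authorization arrives (a batch or offline capture, for example), the fraud is approved and the cardholder's own transaction is declined, which is noticed quickly but not prevented. Second, the scheme only works if the stripe can be rewritten on every swipe and every card carries its own key at the issuer, which is exactly the production-cost question raised next.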

However, one constraint on these solutions is the expense to issuers, as card production costs would rise from pennies per card to considerably more. Recent estimates put a bank's cost to reissue a card at $15 and the loss to merchants at as much as $197 per card. Measured against those figures, the initial cost of fraud-resistant physical credit cards may not be so expensive. Viable secure stripe solutions already exist, and credit card issuers should pursue them. It seems a small price to pay to protect themselves and their customers. Eliminate the source and the disease could be nearly eradicated.

-- George Odencrantz, vice president of IT & Greg Iverson, marketing manager; Sinclair Oil Corp.