In the early 2000s when the internet was still young, Visa, MasterCard and the other major payment card schemes had a choice. They could create a system that made using credit/debit cards on the internet safe, or they could rely on the unguessability of the card number. 3D Secure (3DS), the internet authentication protocol, was introduced to help protect online business and cardholders against online fraud.
The technology is sound and could eliminate a significant proportion of online fraud, but it has been implemented half-heartedly. There are two main issues resulting from this:
1). Implementation of the protocol has been left to individual card issuers, which have tended to create an inconvenient user experience, which merchants have identified as reducing their sale conversion rates.
2). The card schemes have encouraged online merchants to adopt the protocol, but along with issuers have not enforced its adoption.
Cardholders often have a choice to shop online at merchants which don’t enforce 3DS over those that do. Merchants have to find the right balance between fraud prevention and converting visits into sales. However, if cardholders don’t have a choice, i.e. 3DS was mandatory, they would put up with it. After all, PayPal has never had any problems or customer resistance to user authentication requests when making an online payment. Why should this be a deal-breaker for the banks? PayPal users have always been required to login with a username and password, they have no choice.
3DS 2.0, released in October 2016, seeks to address the first of these issues, providing a solution which can be implemented consistently across multiple platforms and digital media. However, it does not appear that the second issue has been addressed. If 3DS is not enforced by an online merchant, card security is effectively left to the unguessability of the card number.
In 2004 the five major card schemes, Visa, MasterCard, American Express, Discover, and JCB (Japan Credit Bureau), formed the Payment Card Industry Security Standards Council (PCI SSC), an independent entity that governs the standards relating to the payment card industry. In December 2004 the PCI SSC released the first version (1.0) of a unified Payment Card Industry Data Security Standard (PCI DSS).
So was born a multi-billion dollar industry built around protecting the card numbers of the large card schemes. Protection which is paid for by every merchant that accepts card payments and every processor who supplies the technology and indirectly by every consumer. Merchants, processors etc. must recoup their PCI DSS compliance cost or their businesses wouldn’t be viable, hence they increase the cost of the goods and services which they offer consumers. This is all because the card schemes shied away from implementing effective security from the beginning.
The card schemes failed to face up to the major security problems when there was still time to do something about it. Back in 2005 after the first major card breach at Card Systems International, when 40 million cards were compromised, highlighted the inadequacy of trying to protect the card number and keep the secret.
It is hard to overestimate the size of the effort that is required to protect the ridiculous secret of the card number! Every call centre must ensure that representatives cannot write down a card number, the phone call recording systems that they use must have cutouts so that the card number and CVV are not accidentally recorded. The computer systems and networks which card storing, processing and transmitting software runs on must be audited annually to ensure PCI DSS Level 1 certification. The cost incurred by companies to become and remain PCI DSS compliant can be very high. Depending on the level of card transactions which a company processes, annual costs can range from $50k – $250k for audits and to remain compliant. However, becoming compliant initially can cost up to $1 million. These costs are born from the inadequacies in the systems provided by the card schemes and are paid by all those who use these flawed systems.
The card schemes do not bear any of the risks associated with their inefficient systems. The risk of data breaches sits with the merchant. 90% of data breaches impact small merchants, which on average costs each more than $36k. The cost to larger companies can be vast. In 2013 Target was the subject of a data breach at its bricks-and-mortar stores in the US. 40 million credit/debit cards became subject to potential fraud after malware was introduced into the POS terminal system at almost 1,800 stores. The total cost to Target has exceeded $300m. Home Depot had a similar data breach in 2014, when hackers infiltrated its self-service check-out terminals at its 1,900 plus stores. 56 million cards were compromised, costing the company in excess of $179m to date.
Such is the value of the secret.
Is this a secret that is possible to keep? In short, No. The usual 16 digit card number is made up of 6 digits called an Issuer Identification Number (IIN) which is assigned to the financial institution which issues the card – the Issuer. The Issuer will often use the next 2 digits to define the card programme (defining the cardholder’s transaction fees and limits). The last digit is a check digit and is derivable from the first 15. Therefore, there are only 7 digits that must be guessed.
If you have access to a 10 million strong bot-net, exactly how many guesses do you think it would take to guess every single possible card number within one card program? Answer, 1. With a bot-net of that size you could guess each and every possible card number within one card program with one guess from each bot.
So what is the alternative?
To create a new payment network that is fit for the modern age and doesn’t involve cards. IMPOSSIBLE! I hear you cry? Not so. See my upcoming blog on payment networks…