According to the Nilson Report, global credit and debit card fraud resulted in losses amounting to $21.84 billion during 2015. Losses have increased every year since 2002. While the majority of these losses are charged to the card issuers, the cost is passed along to the consumer in the form of interest charges and fees. (See sources and other statistics at WalletHub.)
Moreover, we have seen the growth of an illegal industry attacking and stealing personally identifiable information, and monetizing that information using credit and debit card account numbers, ATMs, and e-commerce. In the market place of this industry it is possible to buy active primary account numbers and authenticating data. The size and complexity of this industry makes it all but impossible to estimate its cost to the legitimate economy.
Given the number of enterprises collecting, communicating, and retaining this data, some leakage is inevitable. However, it is the ability to monetize the data that supports the illegal trade and which motivates many of the active attacks. While we have seen some arrests and convictions in the illegal industry, many of these attacks and the fraudulent use of the data are going unpunished.
It is the author's assertion that one means of reducing this illegal trade is to reduce the storage and use of primary credit and debit card account numbers. Specifically, we propose the elimination of the primary account numbers on the face of the card, the magnetic stripe, in the transaction, and in storage on merchant sites; all of these uses to be replaced by physical and digital tokens. In most cases, the Payment Authorization Number (PAN) should be a digital token rather than the primary account number. We assert that the financial technology and payment card industries already know how to do this, that there are demonstration projects ongoing, and that much of the necessary infrastructure to do this is already in place.
The new Apple credit card is an example of a physical token that hides the primary account number. Contactless EMV cards and mobile wallets are examples of digital tokens at transaction time. While the current practice is to put the primary account number in the clear, both in text on the face of the card and on a magnetic stripe, this is for purposes of backwards compatibility, is archaic and unnecessary, and, in the light of the problem outlined above, should be eliminated.
Some merchants have already replaced the primary credit card account number in their customer record with a digital token. While this may add a little cost it reduces the risk of attacks against their systems and that the account number can be compromised in a breach.
PayPal, Masterpass, AmEx Express Pay, Apple Pay, and Visa Checkout are all examples of services for authorizing e-commerce payments without the use of the credit or debit card account numbers. These systems not only guarantee the merchant payment but transfer the cost and risk of authenticating the customer name and address to the service provider. While the services may marginally increase the transaction cost to the merchant, this is more than offset by the reduction of risk. These services also reduce the risk to the consumer of the leakage and fraudulent use of his account numbers.
We recommend the following:
The elimination of the magnetic stripe from all newly issued credit or debit cards
The use of one-time Payment Authorization Numbers (PANs) throughout the payment system
The replacement of primary account numbers with one-time payment authorization numbers in e-commerce
The replacement of primary account numbers with digital tokens in merchant systems storage
The replacement of mag-stripe and PIN at ATMs with EMV
Preference for digital wallets at point-of-sale and ATMs
The elimination of the primary account number in text on the face of cards
Preference for EMV cards with biometrics, for convenience and security
These recommendations are intended to address the systematic problems in the retail payment system. They are independent of one another and each can be implemented, in whole or in part, by itself. However, they do complement one another and collectively are necessary to the greatest effectiveness. The first is the most important and the only one for which there are no trials or demonstrations. Every little bit will help.
We recognize that implementation of these recommendations will take time, but it is urgent and should be done within 3-5 years. While we believe that these recommendations are self-justifying, we recommend that mechanisms like the Payment Card Industry Data Security Standards and California and New York legislation be used to add motivation as necessary.
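The two recommendations that touch merchant systems most directly, replacing stored primary account numbers with digital tokens and using one-time payment authorization numbers in the transaction, can be illustrated with a small model. The following Python is an added example, not code from the original post or from any payment network: the token vault, the random numeric one-time numbers, the 300-second default lifetime and the test card number 4111111111111111 (a well-known Luhn-valid test value, not a real account) are all constructed for illustration. The vault stands in for the token service provider; the merchant record holds only the opaque token, and a Luhn-based scan of that record is the kind of data-at-rest check a merchant can use to confirm that no live account number remains.

```python
"""Merchant tokenization and one-time payment authorization numbers (added example)."""
from __future__ import annotations

import re
import secrets
import time
from dataclasses import dataclass

# Candidate card numbers are 13 to 19 digit runs (ISO/IEC 7812 length range).
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Scan a stored field and return anything that looks like a live account number."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


@dataclass
class OneTimePAN:
    token: str          # the stored token this one-time number was issued for
    expires_at: float   # clock value after which the number is rejected
    used: bool = False  # set on first authorization; a second use is a replay


class TokenVault:
    """Runs at the token service provider. The merchant never sees `_pans`."""

    def __init__(self, clock=time.time):
        self._pans: dict[str, str] = {}          # opaque token -> primary account number
        self._one_time: dict[str, OneTimePAN] = {}
        self._clock = clock                      # injectable so expiry can be tested

    def tokenize(self, pan: str) -> str:
        """Store the PAN and hand back a random token with no relation to it."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed account number")
        token = "tok_" + secrets.token_urlsafe(18)
        self._pans[token] = pan
        return token

    def issue_one_time_pan(self, token: str, ttl_seconds: int = 300) -> str:
        """Mint a single-use numeric authorization number bound to a stored token."""
        if token not in self._pans:
            raise KeyError("unknown token")
        while True:
            otp = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if otp not in self._one_time:
                break
        self._one_time[otp] = OneTimePAN(token, self._clock() + ttl_seconds)
        return otp

    def authorize(self, one_time_pan: str, amount_cents: int) -> dict:
        """Approve once; reject unknown, replayed, or expired numbers."""
        entry = self._one_time.get(one_time_pan)
        if entry is None:
            return {"approved": False, "reason": "unknown number"}
        if entry.used:
            return {"approved": False, "reason": "replay"}
        if self._clock() > entry.expires_at:
            return {"approved": False, "reason": "expired"}
        entry.used = True
        pan = self._pans[entry.token]            # the only place the real PAN is touched
        return {"approved": True, "token": entry.token, "last4": pan[-4:],
                "amount_cents": amount_cents}


@dataclass
class MerchantCustomerRecord:
    name: str
    payment_token: str   # what the merchant keeps instead of the account number


def demo(clock=time.time) -> dict:
    """Walk a customer through tokenization, storage, one purchase, and a replay attempt."""
    vault = TokenVault(clock)
    test_pan = "4111111111111111"   # constructed test number, not a real account
    token = vault.tokenize(test_pan)
    record = MerchantCustomerRecord("A. Customer", token)
    # Data-at-rest check: nothing in the merchant record should pass the Luhn scan.
    leaked = find_pans(f"{record.name} {record.payment_token}")
    otp = vault.issue_one_time_pan(token, ttl_seconds=60)
    first = vault.authorize(otp, 1999)
    replay = vault.authorize(otp, 1999)
    return {"record_contains_pan": bool(leaked), "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

A breach of the merchant database in this model yields only tokens, which are useless without the vault, and a one-time number captured in transit is rejected on any second presentation. The scan in `find_pans` is deliberately coarse; a production check would also cover backups, logs and analytics exports, which are where stored account numbers tend to linger.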
This blog is not about the security topic du jour but rather about a context and perspective in which to view and respond to the events of the day. It is about:
Rules and Tools
It responds to my observation that security is a space in which intuition and good intentions do not serve us well and in which rational thinking is difficult. There are many variables, some of which are un-identified. Even for the identified variables, the range of possible values, much less the exact or current value, may be unknown, or even unknowable. So, this blog will stress making hard decisions in the face of uncertainty.
Bill Murray is a management consultant and trainer in Information Assurance specializing in policy, governance, and applications. He is a Certified Information Systems Security Professional (CISSP) and chairman of the Governance and Professional Practices committees of (ISC)², the certifying body.
He has more than fifty years' experience in information technology and more than forty years in security. During more than twenty-five years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication Information System Security Controls and Procedures.
He has been recognized as a founder of the systems audit field and by Information Security Magazine as a Pioneer in Computer Security. In 1999 he was elected a Distinguished Fellow of the Information System Security Association. In 2007 he received the Harold F. Tipton Award in recognition of his lifetime achievement and contribution. In 2016 he was inducted into the National Cyber Security Hall of Fame. In 2018 he was elected a Fellow of (ISC)².