Friday, August 30, 2019

Recommendations on Retail Payment System Security

According to the Nilson Report, Global Credit card and debit card fraud resulted in losses amounting to $21.84 billion during 2015.  Losses have increased every year since 2002.  While the majority of these losses are charged to the card issuers, the cost is passed along to the consumer in the form of interest charges and fees.  (See sources and other statistics at WalletHub.)

Moreover, we have seen the growth of an illegal industry attacking and stealing personally identifiable information, and monetizing that information using credit and debit card account numbers, ATMs, and e-commerce.  In the market place of this industry it is possible to buy active primary account numbers and authenticating data.  The size and complexity of this industry makes it all but impossible to estimate its cost to the legitimate economy.  

Given the number of enterprises collecting, communicating, and retaining this data, some leakage is inevitable.  However, it is the ability to monetize the data that supports the illegal trade and which motivates many of the active attacks.  While we have seen some arrests and convictions in the illegal industry, many of these attacks and the fraudulent use of the data are going unpunished.  

It is the author's assertion that one means of reducing this illegal trade is to reduce the storage and use of primary credit and debit card account numbers.  Specifically we propose the elimination of the primary account numbers on the face of the card, the magnetic stripe, in the transaction, and in storage on merchant sites; all of these uses to be replaced by physical and digital tokens.  In most cases, the Payment Authorization Number (PAN) should be a digital token rather than the primary account number.  We assert that the financial technology and payment card industries already know how to do this, that there are demonstration projects ongoing, and that much of the necessary infrastructure to do this is already in place.  

The new Apple credit card is an example of a physical token that hides the primary account number.  Contactless EMV cards and mobile wallets are examples of digital tokens at transaction time.  While the current practice is to put the primary account number in the clear, both in text on the face of the card and on a magnetic stripe, this is for purposes of backwards compatibility, is archaic and unnecessary, and, in the light of the problem outlined above, should be eliminated.  

Some merchants have already replaced the primary credit card account number in their customer record with a digital token.  While this may add a little cost it reduces the risk of attacks against their systems and that the account number can be compromised in a breach.  

PayPal, Masterpass, AmEx Express Pay, Apple Pay, and Visa Checkout are all examples of services for authorizing e-commerce payments without the use of the credit or debit card account numbers.  These systems not only guarantee the merchant payment but transfer the cost and risk of authenticating the customer name and address to the service provider.  While the services may marginally increase the transaction cost to the merchant, this is more than offset by the reduction of risk.  These services also reduce the risk to the consumer of the leakage and fraudulent use of his account numbers.  

We recommend the following:

  • The elimination of the magnetic stripe from all newly issued credit or debit cards
  • The use of one-time Payment Authorization Numbers (PANs) throughout the payment system
  • The replacement of primary account numbers with one-time payment authorization numbers in e-commerce
  • The replacement of primary account numbers with digital tokens in merchant systems storage
  • The replacement of mag-stripe and PIN at ATMs with EMV
  • Preference for digital wallets at point-of-sale and ATMs
  • The elimination of the primary account number in text on the face of cards
  • Prefer EMV cards with biometrics for convenience and security

These recommendations are intended to address the systematic problems in the retail payment system.  They are independent of one another and each can be implemented, in whole or in part, by itself.   However, they do complement one another and collectively are necessary to the greatest effectiveness.  The first is the most important and the only one for which there are no trials or demonstrations.  Every little bit will help.
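As an added illustration of recommendations 2 and 4 above (example code written for this page, not code from the post or from any payment network), the following Python sketch models a processor-side token vault: the merchant keeps only a random token and the last four digits, a one-time token is consumed on its first authorization, and a simulated dump of merchant records contains nothing that passes a Luhn check. The vault design, class and function names, and the test card number are assumptions.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check so the vault rejects mistyped or malformed account numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Processor-side vault (hypothetical design): the only place a PAN is stored.
    Everything outside it handles tokens that carry no information about the PAN."""
    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, bool]] = {}   # token -> (PAN, single_use)

    def issue_token(self, pan: str, single_use: bool = False) -> str:
        if not luhn_ok(pan):
            raise ValueError("rejecting malformed account number")
        token = "tok_" + secrets.token_hex(12)   # random: not derived from the PAN
        self._entries[token] = (pan, single_use)
        return token

    def authorize(self, token: str, amount_cents: int) -> bool:
        """Resolve token -> PAN inside the vault; a single-use token is burned on first use."""
        entry = self._entries.get(token)
        if entry is None or amount_cents <= 0:
            return False
        _pan, single_use = entry
        if single_use:
            del self._entries[token]
        # The real PAN would be forwarded to the issuer here; it never leaves the vault.
        return True

def store_customer(vault: TokenVault, pan: str) -> dict:
    """What a merchant keeps on file: a reusable token plus last four for display."""
    return {"token": vault.issue_token(pan), "last4": pan[-4:]}

def breach_exposes_pan(records: list[dict]) -> bool:
    """Simulate a dump of merchant records: does any stored value look like a PAN?"""
    return any(luhn_ok(str(v)) for r in records for v in r.values())
```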

We recognize that implementation of these recommendations will take time but it is urgent and should be done within 3-5 years.  While we believe that these recommendations are self-justifying, we recommend that mechanisms like the Payment Card Industry Data Security Standards and California and New York legislation be used to add motivation as necessary.


  1. The security recommendations are sound, but you're dealing with an old school bureaucratic industry where change is painfully slow. The issue lies in updating all the endpoints (merchant terminals/software), procedures, training, etc.

    1. I agree. However, the US is behind the rest of the world. On the one hand, we are ahead of the rest of the world in that most of our transactions now take place online. On the other, we were almost a decade behind the rest of the world in both EMV and contactless. Both of these may be the result of the role of the third-party acquirer/processors.

      All that having been said, switching online merchants from acceptance of card numbers and unverified names and addresses to check-out proxies (e.g., PayPal, Apple Pay, Click to Pay) seems like an easy lift. Getting rid of Primary Account Numbers on card faces and mag-stripes is only marginally harder. Both of these would be efficient measures in reducing the cost of fraud. Even "an old school bureaucratic industry" ought to be able to manage one or both of these.

  2. I note that BBVA in Spain is following Apple's lead with a card without a Primary Account Number. We can only hope that other issuers will follow their lead.