Tech debate - Credit card data security: Who's responsible?

By Phil Lieberman, president & CEO, Lieberman Software, and Henry Helgeson, co-CEO, Merchant Warehouse, Network World
February 11, 2010 12:01 AM ET

Credit card processing companies should not be further to blame
By Henry Helgeson, Co-CEO, Merchant Warehouse

A data breach at a credit card processing firm causes an enormous amount of financial and brand damage, so it is not necessary to punish the victims further. What the government needs to do is focus its efforts on the criminals and stop villainizing the victims. That said, the government has made it easier to deal with breaches, and companies in our business can and must do a better job of protecting data.

Credit card processing companies work hard to protect data. The Heartland case was unfortunate, but not gross negligence. And when Heartland was breached it certainly had enough problems without having the government fining and penalizing them. But the silver lining is that this and other breaches have pushed the whole industry forward.

Consider the Data Breach Notification Act (S.139), which was introduced in the House on the heels of the Heartland breach and was recently passed. The law requires "all Federal agencies and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information". And it means we have to answer to one regulatory body rather than 51 (all the states and D.C.). If you have to follow 51 sets of regulations, you're spending more time on regulations than you are on developing your business.

And when Heartland went down we all said, "Wow, this can happen to us. We need to lock things down." The good news is there are solutions out there – such as end-to-end encryption – that can help. My company, Merchant Warehouse, was one of the first companies to deploy end-to-end encryption. With E2E encryption, cardholder data is encrypted at the point of swipe, transmitted over the network and securely stored in off-site servers. The data is tokenized, ensuring it is not usable if someone's network is breached.

There is another technology I believe will help tremendously in the future, and that is MagTek's MagnaPrint technology. It is inexpensive, effective and very efficient. It works like this: iron particles are sprayed onto the magnetic stripe on the back of a card in a random pattern, essentially giving each card its own fingerprint.

MagTek says examining the fingerprint and combining that information with the card number makes it possible to identify whether it's the original card or a duplicate. When you combine these two aspects, it is almost impossible for criminals to do anything but steal the actual card. Using the MagnaPrint technology would move us from the criminal that creates mass destruction by hacking in and stealing 100 million card numbers, to the petty criminal that's committing face-to-face crime we really can't do anything about.

What haven't caught on in the States are chip-and-pin cards. We tried this technology with several pilot programs, including the Atlanta Olympics in 1996, and it wasn't that successful. One, it's expensive, and two, it takes a massive change: new, more expensive cards have to be issued, merchants need to purchase new hardware, consumers need to change behavior, and the networks and processors, like Merchant Warehouse, need to adapt.

To effectively implement chip-and-pin cards from the issuance to the transactions themselves, you're talking about a massive overhaul of the system.

The reason chip-and-pin cards work well in other parts of the world but not in the U.S. is twofold. First, the U.S. had already accepted MagStripe as the industry standard while other countries were still developing their card infrastructure. And second, telecom in the United States is cheap, ubiquitous and very reliable. Chip-and-pin cards are popular in other parts of the world because they enable you to process transactions in areas where you might not be able to access dial-up.

Credit card processing organizations and merchants, under the Data Breach Notification Act, will now have an easier time in reporting breaches, as they will only need to report to one overseer. It’s now up to the industry to begin adopting the technology available in order to more securely lock down the sensitive, personal information that is transacted every day. Adopting these technologies will allow for more efficient and seamless business and a stronger faith in the financial system.

Merchant Warehouse is a premier provider of merchant accounts and credit card processing solutions.
