Wednesday, October 31, 2007

Retail, Protected Consumer Information, and Whole Disk Encryption

There has been a lot of discussion lately about retailers pushing back on the PCI (Payment Card Industry) Data Security Standard. The claim is that merchants should not have to store credit card data at all. Instead, the card processors and transaction clearinghouses would be the only places where that data is retained, and any merchant need for it (transaction lookup, disputes, etc.) would be handled by the processors on a per-request basis.

I really like this idea.

In risk management there are generally two ways to protect assets: 1) spend more to prevent threats to the assets, or 2) spend to reduce the number or value of the assets at risk. We see a lot of the former (think: anti-virus, anti-spyware, anti-threat-du-jour). We rarely see examples of the latter, even though it is a perfectly logical approach: data you no longer hold cannot be stolen from you.

Dan Geer gave us a great analogy: as threats increase, perimeters contract. A suburban neighborhood is fine with a police car every so many square miles, but an embassy needs armed Marines every 50 feet of its perimeter. We can take Dr. Geer's analogy and fight a war in everyone's neighborhood (every local retailer and e-tailer), or we can consolidate those assets in a few specific locations where they can best be monitored and protected. It just makes sense.

It's also a simple game of economics. The consumer passes the risk to the credit card issuers, who in turn pass it on to the merchants. If consumers in the US hadn't transferred the risk to the card issuers (courtesy of US law limiting a consumer's liability for credit card fraud to a whopping $50), we would likely not see widespread use of credit cards in the US today. What consumer would stand for going deeper into debt because a card was lost? Likewise, we are now at a turning point with merchants, since the card issuers are trying to transfer the risk onto them. Shuffling the risk back to the issuers (by shuffling the custody of confidential card data back to them) makes perfect sense. Don't forget that the card issuers have been in a perfect position all these years: charging merchants a fee per transaction and charging interest to consumers who carry a balance beyond 30 days. Since they double-dip in the economics equation, it makes the most sense for them to take on the responsibility.

2 comments:

shannon said...

I actually just found out recently that companies that accept credit cards are not allowed to keep copies of the information if it contains all 16 digits of your credit card number.

Which really makes me wonder how many companies out there have my info... I know of at least three hotels I've stayed at in just as many years that took PHOTOCOPIES of my credit cards. It seems impossible to enforce these credit card laws.

If you have to pick a responsible party when it comes to credit card fraud, it should CERTAINLY be the issuer. I've heard of banks that carry merchant accounts being held responsible, and that makes absolutely no sense. This credit card fraud problem, I think, might get worse before it gets better...

Tim MalcomVetter said...

Shannon,

I wish that were the case, but unfortunately (as someone who has advised retailers on PCI security) the PCI DSS standards allow for storage of the entire credit card number. These are excerpts from requirement 3 ...

3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
...
3.2.1 Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere).
...
3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
...

Now, a lot of organizations that have a business need to store credit card numbers have found other ways to do that, such as using cryptographic hashes as indexes. And yes, they do have some real business value in knowing how many individual credit card numbers were used, for purposes like sales metrics and customer loyalty programs.

Also keep in mind that these are not "laws". These are rules that Visa, Mastercard, et al. impose on anyone who uses their service. It's self-regulation.
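The "cryptographic hashes as indexes" approach mentioned in the reply above has a well-known weakness that a practitioner should keep in mind: a card number has far too little entropy to resist enumeration. The first six digits (the BIN) identify the issuer and are public, and PCI DSS permits the first six and last four digits to be kept in the clear as a truncated PAN, so anyone holding both a truncated PAN and an unkeyed hash of the same card only has to try the six middle digits, nine tenths of which fail the Luhn check before a single hash is computed. The Python below is an added example written for this page, not code from the post, its comments or any PCI document. The PAN 4111112345678909 is a constructed Luhn-valid value, not a real account, and the HMAC key is a placeholder for one held outside the database (an HSM or key-management service).

```python
import hashlib
import hmac
import secrets

# Constructed, Luhn-valid sample PAN (not a real account number). The first six
# digits are a BIN, which is public, and PCI DSS allows "first six, last four"
# to be stored as a truncated PAN, so only the six middle digits are unknown.
SAMPLE_PAN = "4111112345678909"
TRUNCATED_PAN = "411111******8909"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_index_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the PAN: the kind of 'hash as index' the reply describes."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def pan_index_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 of the PAN under a secret key stored apart from the database.
    Still deterministic, so unique-card counts and loyalty lookups keep working,
    but it cannot be enumerated by anyone who does not also hold the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(target_digest: str, masked_pan: str, index_fn=pan_index_unkeyed):
    """Enumerate every PAN consistent with masked_pan (digits plus one contiguous
    run of '*'), discard Luhn-invalid candidates, and return the one whose
    index equals target_digest, or None if no candidate matches."""
    width = masked_pan.count("*")
    if width == 0 or "*" * width not in masked_pan:
        raise ValueError("masked_pan must contain one contiguous run of '*'")
    prefix, suffix = masked_pan.split("*" * width)
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}{suffix}"
        if not luhn_valid(candidate):
            continue                    # exactly nine in ten candidates drop out here
        if hmac.compare_digest(index_fn(candidate), target_digest):
            return candidate
    return None


if __name__ == "__main__":
    assert luhn_valid(SAMPLE_PAN)

    # 1. Unkeyed hash stored next to a truncated PAN: the full PAN comes back in
    #    a few seconds on one core (10^6 candidates, 10^5 hashes).
    stored = pan_index_unkeyed(SAMPLE_PAN)
    print("unkeyed index recovers:", recover_pan(stored, TRUNCATED_PAN))

    # 2. Keyed hash: the same enumeration (the attacker can only compute plain
    #    SHA-256) finds nothing, because the index function depends on a key
    #    that is not in the database.
    key = secrets.token_bytes(32)   # placeholder for a key kept in an HSM or KMS
    stored_keyed = pan_index_keyed(SAMPLE_PAN, key)
    print("keyed index recovers:", recover_pan(stored_keyed, TRUNCATED_PAN))
```

The point of the second half is that the hardening comes entirely from key separation: an HMAC whose key sits in the same database (or the same backup) as the digests is no better than the plain hash, since the attacker simply runs the same loop with `pan_index_keyed`. Salting per row, the other common suggestion, defeats the business purpose the reply mentions, because two rows for the same card would no longer produce the same index.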