More ideas for payments security

There’s been plenty of hand wringing, nail biting, and finger pointing since the massive Target credit card data breach. Retailers, banks, and payment processors have variously lamented the state of U.S. card-based payments security. Proposed solutions abound.

While several of the suggested solutions will likely find adoption, none will be perfect. The security/threat dance will continue. Still, there was a particularly notable announcement this week that has broader implications than most of the fixes that have been suggested.

Where the U.S. has lagged in technology

The first, obvious accusations flew over the U.S. lagging much of the rest of the world by up to a decade in its implementation of the EMV (Europay-Mastercard-Visa) smart-card standard. That American providers still use magnetic stripe cards is seen as primitive in comparison to the smart cards used elsewhere that combine chip and PIN technology. Smart cards tend to be more secure, but in markets where they’ve been adopted, thieves have focused on other vulnerabilities in the payments ecosystem, such as online purchases, to perpetrate their fraud—and theft has not necessarily been reduced.

Since the Target breach, the card associations have firmed up their plans to force conversion to EMV. To avoid liability in the case of fraud, retailers and banks will have to convert as early as October 2015 (for retailers) and as late as October 2017 (for gas stations).

The quest for better identity verification

Attention has also turned to the usual search for more personal and secure means of verifying identity. Two of the several biometric solutions being floated are a system of point-of-sale (POS) wrist-vein recognition proposed by the startup PulseWallet and a voice recognition system from Nuance Communications being tested by U.S. Bank, the fifth largest bank in the U.S. With such biometrics as fingerprint identification being adopted more generally, it is not a stretch to expect some form of biometrics to soon reach the retail card payments system.

The move to watch is Payco’s token authorization system

But the move to watch is the endorsement by Payco (The Clearing House Payments Company) of a token authorization system. In forming an alliance, or ‘partnership’, with major retail and financial trade associations, Payco has expanded upon its considerable industry heft. While this system is no safer than the encryption it is based on, it removes the need for actual customer account information to be stored on retail systems, while fitting with the formats of current retail technology. More critically, it addresses security beyond retail POS terminals to broader online and advanced payment options. HSBC Bank USA this week became the latest bank to announce a trial of token-authorization technology.

NIST announcement is a reminder that payments security is still a broader issue

NIST this week also announced its framework for critical infrastructure cybersecurity. Essentially an articulation of middle-of-the-road best practices in security, the NIST framework will maintain credibility as long as it keeps current with the evolving concerns and solutions for keeping the broader realm of corporate data and interactions secure. Computerworld has enumerated six failures that led to the success of the Target attack, and today American Banker is reporting that Target security staff had urged a review of its payments security two months before the attack began.

The likely best solution

The best, if imperfect, answer to credit card and broader payment fraud will likely include the widespread adoption of EMV POS technology, a token authorization standard, and some form of biometrics. That is, some form of all of the above.

Some say that adopting EMV technology at this late date is investing in yesterday’s technology. Token authorization for payment accounts is the new element in the mix, but Payco this week provided critical leadership on the technology. And biometrics, though finding increased application, are still evolving.

However quickly new technologies are adopted, widely established old technologies—such as credit card use in retail stores—are generally slow to fade. Yet a technology that only addresses POS processes is already inadequate to cover the scope of modern payments. Retailers will not like the cost of upgrading to EMV compatibility, but they will not want to turn away traditional credit card customers within the decade.

In short, all participants in the payment system should prepare for an all-of-the-above solution.