An Open Letter
to The Payment Industry
Doug Bergeron is half-right.
Recently, Verifone’s Doug Bergeron called on Square, a start up company that provides a free credit card reader to small businesses and individuals, to recall its products because they are insecure and pose a great threat to the payment industry. Bergeron argued that encrypting readers were more secure. On that point, he is right. However, both the Square product and Verifone’s lack another essential ingredient in the battle against fraud, and that is an authentication feature.
The Square product has no encryption. It transmits the magnetic stripe data image to the phone, through the audio jack, where the Square application decodes the image and translates it into actual cardholder data. The application then sends the data over the Internet for processing.
Unlike Square, the comparable Verifone product has encryption in the “sleeve like” device that attaches to the phone. The cardholder data is encrypted in this device before it enters the phone.
It’s true the Square product is far less secure. Since there is no encryption, a hacker who has received a free Square card reader can look at the stripe’s image and translate it to real card data. This is what Verifone said it had done in less than an hour. We can confirm what Verifone had to say on this subject. In fact, a college student developed a similar program and delivered it to MagTek. It is so easy to do, undoubtedly many other intelligent students and enterprising hackers have discovered this flaw and are exploiting it today. There are probably hundreds of rogue applications out there that are very capable card skimmers.
Personal card information can be captured by Square readers and transmitted within minutes to card cloning centers, whereas the Verifone product impedes this type of fraud. However, both products will read a cloned card and send the data off for authorization. This is a far larger fraud problem, which encryption cannot solve.
We, as consumers do not get a great deal of added protection because Verifone uses encryption. The fact is cards can be cloned in too many other places. There are false front ATMs, tampered gas pumps, rogue POS terminals, large databases, and pocket skimmers. When cloned cards are used to commit fraud, we all suffer.
Although most card issuers will stand behind the legitimate cardholder and offer $0 liability for transactions that originate from counterfeit or cloned cards, there are other consequences, which cause consumers untold aggravation, including affidavits, police reports, credit report monitoring, endless phone calls, bounced checks, and lost wages. No one can adequately console or compensate the consumer for this kind of anxiety and hassle.
Cardholder data on the magstripe is not encrypted. It’s virtually identical to the data printed or embossed on the card. It can be easily copied from one card to another. Skimming and data breaches simply cannot be prevented. There is a better solution: cloned cards can be recognized and rejected. The problem with both Verifone and Square readers is that neither can determine if a card is counterfeit, because they both lack an authentication mechanism. Verifone believes itself noble for providing encryption in its readers, but ironically, it will encrypt and protect both genuine and counterfeit cards equally well.
True consumer protection demands that the payment community authenticate the payment card and the data on it. With the means to determine that a card is genuine and the account data has not been altered, fraud can be stopped in its tracks, saving billions of dollars annually. If fraudsters cannot use the pirated data, the fun and profit are removed from the equation along with the incentive to steal it. Dynamic authentication does just that. It makes stolen data useless to criminals. Encryption, while useful cannot carry the day.
Ellen Richey, the Chief Enterprise Risk Officer at Visa, Inc. has called for dynamic authentication and a multi-layered approach to payment security. In a recent statement she said, “Instead, the solution is to adopt dynamic data authentication technologies: technologies that rely on dynamic data elements which – even if stolen – cannot be used in the next transaction and therefore cannot be used to commit fraud. By introducing dynamic data elements and using technology to authenticate those data elements in real time, we can create point-of-sale environments that contain no information valued by criminals and therefore are no longer the targets of criminal attacks.”
This type of security is available today, to protect magstripe transactions, without radical changes to our payment system, and without a move to an “EMV Chip and PIN”system. The ordinary magnetic stripe cards in your wallet today carry dynamic card data, which can be read, authenticated and used to stop fraud in real time. The only change required is a minor modification to the small read module inside the Verifone and Square readers. The industry can take advantage of dynamic authentication now without changing anything about the card itself, how it’s manufactured or the cost to manufacture it.
Price Waterhouse Coopers in its Emerging Technology Research report to the Payment Card Industry Security Standards Council noted that authentication by “dynamic payment card data has the potential to eventually eliminate the need for PCI-DSS.” PCI-DSS is a security standard, widely thought to be ineffective, capricious, expensive, and despised by merchants. The council’s mission is to ensure compliance to its standard, rather than combat fraud. We, as an industry must align and strive to combat fraud.
Fraud is the problem, not skimming and data breaches. As an industry, we have the power to stop the fraud and make stolen cardholder data useless by means of dynamic authentication. Encryption is good, but by itself, not enough to protect cardholders.
Doug Bergeron is an industry leader. He knows it will take an industry wide cooperative effort to implement a standardized authentication system, which has the power to eliminate magstripe card fraud and assure continued confidence in the payment system. I call upon him and the entire payment community, including Square, to join MagTek in the campaign to wipe out counterfeit card fraud. We need to acknowledge the root cause of fraud and build a system, which can truly protect cardholders and put criminals out of business. Encryption plus authentication is the answer.
Annmarie D. (Mimi) Hart
President & CEO
1710 Apollo Court
Seal Beach, CA 90740