Comments on: Retail Group Lobbying To Have Credit Card Data No Longer Stored

By: Matt Harrigan

Matt Harrigan — Thu, 04 Oct 2007 19:24:18 +0000

It’s an idea for change – an idea for change that requires a wholesale change on the part of an industry which has millions of entities – merchants, SPs, 3rd parties, equipmment vendors, the brands, etc, handling trillions of records and transactions.

It’s analagous to suggesting that the solution to global warming is that everyone cease to use fossil fuel powered cars. Sure, that would be great, if there were a hydrogren refueling station, or electric charger on every corner, and someone was going to simply hand out the new automobiles.

Sure, its a good idea, but its going to take time, money, and commitment on the part of the folks in the path of transactions, and ALOT of thought leadership.
Plus, as marc indicated, there will always be some unique identifier that maybe isn’t being stored, but is traversing some network somewhere, and is potentially subject to being snatched by said “bad guys.”

I think that the formation of the SSC, the community meetings that are occurring, and the opportunities that participating organizations have to contribute to standards -have- helped to advance security, and reduce fraud.

By: Marc

Marc — Thu, 04 Oct 2007 18:24:47 +0000

The removal of card storage lessens the impact of a breach, but does not completely mitigate it. There is always the issue of a well placed trojan on a register or server that sits there and quietly captures card data being sent out for authorization.

It will take a little longer for the bad guys to get their data, but they will get it.

The real answer is to take the card number out of the loop of the transaction. When the card number never leaves the card, then there is nothing to steal from the merchant. The card associations need to fundamentally overhaul how transactions are authorized and settled. The technology exists (smart cards, PKI), but there is no incentive to make the associations change. They make plenty of money the way things work now, and they get to pass on fines when there is a breach. It’s good for them all over!

By: Matt Harrigan

Matt Harrigan — Thu, 04 Oct 2007 15:00:57 +0000

What NRF has suggested is actually the best case scenario for the retailers, the card brands, the council, and all other parties in the PCI ecosystem.

If a retailer or service provider stops storing data all together, then the potential for fraud goes away. Additionally, the organization that was formerly storing cardholder data, and is now not doing so does not have to undergo the compliance process.

Its good for the card brands, because they no longer have to absorb the risk of their banks, who no longer have to absorb the risk of their merchants, who no longer have to worry about being compliant.

Unfortunately, it’s not something that happens overnight.

There are a few products out there which tokenize credit card data, eliminating the need for explicitly protecting it.