Tuesday, July 28, 2009

It's the "Typing" Stupid!


Aite Report Says There Is No Easy Cure for Threats to Card Security

7/29/2009 - Credit Union Times
By Marc Rapport

"There’s no vaccine against card data security breaches in the United States, and the prognosis for this persisting ailment shows there is no fast cure, according to a recent report, which also said it would cost an estimated $100 billion to fix card security in the U.S.
Editor's Note: The three biggest problems according to this article (and the facts) are as follows: 1. Malware, 2. Card Cloning and 3. CNP Transactions. The web is the most dangerous place to conduct transactions and we do it by "typing" our card numbers into a box. Think about it. How stupid is that?

What was that line Clinton used to win the presidency? "It's the economy stupid!" Well here's my version...It's the "typing" stupid! Can I get any more simplistic? Yes, I can name that tune in three words: "Swipe...Don't Type!"


Merchants are in the most vulnerable position in the card data security realm and malware, counterfeit card fraud and card-not-present fraud currently top the list of threats. Of even more concern, card security may never be fixed, as criminals will always seek new ways to commit fraud.
That’s according to a new report released by research and advisory firm Aite Group. The report, “Card Data Security: In Search of a Technology Solution,” which is based on survey responses from 29 individuals (most of whom head up risk management for North American issuing banks or payment processors), focused on what the respondents thought were today’s biggest card security problems, the responsibilities of stakeholders and possible card security solutions.



What did surveyors find as the most viable remedies for card security issues? One promising solution, a shift from magnetic stripe cards to EMV architecture (the use of smart cards), may never come to fruition.

The report stated that a decision to make the use of smart cards a standard practice is five to seven years away–or may never take place at all.
Editor's Note: So why even try? We lost. Fraud is a part of the cost of doing business, right? It's that same mentality that caused the problem in the first place. Want to get rid of fraud? Get rid of signature debit and make the switch to PIN debit.


“With the deeply entrenched magnetic stripe infrastructure in the United States, and the cost and effort involved in transitioning stakeholders to chip and PIN infrastructure, this may be the case,” Aite Group’s Nick Holland said of the survey participants’ predictions that standardized EMV architecture may never be a reality in the U.S.

However, out of the three biggest threats to card security–malware, counterfeit card fraud and CNP fraud–counterfeit card fraud is the only problem that an EMV architecture shift could solve. There are other promising solutions to all three problem areas, the report said."

Editor's Note: Yeah, there is. For example, 1. Malware won't affect transactions that are immediately encrypted when they are swiped. What was that line Clinton used? It's the "economy" stupid. Well here's my version...It's the "typing" stupid.

2. A counterfeit (cloned) card won't work if you require two factor authentication for web purchases. Swipe (what you have) your card and Enter (what you know) your PIN. For those who argue that credit cards don't have PINs? Our patent pending "PIN Your Card" technology can assign PINs to credit cards.

3. CNP fraud would be eliminated by morphing the "Card Not Present" environment (i.e. the Internet) into a card present one. There is no difference between a consumer swiping their own card in the safety of their home vs. swiping their card at an unattended kiosk or gas pump.
In fact, there is NO DIFFERENCE between taking cash out of an ATM (Swipe Your Card, Enter Your PIN) and what HomeATM does. The banks seem to trust that the consumer is present when they authorize the spitting out of $20 bills. Want to take security one step further? HomeATM has already engineered and has available an EMV version to our PCI 2.x Certified SafeTPIN.

From Aite's Website:

Card Data Security: In Search of a Technology Solution
While EMV architecture could mitigate card fraud, it does not address all security concerns and is not likely to be implemented in the near-term.
Boston, MA, July 2009 – A new report from Aite Group, LLC reveals stakeholder perceptions of current card data security issues, an overview of their responsibilities and a look at what is required to fix card data security. Based on in-person interviews conducted by Aite Group with 29 heads of risk management and other bank executives, the report provides insights from key decision-makers in the card payments risk and security realm.
There is no arguing that card data security is a major concern to stakeholders, and one that urgently needs to be addressed, but the EMV route is not a given for the United States. While many agree that switching the industry to EMV smartcard architecture would go a long way in mitigating card fraud, few see the transition occurring within the next few years, if at all.
"Survey respondents believe the greatest threats to the card industry are malware, counterfeit card fraud and CNP fraud," says Nick Holland, senior analyst with Aite Group and author of this report. "Since a move to EMV architecture would only address counterfeit card fraud, Aite Group recommends the establishment of a pan-network panel to study card security issues and identify alternative technologies to reduce vulnerabilities."

This 15-page Impact Note contains 11 figures. Clients of Aite Group's Retail Banking service can download the report by clicking on the icon to the right.








