Card numbers are like nitroglycerine

Not before time, merchants are pushing back on the PCI-DSS regime, with a new lawsuit brought by a restaurant against the card companies. Infosec commentators like Ben Wright ask why all the onus should be on merchants when the payments industry could instead invest in better security technology.

Credit card numbers are a bit like nitroglycerin: handle them with great care or they’ll blow up. The slightest slip-up, the smallest weakness in database security in the face of sophisticated Advanced Persistent Threats, and tens of millions of card numbers are lost to criminals. PCI-DSS compliance is fiercely expensive, yet all it really does is guard against accidents and careless handling; it is largely powerless to stop determined attackers or corrupt insiders who already have legitimate access to the data.

Is it fair to hold merchants responsible for the highly technical handling procedures of the PCI-DSS regime, when instead the card companies could stabilise their highly volatile card data?

The PCI regime is like an elaborate set of handling instructions for nitroglycerin. The approach is unsustainable. What we need is the equivalent of Alfred Nobel’s invention of dynamite: something that stabilises the explosive so it’s safe to handle.

The fundamental problem with payment card safety (as is the case with most digital identity security) is that the numbers are static and therefore replayable: anyone who captures a card number, expiry date and CVV can present them again and be indistinguishable from the cardholder. It’s child’s play to take account data and replay it against unsuspecting merchants, either via cloned mag stripe cards or, even easier, in online Card Not Present (CNP) fraud.

Yet with chip technologies now widespread, and digital signature primitives ubiquitous in computing and Internet platforms, it is technologically straightforward to eliminate replay attacks. We could make cardholder details non-replayable online by having the card (or a chip-grade wallet) digitally sign each transaction, binding the account number to that transaction’s amount, merchant and a fresh counter or nonce, just as EMV cards do when interacting with merchant terminals. A captured authorisation is then worthless: it cannot be submitted twice, and it cannot be altered to a different amount or merchant. Not only could we dramatically reduce the damage done when card details are stolen, we’d pull the rug out from under organised crime, and we’d boost privacy by cutting the vicious cycle of gathering more and more ancillary personal data for proving customer identity.
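To make the contrast concrete, here is an added illustration (not Lockstep’s code, and not a description of any real issuer’s system) of the two models side by side. The “static” issuer authorises on the PAN, expiry and CVV alone, so anything scraped from a merchant database works again anywhere. The “cryptogram” issuer instead requires a per-transaction cryptogram produced by the card over the account number, merchant, amount, a monotonic application transaction counter (ATC) and a terminal-supplied nonce, and it rejects any counter value it has already seen. For self-containment the cryptogram is an HMAC under a constructed card-unique key, the same shape as EMV’s online ARQC; the asymmetric signature the post argues for would slot into the same place with the same effect. All card data below is constructed test data.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, replace

# --- Constructed sample data (test values, not a real card) -----------------
PAN = "4111111111111111"
EXPIRY = "12/29"
CVV = "123"
# Card-unique key. In EMV this would be derived from an issuer master key and
# personalised into the chip; here it is simply generated for the demo.
CARD_KEY = secrets.token_bytes(16)


@dataclass
class Transaction:
    pan: str
    merchant_id: str
    amount_cents: int
    atc: int                   # application transaction counter, incremented by the card
    unpredictable_number: str  # fresh nonce supplied by the merchant terminal
    cryptogram: str = ""


def _mac(key: bytes, tx: Transaction) -> str:
    """Cryptogram over everything that makes this transaction unique."""
    msg = f"{tx.pan}|{tx.merchant_id}|{tx.amount_cents}|{tx.atc}|{tx.unpredictable_number}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class StaticIssuer:
    """Status quo for CNP: authorisation rests on static, replayable card data."""

    def __init__(self) -> None:
        self.cards = {PAN: (EXPIRY, CVV)}

    def authorise(self, pan: str, expiry: str, cvv: str, amount_cents: int) -> bool:
        # Nothing here distinguishes the cardholder from someone holding a copy.
        return self.cards.get(pan) == (expiry, cvv)


class Chip:
    """Simulated card: holds the key, advances the ATC, emits a cryptogram per transaction."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan, self.key, self.atc = pan, key, 0

    def sign(self, merchant_id: str, amount_cents: int, unpredictable_number: str) -> Transaction:
        self.atc += 1
        tx = Transaction(self.pan, merchant_id, amount_cents, self.atc, unpredictable_number)
        tx.cryptogram = _mac(self.key, tx)
        return tx


class CryptogramIssuer:
    """Issuer that verifies the cryptogram and refuses any ATC it has already accepted."""

    def __init__(self) -> None:
        self.keys = {PAN: CARD_KEY}
        self.last_atc = {PAN: 0}

    def authorise(self, tx: Transaction) -> bool:
        key = self.keys.get(tx.pan)
        if key is None:
            return False
        if not hmac.compare_digest(_mac(key, tx), tx.cryptogram):
            return False                      # forged or tampered transaction
        if tx.atc <= self.last_atc[tx.pan]:
            return False                      # replay of an already-used counter
        self.last_atc[tx.pan] = tx.atc
        return True


def demo_static_replay() -> tuple[bool, bool]:
    """Captured static details are just as good for the thief as for the cardholder."""
    issuer = StaticIssuer()
    genuine = issuer.authorise(PAN, EXPIRY, CVV, 4200)
    # Attacker lifted (PAN, EXPIRY, CVV) from a breached merchant and spends elsewhere.
    replayed = issuer.authorise(PAN, EXPIRY, CVV, 99900)
    return genuine, replayed          # (True, True): the breach is fully monetisable


def demo_cryptogram() -> tuple[bool, bool, bool, bool]:
    """A captured cryptogram can be neither resubmitted nor altered; the card still works."""
    chip, issuer = Chip(PAN, CARD_KEY), CryptogramIssuer()
    tx = chip.sign("MERCHANT-A", 4200, secrets.token_hex(4))
    genuine = issuer.authorise(tx)
    replayed = issuer.authorise(tx)                      # same message submitted again
    tampered = issuer.authorise(replace(tx, amount_cents=99900))  # amount changed in transit
    fresh = issuer.authorise(chip.sign("MERCHANT-B", 1500, secrets.token_hex(4)))
    return genuine, replayed, tampered, fresh  # (True, False, False, True)


if __name__ == "__main__":
    print("static issuer  (genuine, replayed):", demo_static_replay())
    print("cryptogram issuer (genuine, replayed, tampered, fresh):", demo_cryptogram())
```

The point the two demos make is the one in the paragraph above: in the static model the merchant’s database is the whole attack surface, because its contents are the credential. In the cryptogram model the breached database holds only already-spent authorisations and an account number that cannot be used without the card’s key, so the “nitroglycerin” the merchant stores has been rendered inert.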

See also Lockstep Technologies’ R&D in CNP fraud and digital wallets.