Author: Dharshan Shanthamurthy
I have been seeing a number of articles and television channels flashing news about how credit cards have been misused in many places.
This one in a leading national newspaper is an example – http://timesofindia.indiatimes.com/india/In-12-hours-Mumbai-womans-credit-card-used-in-4-continents/articleshow/18374084.cms.
When it comes to payment card security, one should remember that the increased role of digitization has greatly increased the propensity towards card fraud. While we must certainly attempt to prevent fraud against every card, we should remember that fraudsters tend to remain more interested in easier and bigger targets. Hence, the priority should be to protect card information held by organizations where a breach would have huge ramifications.
One definitely needs to appreciate the efforts taken by the Indian media in highlighting the serious issue of e-crime and inadequate security in the payment ecosystem, especially at a time when India is moving towards a cashless environment. However, as someone who has been instrumental in shaping the payment security ecosystem, I believe there is a long way to go before we can say that the solutions implemented are adequate. Let us look at the issues we face:
Merchants: The world over, merchants have been an easy target for fraudsters. The scope of security attacks is no longer restricted to attaching skimming devices to point of sale terminals and stealing a handful of cards. More recent attacks have compromised millions of cardholder data records stored in merchants’ systems. Let me give you an example from my experience of shopping at retail outlets in India. Most Indian retailers perform double swipes at their cash counters, that is, swiping the card once on the POS terminal and again on their own retail system. Have you ever wondered what data they are capturing on their retail systems, or what protection they have for this data?
Banks: Indian banks have a considerable base of debit and credit cards. Card security for many Indian banks is not on their priority list. How many of these banks can claim to be compliant with payment security standards? The number would be less than 5%.
Let us examine some of the solutions suggested in various media reports to address the above problems.
1) Line Encryption is the silver bullet.
Line encryption is a security mechanism that protects data in transit from the POS terminal to the POS controller. Assuming line encryption has been properly implemented, the question remains how the card data is secured when it is read at the POS terminal, or once it reaches and is stored at the controller.
2) EMV will eliminate fraud.
EMV is a good security measure with respect to face-to-face fraud. However, what happens to cardholder data during storage or processing at each of the entities that handle it?
3) Cardholders should be more careful.
While points 1 and 2 do offer good measures of security, are they adequate? So what exactly is the solution? The PCI Security Standards Council (a globally accepted industry association for payment security) has released a series of standards with respect to payment card security. Payment brands such as Visa and MasterCard have already mandated PCI compliance for organizations storing, processing or transmitting card information. This standard, with over 218 protection measures, attempts to address the various security risks organizations face when they transact or process cardholder data.
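To make the double-swipe question above concrete, and to show what the PCI standard's storage rules mean in practice, here is an added example (written for this page; it is not code from the original article, from SISA, or from the PCI Security Standards Council). It is the kind of check an assessor runs over a retailer's back-office files: find card numbers held in clear text, find full magnetic-stripe track-2 reads (which PCI DSS forbids storing after authorisation), and show the form in which the data could legitimately be kept, with PANs truncated to the first six and last four digits. The sample log is constructed; the card numbers are the well-known Luhn-valid Visa and MasterCard test numbers, not real cards, and the track contents are invented.

```python
import re

# Constructed sample of what a retail back-office system might retain after a
# "double swipe": a sales log, with one line holding the raw magnetic-stripe
# track-2 read. Card numbers are public test numbers; track contents are invented.
SAMPLE_LOG = """\
2013-02-05 10:14:02 sale txn=1001 amount=1250.00 pan=4111111111111111 auth=OK
2013-02-05 10:14:02 raw_swipe=;4111111111111111=251210112345?
2013-02-05 10:15:40 sale txn=1002 amount=310.00 pan=5500000000000004 auth=OK
2013-02-05 10:16:01 notice: order ref 1234567890123 dispatched
"""

# A run of 13 to 19 digits not adjacent to other digits is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# ISO 7813 track-2 layout: ;PAN=YYMM<3-digit service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters order numbers and similar out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Unique Luhn-valid PANs held in clear text, sorted for stable output."""
    return sorted({m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))})


def find_track2(text: str) -> list:
    """Full track-2 reads: sensitive authentication data that must not be stored."""
    return [
        {"pan": m.group(1), "expiry": m.group(2), "service_code": m.group(3)}
        for m in TRACK2_RE.finditer(text)
    ]


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> dict:
    """Summarise what cardholder data a captured file or log actually holds."""
    pans = find_pans(text)
    tracks = find_track2(text)
    return {
        "clear_pans": pans,
        "masked_pans": [mask_pan(p) for p in pans],
        "track2_records": len(tracks),
        "stores_sensitive_auth_data": bool(tracks),
    }


def redact(text: str) -> str:
    """The form the stored copy should take: no track data at all, PANs truncated."""
    without_tracks = TRACK2_RE.sub("[track2 removed]", text)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        without_tracks,
    )


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Run as a script it reports two clear-text PANs and one full track-2 record in the constructed log, then prints the log as it should have been written. The Luhn test is what keeps the 13-digit order reference from being flagged; the pattern match alone would have produced a false positive. Note that truncation is only one of the storage options the standard allows, and that a real assessment uses purpose-built discovery tools across databases and backups, not a regex over a single file.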
To conclude, if we want to create a payment ecosystem which is beneficial to all (banks, merchants and service providers), the solution lies in taking a holistic approach to payment security and not just one-off measures.
About the Author:
Dharshan Shanthamurthy is the CEO of SISA Information Security (www.sisainfosec.com), India’s leading payment security company with global headquarters in Bangalore, India. Dharshan was the first payment card security certified professional (PCI-QSA) in India and is considered one of the top payment card security professionals globally. Dharshan works out of Sunnyvale, California and can be contacted at firstname.lastname@example.org.