Ashok Misra has an interesting, and certainly provocative, article in the current Secure Payments Magazine. If you don’t know Ashok, he is Sr. Manager Payments & Security at RealNetworks, Inc in Seattle, chairman of the European CNP Payment Forum, and a long-time friend of Glenbrook Partners. In the article, he comments that the current credit card security debate is fundamentally flawed, and that the essential problem is that the credit/debit card systems were not designed with security in mind. Thus far, industry developments in credit card security attempt to build security on top of infrastructure that was simply not designed to be as secure as we are trying to make it today (of course we are facing threats unimagined when the systems were designed). He cautions against retro-fitting security into a system that was not designed for online commerce.
Ashok suggests that a new system designed with security in mind needs to be built from the ground up. He claims that this is not a huge technical challenge as the components for such a system are available now.
A few examples of these kludges in the ecommerce context are CVV2, Verified by Visa, MasterCard SecureCode and zero dollar authorizations. The point to take away here is that since credit cards were not designed for use in a non face to face environment, they need to be ‘retrofitted’ for authentication in a customer not present environment
He goes on to observe that
If such an initiative for payment system refactoring is not undertaken, merchant protection of payment data will continue to be the fulcrum of the ecommerce security issue. Payment security will degenerate into a vaudeville theatre where key parties will transpose liabilities on other players. The costs of compliance and auditing will erode margins and ultimately consumers will finance merchant costs for data protection through increased product price points.
Charlie Chaplin once said, ‘in the end everything is a gag’. In the context of the current security payment security debate, this is indeed a true statement.
Retrofitting Security: How the industry works backwards to go forwards
By Ashok Misra, Secure Payments Magazine, 3rd Quarter 2009