PCI - Driving in the Rearview Mirror
Few dispute the security inadequacies of the U.S. payment infrastructure. The magstripe card and its static data, adequate when the payment network ran as a closed system of its own, cannot stand up to Internet-born attack tools in the hands of Internet-connected criminals, let alone to the simple trick of card skimming.
PCI has brought no little order and discipline to payment and network security. But today's fast pace of innovation, particularly at the mobile edge of the network, makes standards development, and even development guidelines, challenging. The PCI DSS has to be a reactive set of standards.
The PCI data security standards cannot do more than require the construction of high coffer dams around a payments system that was, like the Internet itself, designed with limited security in mind. As long as magstripe-encoded static data exists there will be breaches in that dam. While PCI encourages stronger techniques, like EMV, it must deal with current operations and near-term options.
The payment industry's answer is, of course, EMV, the smart card-based security framework that, among other attributes, makes payment cards nearly impossible to counterfeit. It is coming. But, as the last magstripe holdout, the US is a fat target for counterfeit fraud at the POS and ATM. EMV will go after the counterfeit card problem. Note what it will not do: it does nothing for card-not-present fraud, and a chip card still carries a magstripe that a terminal may fall back to, so the static-data exposure persists until that fallback is gone.
It's Harder to Improve What You Don't Measure
One of the great shames of the payments industry is the lack of transparency regarding fraud losses. Issuers don't want to report losses. Neither do card networks or processors. The origins of such reticence may have started in the now absurdly vain attempt to maintain consumer confidence in payment security. Good job. No doubt, lawyer-driven CYA is today's main driver.
So, that leaves us with today's unfortunately frequent reports of card data breaches, punctuated by an occasional spectacularly successful theft of millions. (It's unfortunate that the card pictured in this news story is an EMV contact chip card because it's very unlikely that chip card data fueled these losses).
However, in a brief private conversation, one processor reported to me that the losses it was seeing across all payment brands now exceed a $200 million annual rate. Based on that and other sources, we are on a trajectory toward multiple billions per year in card-related losses.
Fortunately, EMV is coming to remove counterfeit cards and let dynamic data kill off transaction replay attacks. End-to-end encryption and point-to-point encryption promise to remove card data and PII from the transaction stream. Tokenization, encryption's handmaiden, simplifies securing transaction history and other data-at-rest concerns. Mobile approaches based on NFC or more data-driven schemes promise to tighten the mobile perimeter.
All of that effort will make $200 million breaches, and even the $2,000 variety, far harder to accomplish. From a security point of view, we're headed in the right direction.
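The claim above that dynamic data kills off transaction replay is worth seeing concretely. The following is an added example, not code from the original article or from any card network; it is a deliberately simplified model of the two card types, using HMAC-SHA256 as a stand-in for EMV's actual application cryptogram and a fixed test key and test PAN (both constructed, not real card data). An issuer host that only ever sees static magstripe data cannot tell a skimmed copy from the genuine card, while a host checking a per-transaction cryptogram bound to a counter and a terminal nonce rejects the captured message the second time, rejects an altered amount, and rejects a forged counter bump.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real card data. In a real EMV deployment the
# per-card key is derived from the issuer master key; here it is a fixed test key.
PAN = "4111111111111111"
EXPIRY = "2512"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def magstripe_track(pan: str, expiry: str) -> str:
    """A magstripe hands over identical static data on every swipe."""
    return f"{pan}={expiry}"


class ChipCard:
    """Simplified EMV card: every transaction is covered by a MAC over a
    transaction counter (ATC), the amount and a terminal nonce (UN)."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1  # the counter never repeats for a given card
        msg = self.atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + un
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": PAN, "atc": self.atc, "amount": amount_cents, "un": un, "mac": mac}


class Issuer:
    """Issuer authorization host for one card."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key
        self.highest_atc = 0  # last counter accepted from this card

    def authorize_magstripe(self, track: str) -> str:
        # Static data: the host can only check that the account exists.
        # A captured track is indistinguishable from the genuine card.
        pan = track.split("=")[0]
        return "approved" if pan == self.pan else "declined: unknown account"

    def authorize_chip(self, txn: dict) -> str:
        if txn["pan"] != self.pan:
            return "declined: unknown account"
        msg = txn["atc"].to_bytes(2, "big") + txn["amount"].to_bytes(6, "big") + txn["un"]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, txn["mac"]):
            return "declined: bad cryptogram"   # forged or altered data
        if txn["atc"] <= self.highest_atc:
            return "declined: replay"           # counter already used
        self.highest_atc = txn["atc"]
        return "approved"


def terminal_chip_transaction(card: ChipCard, amount_cents: int) -> dict:
    """Terminal side: pick a fresh unpredictable number, ask the card to sign."""
    return card.generate_cryptogram(amount_cents, secrets.token_bytes(4))


def run_demo() -> dict:
    """Replay a captured magstripe track and a captured chip cryptogram."""
    issuer = Issuer(PAN, CARD_KEY)
    card = ChipCard(CARD_KEY)
    results = {}

    # Skimmer captures the track once; every replay authorizes.
    captured_track = magstripe_track(PAN, EXPIRY)
    results["magstripe_first"] = issuer.authorize_magstripe(captured_track)
    results["magstripe_replay"] = issuer.authorize_magstripe(captured_track)

    # The same attacker captures one chip transaction on the wire.
    captured_txn = terminal_chip_transaction(card, 2_000)
    results["chip_first"] = issuer.authorize_chip(captured_txn)
    results["chip_replay"] = issuer.authorize_chip(captured_txn)

    # Altering the amount, or bumping the counter without the key, fails the MAC.
    tampered = dict(captured_txn, amount=200_000)
    results["chip_tampered"] = issuer.authorize_chip(tampered)
    bumped = dict(captured_txn, atc=captured_txn["atc"] + 1)
    results["chip_counter_bumped"] = issuer.authorize_chip(bumped)

    # A genuine new transaction from the real card still goes through.
    results["chip_next"] = issuer.authorize_chip(terminal_chip_transaction(card, 3_500))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} {outcome}")
```

The point the model makes is structural rather than cryptographic: once the authenticator changes on every transaction and is bound to data the terminal and issuer both contribute, the value a skimmer or a network tap captures is worthless a moment later, which is exactly what static track data can never offer.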
Largest Retailers Get It
The largest retailers are already well along the path. Knowing the cost of brand damage from a data breach, never mind the direct losses, the largest retailers have pushed PCI compliance above 90%. They already have EMV-capable terminals or have them in their acquisition plans. They already have scope-mitigating encryption and tokenization approaches in play. They get it.
The Coming Level 4 Disaster
While the Level 1 and 2 merchants, those largest of retail brands, have payment security on their corporate radar, the Level 4 merchants who represent the millions of small business operators in the US can hardly spell it.
Last fall's survey by PCI compliance solutions vendor ControlScan and Boston-based ISO Merchant Warehouse shows how far small merchant awareness has to rise before they get the scope of the PCI problem.
- After 7 years, just 54% of small merchants said they were aware of PCI.
- And compared to last year's report, among the aware, action has declined. Just 50% report themselves as validated PCI, a drop of 7%. Fewer can even find their SAQs (the PCI Self-Assessment Questionnaires).
- Down three points, only 48% are spending any money on compliance.
In other words, talking to Level 4 merchants about the risks of payment security is, as Crash Davis said in the film Bull Durham, like a Martian talking to a fungo.
An industry mandate to push merchants, all of them, to adopt new security technology is the only viable approach. That's what the October 1, 2015 liability shift date is about. Pushing a portion of that growing fraud burden onto the merchant should get their attention.
The key question for the industry is "how do we get EMV and other security protections down to the Level 4 merchant?" There is no shortage of barriers to achieving that goal:
- If they're even aware of it, many merchants are looking at the impending liability shift - still 900+ days away - and saying "I'll take the counterfeit risk. It's cheaper than replacing all of my POS gear."
- Level 4 merchants believe terminals should last forever. They simply want to take payments, so they see no need to upgrade to a more secure device. The millions of technologically ancient dial-up terminals still in use are proof. And, by the way: "how do security expenditures improve my sales?"
- As the ControlScan / Merchant Warehouse survey showed, many already believe they're secure.
Yes, It's Complicated
Besides the sheer scope of the US card market, we have many more moving, and often independent, parts. In Europe, where they are still in the acquiring business, banks enforce compliance, limiting choices and excuses. But here in the US, the merchant services business is a supply chain of acquiring processors, merchant acquirers, gateway operators, independent sales organizations, merchant-level sales reps, independent software vendors, and value-added resellers. It's a cat-herding problem.
Yes, some acquiring processors take a different approach. Heartland Payment Systems is vertically integrated with its own tightly managed sales force who are taught to sell, and have available, a widening set of services that go well beyond credit and debit card processing. But they're the exception.
A Weak Link in the Deployment Plan
A major complicating factor is the mismatch of incentives between the organizations that sell merchant services and the merchants they serve. The ISO "feet on the street", whether in-house or contracted merchant-level sales reps, have for a decade been principally focused on portfolio development and management, not on offering innovative, non-payment services that help their merchant customers be more successful.
Many ISOs are on a race-to-the-bottom trajectory, selling card services on price. As a result, this cadre measures good account maintenance by how long it can stay away from the customer, because any contact with the customer only invites a discussion of price.
Fox in the Henhouse?
The merchant services industry has made a high art of pricing and fee obfuscation. Very few merchants can decipher their own statements. Some ISOs and their channel allies look at PCI compliance, and non-compliance fees, as an additional revenue source. Profiting from security concerns, they can charge high-margin fees for network scanning and other "security" services.
This is the channel that, through deliberately complicated statements and fear-based fees, has pushed card acceptance costs for some merchants past 5% of sales.
And this is the channel that the industry will be relying on to roll out EMV terminals and new security services. ISVs, with their vertical software for merchants of all kinds, will also be responsible for pushing security to the edge of the payment network.
No wonder Square's 2.75%, with its rich software offerings, is making inroads at the POS and generating high decibel buzz and merchant mindshare.
Get With It or Go Away
The merchant services industry has few options.
1. Clean up the Act. Price transparency matters. Today's obfuscation makes the price predictability of Square and its like all the more compelling.
2. Sell on Value. Besides card acceptance, what can be sold to merchants that makes them more successful at selling? If the answer is nothing more than card acceptance, maybe it's time to leave the business to those who can.
3. Get Real about Security. That doesn't mean ripping out every creaky dial-up terminal today. It does mean getting it into the merchant's mind that enforcement is on the way. Even if the liability shift date slips (and my guess is that it will) we're at the end of a technology's life.
None of these steps will be new to the merchant services industry or the ISV community. Many have been ignoring similar advice for years. But given their critical role in deploying new terminal technology, where will payment security be if they fail?