What’s in a 100 Million?

100 million credit cards compromised.  Just like that.  Heartland Payment Systems was hacked in May, and now the following January they are famous for all the wrong reasons.

What gets me about this is that this processor was storing and forwarding the exact same set of data that the consumer provided. Why??? Why not alter that data at each step, such that the data needed for processing is not the same set of data needed to initiate a transaction? Using these kinds of methods may not prevent theft of data, but they can sure as heck increase the difficulty in using that data to make a profit.

I wonder what the cost is to the credit card companies per re-issued card?   Adding the postage, labor, and manufacturing time, I have to imagine this will not be cheap.    Changing an already established system isn’t cheap either, but what are the options?  Getting better promises of security from your payment vendors?   Yeah.  Right.

2 thoughts on “What’s in a 100 Million?”

  1. The real costs are even higher than those associated with reissuing cards; when merchants are presented with counterfeit cards produced with the aid of information obtained fraudulently as in this case, they often have literally no way of detecting that the cards are bogus – but they are still held responsible for the cost of the stolen merchandise under their credit card agreements. So this sort of incident can be very damaging to businesses who rely on credit cards.

  2. Presumably at least some of these stolen credit card numbers were originally used in online credit card transactions. While it may be difficult to ensure that merchants and credit card processors are taking adequate measures to secure this information, the ultimate goal is to prevent bogus payment transactions using the stolen information.

    One solution to online credit card fraud has been around for a while, but isn’t much used. Single-use credit card numbers are offered by only a small number of banks, and aren’t widely promoted. One reason is that these single-use numbers are cumbersome to use: you have to either download a piece of software and log in to generate the numbers, or you have to log in to the bank’s website. Then you must copy or drag the cc information to the merchant’s payment page. Most people won’t bother, especially since consumers are generally not held responsible for fraudulent use of their credit cards.

    Despite these disadvantages, there are at least two big advantages: since single-use cc numbers are good only once, it won’t matter if they are stolen. Secondly, since authentication is required to generate them, there is less chance of unauthorized charges being made. So merchants have some protection against financial loss due to chargebacks from the credit card company.

    The use of managed Information Cards as a way to generate and deliver a single-use credit card number to a merchant during an online payment transaction might be a better way to get single-use cc numbers more widely used. Provided of course that (a) the Information Card community can make Information Cards easy for consumers to obtain and use, (b) vendors of online shopping carts can be persuaded to incorporate the necessary processing for acceptance of the security tokens carrying the credit card information, and (c) credit card companies / banks support the use of managed Information Cards for online cc payments, publicize their availability, and encourage their use by consumers.

    Not a small set of challenges, but I think the ever-increasing number of data breaches presents some real opportunities for Information Cards to help prevent online identity and payment fraud.
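The two properties of single-use numbers described in the second comment (authentication is required to generate one, and it is good only once) can be seen in a small issuer model. This is an added example, not part of the original post or its comments; the `SingleUseIssuer` class, its method names, the expiry window and the 16-digit stand-in number are all assumptions made for illustration, not any bank's actual scheme.

```python
import hashlib, hmac, secrets, time

class SingleUseIssuer:
    """Toy bank-side issuer. Hypothetical design, not any bank's real scheme."""

    def __init__(self):
        self._creds = {}    # account -> (salt, password hash)
        self._numbers = {}  # issued number -> {"account", "expires", "used"}

    @staticmethod
    def _kdf(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, account, password):
        salt = secrets.token_bytes(16)
        self._creds[account] = (salt, self._kdf(salt, password))

    def issue(self, account, password, ttl=900, now=None):
        """Authenticate the cardholder, then mint a number good for one charge."""
        if account not in self._creds:
            raise PermissionError("authentication failed")
        salt, expected = self._creds[account]
        if not hmac.compare_digest(self._kdf(salt, password), expected):
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        # Constructed stand-in for a card number: 16 random digits (assumption).
        number = "".join(secrets.choice("0123456789") for _ in range(16))
        self._numbers[number] = {"account": account, "expires": now + ttl, "used": False}
        return number

    def authorize(self, number, now=None):
        """Merchant-side charge request; the number is burned on first approval."""
        now = time.time() if now is None else now
        rec = self._numbers.get(number)
        if rec is None:
            return "declined: unknown number"
        if rec["used"]:
            return "declined: already used"
        if now > rec["expires"]:
            return "declined: expired"
        rec["used"] = True
        return "approved"

def replay_after_breach():
    """A merchant stores the number, is breached, and the stored copy is replayed."""
    bank = SingleUseIssuer()
    bank.enroll("alice", "correct horse")              # constructed sample account
    number = bank.issue("alice", "correct horse", now=1000)
    merchant_db = [number]                             # what a breach would expose
    first = bank.authorize(number, now=1010)           # the legitimate purchase
    stolen = bank.authorize(merchant_db[0], now=1020)  # same number, second use
    return first, stolen
```
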
