New study sees flaws in data security standards

New study sees flaws in data security standards

A report published in June by The Associated Press, which discovered flaws in the Payment Card Industry (PCI data security standards brings to mind former con artist Frank Abagnale.

Abagnale once talked about defeating the elaborate security devices on an ATM with just a tube of superglue. An expert on bank fraud, Abagnale glued the dispensing door on a new automated teller machine shut with a few drops of adhesive. After several customers tried to withdraw money, Abagnale simply punched the door with his fist, retrieving an accumulated pile of cash in front of a group of shocked bank executives.

The ease with which Abagnale defeated the safety interlocks forced the ATM manufacturers to go back to the drawing board. Unfortunately, when faced with overwhelming evidence of fraud in their own industry, those banks and lenders involved in credit card processing have not been as vigilant with their data security procedures as they should have been.

Before we get to what the AP piece discovered, it's important to look at the PCI standards.

PCI standards appear ineffective
Between the time that a merchant uses a credit card reader and a charge appears on a bank statement, a credit transaction must go through several steps. At each point in the process, sensitive information (such as a customer's name and available balance) are ripe for the picking by skilled cyberthieves.

In an effort to increase data security and curb ID theft, some of the larger credit card companies including American Express, Discover and Visa, founded the Payment Card Industry Security Standards Council in 2006. An admirable idea, the PCI Council sets credit card processing standards for banks and other lenders. Those who do not stay in compliance with the standards face serious fines.

Unfortunately, studies show that PCI standards aren't as effective as those with merchant accounts have been led to believe. The AP's recent piece highlighted notable flaws in the PCI standards. The article mentioned Heartland Payment Systems, a PCI compliant payment processor, which lost the personal and confidential information of millions of consumers.

Who is minding the store these days?
The first, and perhaps most critical, step in credit card processing is at the store level. Those businesses use merchant accounts, which should be thought of as an extension of credit from an "acquiring bank." When a customer presents a credit card for payment, the necessary information is sent to the acquiring bank, which then requests the funds from the credit card issuers on behalf of the merchant.

The AP article does point out the vulnerability between the store and the acquiring bank if the data isn't scrambled and sent on a secure network. Data encryption and decryption are time consuming and expensive, which is why many banks aren't as enthusiastic about using these data security techniques all the time.

Maintaining data security at the front end
Even with the ever-present threat of ID theft, most consumers still want the freedom to walk into a store, present a bit of plastic and walk out with their purchase in just a few minutes. Still, with the investment of just a little time at the beginning of the credit card processing cycle, banks and consumers could save thousands of hours of research and phone calls.

Besides demanding data encryption on every single transaction, the federal government could take a more serious look at the "chip and PIN" technology that has become quite popular in Europe. With this system, credit cards come equipped with a tiny computer chip that requires customers to enter a 4-digit personal identification number (PIN). It may take a few extra minutes to complete the transaction, but it saves more money and time in the long run.

Published: July 16,2023