Tuesday, January 20, 2009

Heartland breach, One-time credentials & EMV

The inauguration is over, and we are waking up to a new tomorrow. We are realizing, as is to be expected, that nothing much has changed in our lives.

The latest breach, at Heartland Payment Systems, was shocking. However, a cynic would say that after Madoff, the TARP fiasco, 8 years of Bush... the Heartland breach seems rather benign. Reports are that as many as 100 million accounts could have been compromised. To put this in perspective, the TJX breach affected 45 million accounts.

Security audits, certifications et al. are necessary. But these are essentially a cat-n-mouse game. As long as there is value in the data, the bad guys will continue to try to steal it (and they will occasionally succeed). Making payment transaction data worthless may be a way to break this vicious cycle.

One-time credit card numbers are one way to get there. Orbiscom, recently acquired by MasterCard, offers such a solution. Citi and PayPal, among others, offer such payment cards.

Additionally, the US might need to get moving on adopting EMV / Chip-n-PIN. Creating magstripe payment cards using skimmed data is too easy. Creating chip cards using skimmed data is a tad tougher. As the rest of the world moves towards EMV, the US will increasingly be the soft target. I wonder what the trigger needs to be for the US payments industry to decide that the cost to move to EMV is cheaper than the status quo?

Feedback / Comments?
