
Once Bitten, Twice Shy: Why the Credit Card Network is Ready for a Paradigm Shift


As a victim of the Target credit card hack, and having had to work with the bank to replace the stolen identity, this writer can speak first-hand about thinking twice before giving out my credit card again. Not just to Target, but to any store. As Marc Andreessen, venture capital partner at Andreessen Horowitz, recently tweeted:

Corollary: Giving your credit card info to online merchant in 2014 is data equivalent of unprotected sex. For the love of God, please stop.

— Marc Andreessen (@pmarca) March 23, 2014

It was uncovered recently that MasterCard had discovered a security breach involving credit card data at the State of California Department of Motor Vehicles. This went on for over SIX MONTHS. They found it necessary to send the alert to various financial institutions, but what about the public? Consider the loss of confidence that should be taking place as they cover up the mess as quietly as possible. It is in MasterCard’s best interest to quietly sweep this under the rug, but consumers might do well to question whether this tactic is also aligned with their own best interest. US Attorney General Eric Holder has now called for new consumer protection laws that mandate companies disclose data breaches.

Merchants lost 190 BILLION in 2012 due to credit card fraud, according to a report in Forbes. The financial institutions and financial news networks make sensationalistic headlines about the relatively tiny bitcoin market while underreporting credit card fraud on a massive scale. By way of comparison: the Mt. Gox fiasco’s estimated loss to customers might be $300 million (depending on the outcome discovered from the hidden wallet). Credit card fraud was about a 630 times bigger problem than Mt. Gox. Put another way, credit card fraud would be roughly the same as Mt. Gox filing for bankruptcy every 14 hours. Every. Day. Of. The. Year.

Where were Senators Charles Schumer and Joe Manchin, riding in on their white horses to rescue us from that mess, when we needed them? Bitcoin makes no campaign contributions.

While BusinessWeek ran a thorough piece analyzing what went wrong at Target, some consider it troubling that these companies failed to report the security breaches for days or weeks while they prepared their damage control and rehearsed their public relations campaigns. In the meantime, the problem compounded as user data was auctioned and sold on the black market. Trusted financial news networks such as CNBC and Fox Business concentrated on the positive news of how well companies were doing at improving security measures but failed to report how bad the situation was to begin with. Bitcoin pays for no advertising on these news channels.

The organization behind the PCI standards, and the rules it creates, govern which companies can participate in the credit card network and what security standards they must comply with to benefit from inclusion on the payment network. Among those represented are Visa, MasterCard, American Express, and Discover. The organization regularly issues guidelines and rules to update and augment the recertification process for increasingly complex security requirements imposed on merchants. The validation checklist for the security audit includes a 218 page book containing 399 steps expected to be performed quarterly. Only the largest organizations, with an on-site specialty compliance department, might have the resources to undertake the task. Smaller companies must use an independent, qualified and certified third party company. As one might expect, this doesn’t come cheap.

Comments from HP’s security and payments expert Slava Gomzin are gaining traction. He has written the book “Hacking Point of Sale” and is a frequent critic of the PCI implementation of security at the point of sale. He has compared a PCI-compliant merchant environment to “A poorly designed nuclear reactor ready for meltdown.” It is important to remember that Target and Neiman Marcus were reported to be PCI compliant at the time of their security breaches. Gomzin’s suggestion was to keep several credit cards, each with a small limit. Small limits can limit the damage. Even if banks let you off the hook, we all pay, through fees and interest passed on to everybody else. Banks don’t repay those funds out of the goodness of their hearts. Gomzin has indicated he sees a future in which a more mature version of a bitcoin-like digital currency system provides solutions.

An annual report issued by Verizon Enterprises indicates that a whopping 82 percent of companies were not compliant with PCI requirements that are said to be “non-negotiable”. An 89 percent failure rate was found for companies trying to maintain PCI compliance between quarterly audits. Computerworld magazine openly questions whether being “PCI compliant” even means anything anymore as far as the security of the customer is concerned. Is it fair to ask whether all of the regulations, formulas, requirements, updates and revisions have now become unmanageable? Are they now too complex, or have they spun out of control? Does the industry seem ripe for a paradigm shift?

The credit card payment network’s point of sale systems are largely running on Windows XP. Alarmingly, merchants only have until April 8th to decommission all Windows XP devices, or upgrade now, before Microsoft ends all support and updates for the operating system. One possible solution might be a paradigm shift that one day comes from the fruit borne by digital currency research and experimentation – once it is scaled and matured enough to handle the volume.

Waiting to see who dares to use a credit card after April 8th reminds me of a scene in the classic movie Jaws. The scene takes place at the Amityville Beach on the fourth of July. After several reported deaths from shark attacks, who will get into the water first? The crowd gathers at the beach but nobody dares enter the water. One family is finally convinced to be first and soon everybody else on the beach feels safe and joins them. But it’s an uneasy and uncomfortable time in the water with skittish people. Once even the hint of a shark is muttered, everybody panics and rushes back to the beach for safety.

Is it possible that with credit cards it will be the same? April 8th is where the beach meets the water. Hackers and virus makers have circled April 9th on their calendars. They may be lurking in the depths of the internet like a predatory shark unseen beneath the ocean surface. Bad actors have likely saved their own viral “masterpiece” to be released on the “special” day they know that venerable Windows XP computers will no longer be supported or updated. Even if their devious efforts aren’t felt at first, we know through recent experience that the embarrassing problem of breached customer data records might not be disclosed for days or weeks – until disclosure has become the last resort. By then the damage is done. A new round of consumers will have been bitten.

Who among us is brave enough, or foolish enough, to use a credit card on April 9th, until some point down the road when the blood has cleared from the water and the “all clear” signal has sounded? I for one was bitten during the Target fiasco, so it will not be me.

Once bitten, twice shy.