The black hole of Credit Card Security
I just got off a conference call with a client discussing a vendor we are evaluating to do a complete PCI compliance audit. The whole process will entail everything from policies and procedures, vulnerability scanning, server and network security controls, and testing and remediation. Needless to say this service comes with a hefty cost, and my client asked a simple question: "When this is completed, will my stores be 100% secure from outside intrusion?" The answer is no, thus the black hole. A PCI audit is a point-in-time snapshot of a set of controls, not a guarantee against the next attack, and the simple truth is that we are using 40-year-old technology (magnetic stripe) for processing credit card transactions.

Will the implementation of EMV by the end of 2015 solve the problem? The answer is no again, since the U.S. has decided not to use the version used in Europe, which requires both chip and PIN; instead we will use chip-and-signature, so the chip alone authenticates the card and nothing authenticates the cardholder. A PIN is widely regarded as essential to protecting a card against use by whoever holds it, so the question is why, which is the second black hole.

I watched the congressional hearing this week when they questioned Target and the few other retailers who have recently been hacked (Target had passed a PCI audit three months prior to the breach). It was the usual theatre of outraged lawmakers promising to get to the bottom of the issue. My suspicion is that we have lagged behind Europe in adopting the EMV standard for financial reasons. All the interested parties (banks, credit card companies and retailers) have a strong interest in who will pay for the new equipment required to process the new cards, and I suspect there has been much lobbying of congressmen and senators by all of them. When you watch a hearing you don't know who's paying whom in the form of campaign contributions.

I have a simple solution: let's require legislators to wear uniforms like NASCAR drivers, with patches of their sponsors. When I watch a congressional hearing, at least I would know who is sponsoring the line of questioning. We would eliminate one black hole anyway.