Encryption May Not Be the Answer for Card Security

CHICAGO — The payment industry's focus on adding encryption at the point of sale to protect card data is counterproductive, MagTek Inc.'s top executive says.

The terminal vendor has long advocated unconventional security methods. For example, the company's MagnePrint technology "fingerprints" magnetic-stripe cards by their physical traits to help catch cloned cards – a different approach from the industry's current focus on encrypting stripe data or upgrading to chip cards.

In pushing advanced encryption, the Payment Card Industry Security Standards Council is doing more harm than good in its stated mission to protect cardholder data, says Annmarie Hart, president of the terminal vendor MagTek. Hart went so far as to describe the PCI standard, the rules the card networks use to enforce the protection of card data, as a "false god" when it comes to fraud prevention.

"We're told 60% of merchants are PCI-compliant, but we continue to hear about breaches," Hart said at a payments symposium hosted by the Federal Reserve Bank of Chicago on Monday. "Have we questioned whether the protocols are ineffective?"

The PCI Council's focus should center on authenticating data – rather than encrypting it – from the moment a card is swiped at the point of sale until it arrives at the issuer for processing, Hart said.

"It's authentication that actually buys you security, and it's authentication as an industry that we need to move to," Hart said in an interview. "You don't see any activity coming out of PCI on the subject of authentication."

The PCI Council's stated mission is to protect card data, but the organization is the "ultimate observer of the status quo" in terms of preventing fraud, Hart told conference attendees.

"PCI is all about compliance and not about fraud reduction," Hart said during her interview. "As a business model, if [the council] really wanted to do a service to the industry, they should reevaluate their business proposition and mission."

The council's ultimate mission should be to put itself out of business, Hart says. "Make the payments world secure enough that we don't need all these goofy rules and extra audits."

A representative from the PCI Council did not respond immediately to a request for comment.

Hart was not the only conference speaker criticizing the PCI process. The Shazam electronic funds transfer network spends millions to comply with PCI standards, says Terry Dooley, Shazam's senior vice president and chief information officer. But if the network makes a change to its software, the council's rules no longer deem the network secure.

"You're considered secure for about 30 minutes [out of] the whole year," Dooley said.

Dooley also pushed authentication as the best method to reduce fraud and said the council should place more emphasis on the use of PINs.

"There are a number of different companies touting technology that focuses on the PIN," Dooley said. "That will strengthen security more" than encryption.
