Are you a legal professional? Visit our professional site

Credit Card Data and Encryption: Big Holes in Protection

Article Placeholder Image
By Admin on September 18, 2009 10:58 AM

These days many people fear the theft of credit card data during online purchases or through malicious software on their personal computers. However, the biggest risk to your credit card number probably isn't someone stealing it from you, but rather someone stealing it from one of the merchants you pay everyday or from the payment processor a merchant uses.

In the wake of the largest credit card data heist yet recorded, many are wondering how a twenty-something in Miami (plus his partners) can rob one of the nation's largest card payment processors blind for more than a year. They may also wonder how he could cruise down the highway and remotely detect which big box retailers have credit card transaction data open for the plucking.

The answer would surprise most: credit card data often goes unencrypted at some point along the chain. As it goes from cardholder to merchant to payment processor to credit card company and back, someone getting hold of it at any point while its not encrypted has gold in their hands.

Currently, credit card companies require payment processors and merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS). While the PCI DSS requires encryption for payment card data while it is in transit from one network to another (say the merchant to the payment processor), encryption is not required when payment data is within an internal network.

This has Robert Carr, CEO of Heartland Payment Systems, calling for the credit card industry to adopt an "end-to-end" standard for the encryption of payment card information.

One might view this as too little too late from the less than nimble victim of the theft of 120 million card numbers (and the defendant of a slew of lawsuits over its data practices), but it's a good point none the less: why is this data not encrypted all the time?

Carr's call may also be seen as a plea for continued self-regulation -- let the credit card industry (not federal regulators) revamp its internal rules (which up to now have not proved terribly reassuring). As Computer Weekly put it in January, after the year and half long plundering of Heartland came to light, Heartland's case proved that PCI compliance is not enough. Will revamped self regulation through revised PCI compliance be enough?

A Congressional committee might rake Mr. Carr over the coals for a day, but will Congress step in and create rules of the road for payment data?