Credit Card Processors Launch A New Strategy To Defeat Theft

This fall, credit card processors will begin rolling out a new approach to preventing data theft, based on the assumption that it’s impossible to thwart every attack. Instead of keeping 100% of criminals out, they’ll segment and encrypt the data into such small chunks that stealing it will no longer be a cost-effective crime.

We spoke with Evan Schuman, the editor and publisher of the blog StorefrontBacktalk.com, which broke the story earlier this month. Schuman has spoken directly with representatives of Heartland—which announced its own massive data breach a few months ago—and says they’ll roll out this new approach around October of this year, and that other processors are working on similar solutions. It involves new point-of-sale hardware that can encrypt each day’s batch of credit card numbers separately, then shuttle each daily pack off to Heartland’s data centers for archiving.

It’s a better approach than what we currently have. For one thing, retailers will no longer have any reason to store credit card numbers. But it’s not an ideal solution and there are some definite costs, as Schuman points out below. In fact, there’s a much better end-to-end encryption solution that we could already be using but aren’t simply because it’s not as profitable for card companies like Visa and Mastercard.
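The per-batch encryption described above, as an added example and not Heartland’s actual design (the article gives no implementation details): each day’s batch is sealed under its own independent key, bound to its batch id, so a key recovered for one day unlocks no other day’s archive. The choice of AES-256-GCM, the record layout and the assumption that batch keys are held apart from the archive are all this example’s, not the article’s.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// SealedBatch is one day's archived batch. The ciphertext can sit in the
// processor's archive while its key is held elsewhere; BatchID is bound in
// as GCM additional data so a record cannot be relabelled as another day.
type SealedBatch struct {
	BatchID    string
	Nonce      []byte
	Ciphertext []byte
}

// newBatchKey draws an independent 256-bit key for one batch (not derived
// from a shared master, so learning one key says nothing about the rest).
func newBatchKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBatch encrypts one day's card numbers under that day's key only.
func sealBatch(key []byte, batchID string, pans []string) (SealedBatch, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return SealedBatch{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedBatch{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(strings.Join(pans, "\n")), []byte(batchID))
	return SealedBatch{BatchID: batchID, Nonce: nonce, Ciphertext: ct}, nil
}

// openBatch fails closed: a wrong key or a tampered record yields no plaintext.
func openBatch(key []byte, b SealedBatch) ([]string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.BatchID))
	if err != nil {
		return nil, fmt.Errorf("batch %s: wrong key or record tampered with: %w", b.BatchID, err)
	}
	return strings.Split(string(pt), "\n"), nil
}

func main() {
	// Constructed sample: two days, two independent keys. PANs are placeholders.
	k1, _ := newBatchKey()
	k2, _ := newBatchKey()
	b1, _ := sealBatch(k1, "2009-10-01", []string{"PAN-TEST-0001", "PAN-TEST-0002"})
	b2, _ := sealBatch(k2, "2009-10-02", []string{"PAN-TEST-0003"})
	own, _ := openBatch(k1, b1)
	_, err := openBatch(k1, b2) // a key stolen for one day opens no other day
	fmt.Println("own batch:", own, "| other batch with same key:", err)
}
```

The protection holds only while each batch key is stored separately from the ciphertext it unlocks; a server holding both is a single point of failure, which is the objection several commenters raise below.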

Consumerist:
So what is it that Heartland is proposing?

Evan Schuman, StorefrontBacktalk.com:
“Historically security has always been based on, ‘You build a really good deadbolt, you keep the bad guys out. And if they come in you set it up so that you’ll learn about it quickly and engage in pursuit.’ What they’re saying here is, you know as a practical matter, let’s be a little smart about this. First of all we really can’t keep the bad guys out. Trying to do that is futile. Might as well let ’em in, and let them steal a certain amount of data, and let them go. A, they’re going to anyway, and B, if you do it that way, you make sure they don’t get enough data that they can profitably sell. If you do that, they’re not going to steal it, or at least not very often, because they’re not going to make money that way.

“So it’s really about segregating data, so instead of having 50 GB of data here, you’ve got in a thousand different locations small quantities of data. They may get through that. Fine. They’re not going to make any money off of that, and it’s not cost-effective to break in at 50 different locations. It’s like instead of having a million dollars in your house, you’ve got 5 dollars in 200,000 houses. They’ll have to break in that many times, and each time there’s a risk of getting caught. It’s not worth it.

“Right when we broke the story, [we found out that] two other major processors, including one that’s larger than Heartland, were working on essentially the same thing, with their own proprietary angle.”

“Proprietary” sounds expensive.

“What it means is that there are a variety of proprietary efforts out there. Today, it’s pretty easy for a retailer, if you don’t like your processor, you go to another one. It’s really not that big a deal to switch. But with this, now they’re going to have all this hardware that only works with processor 3, and now it’s much more difficult for [retailers] to shift, particularly when multiple processors are doing it. So it’s going to be a whole lock-in time for retailers where they’re going to have to stay if they let this happen.”

A commenter on your story points out that this will separate retailers from their own data.

“I checked with our people at Heartland and they said, ‘Well, yeah, that’s kind of true.’ When a retailer uses their own credit card—for instance, when Sears uses a Sears credit card—they’re going to have to pay a processor to unencrypt their own data. In other words, you’ll be paying someone else to give you access to your own data. And if you start following through the logic of that, there are a lot of issues.”

Heartland calls this an end-to-end solution, but you and your readers have pointed out that this isn’t really true.

“This is not end-to-end, this is not even close to end-to-end. End-to-end really refers to, you take a credit card off the factory line, when they print the credit card, before the consumer gets it, before anyone can steal it, on the factory floor it’s encrypted. And it stays encrypted all the way through to the processor and even beyond to the card brand. Now that’s end-to-end encryption. You can steal it at any point—the consumer never has it unencrypted in their hand. Neither does the retailer, you completely bypass them.

“What these guys [Heartland] are doing is kind of, ‘Well, a little bit to the right of middle, to the middle of middle’—which just doesn’t have as much of a marketing tone.”

So why isn’t the end-to-end approach being pursued? Is it too technologically difficult?

“No, it’s not difficult at all. First of all, in Heartland’s defense, and any of the processors’ defense, it’s beyond their power to do it. They don’t have the ability to do that, they don’t own the card.

It would have to be at the Mastercard or Visa level…

“Exactly. And Visa, among others, doesn’t want to do this because they would have to pay for the technology to unencrypt at their end. They would rather have it unencrypted. They insist that you send it in the clear, unencrypted, across a proprietary network. That’s the way they’ve done it for decades.

“The card brands, they don’t want to pay for end-to-end encryption, they have not supported it. They say, ‘Oh, we’ll consider it, we’ll talk about it,’ but they don’t want to do that. They can see that’s the best way to go, but they don’t feel like doing it, and no one in Congress is forcing them to do it. Even the latest credit card overhaul, they didn’t even come close to security issues. It was all about interest rates. No one is forcing them to do anything in terms of security, so why should they. So the processors are saying, ‘Well, we’re doing what we can here.’

“This doesn’t solve the problem, it won’t even materially reduce the problem, but it’s a definite improvement in security. It’s safer, it’s better than what exists today. It won’t resolve everything, but it’s better than today.”

So, how likely is it that Heartland’s approach will happen?

“As far as Heartland is concerned, this is definite, they’re going to have it out by October.

“Now, retailers who are Heartland’s customers have got to buy it. As far as I can tell, no one has bought this yet, so in theory if no one ever does… It’s sort of like a car company that puts out a car. Is the car definite? Yes, it’s going to roll off the assembly line and be in showrooms, assuming there are showrooms any more, but if no one buys it it won’t be out there for long.

“So this will definitely be introduced by Heartland. Whether anyone buys it has yet to be seen. I’m guessing some will. Heartland can deeply discount it to the point where it will be easy for them to do. But the cost is not really in the cost of the hardware, although if it’s a large chain, that can add up quickly. The cost is in making the change and then making it much more difficult for yourself to move later if you feel like it.”

We’re reporting on this on Consumerist because it reveals a little of the world of credit card processing and data security—the part of the retail chain that we never see, but that affects us at the register and after we leave the store. Schuman points out that whether the new data segmentation approach takes off or not, things won’t change for the consumer experience—it’s all pretty invisible from our side of the register.

What it could affect, however, is the cost of transactions for the retailer, and consequently it could impact prices at the register. Whether that’s worth it to implement a better security approach remains to be seen.

If you’re interested in how retailers approach the issue of data security, you should check out StorefrontBacktalk.com.

“Heartland’s New Encryption Strategy: Let Them In, But Limit Them” [StorefrontBacktalk]
(Photo: Andres Rueda)

Comments

  1. shepd says:

    This is the internet. Connecting to 50 machines won’t take someone with “skillz” any longer than it took them to amass that 250k computer botnet they’re abusing. And how is finding the IPs of another 49 botted PCs going to help them? Consider that in all likelihood every one of the 50 computers is going to be running exactly the same everything–break into one and you can own them all. Or are they going to have each one running its own OS and a different revision of software?

    And the data needs to be knitted together. Wooooo! I’m sure that will stop them! Absolutely fo’ sho’!

    • sanjsrik says:

      @shepd:
      I posted exactly this idea. It’s dumb, if 1 computer is hackable, then 50 will be well, 50 hackable computers.

      This is a dumb idea.

      The apples and oranges analogy of $5 in 200,000 houses is also pretty stupid. $5 is a physical thing in 200,000 houses which you’d have to break into to physically retrieve. Credit card numbers are all electronic, and all available via the Internet via an IP.

      Stupid idea, let me guess, consultant sold them on the idea right?

      • snowburnt says:

        @sanjsrik: A) I’m sure he’s not spilling exactly how they do it. it’s quite possible that there is some sort of procedure where it encrypts each of the 50 pieces using different keys and processes and unless you know all that it won’t work.

        still a single point of failure, but really, if you had a new fangled method of securing something, unless it was a honey pot would you tell everyone everything about it?

        He did just enough to make it sound like they were doing something to instill confidence and that’s it.

        • Cheapskate Brill says:

          Each system probably keeps the data encrypted with a different key. That would be pretty common.

          It’s not hackers from the Internet that’s the only worry. Insiders can steal the most information and breaking data across lots of servers throws up a big red flag if one user is logging into each of those servers. The PA-DSS security requirements (Visa/MC/Amex/Disc. security regs) require that all access to servers with sensitive information be logged.

          This whole Heartland piece is not about breaking into servers. It’s about sniffing the unencrypted IP traffic between systems. The encryption system is meant to prevent someone from sneaking into the back room of your local big box retailer (or anywhere on the network) and connecting a sniffer PC to the store’s card network router.

    • karlthepagan says:

      @shepd: Fortunately, since almost no sites have security that weak, it’s not about skill or resources, but about the time the attacker spends to acquire the accounts.

      Yes a 0day could own a large number of servers, but not all of them. Vendors are getting better about protecting their servers lately (see the 0day archive [research.eeye.com])

  2. johnva says:

    I’m surprised none of them have this sort of thing already. Well, actually I’m not that surprised, given the fact that the basic credit card system is fundamentally flawed from a security perspective. This might help to limit the processors’ exposure to data breaches, but it doesn’t fix the basic problem with credit cards, which is that they use a static number that can easily be stolen simply by looking at the card, using a skimmer, etc. You can use more and more sophisticated encryption and storage schemes, etc like this to limit the damage caused by breaches, and that’s a good idea, but it’s still way too easy for someone to steal a credit card number and use it.

    If Visa/MC were really concerned about security, they should go to something like a contact smart card system with strong cryptography on the card and only one-time-use numbers for everything. But it’s their decision, as it’s their liability if things get stolen.

    • cabalagent1 says:

      @johnva:
      What makes me cry is that the technology to fix ALL of this exists today.

      In itself, it’s not rocket surgery or brain science. But getting the industry to THINK securely is a monumental undertaking. The card companies may be satisfied with PCI, but I consider it only a most basic starting point. It’s a joke.

      The entire credit card infrastructure needs to be overhauled, starting with the swipe terminals used at the point of sale, all the way up to the banks. I don’t like giving my card to someone and having them walk out of my sight to process it. The skimmers have portable swipers, so why can’t the vendors have them? While we’re at it, let’s make sure that the swipers are communicating securely and that the swipe and the clearinghouse have authenticated themselves.

      While we’re at it, let’s move away from the 60 year old model of “swipe and it’s authorized” to a 2-factor model. This will necessitate the use of portable swipes so my card never leaves my presence. Tie it to an RSA-style keytoken that changes every minute. Now, even if you have my card number, it won’t do you any good unless you have my PIN and keycode. And if you do have it, it’s only good for 60 seconds.

      I could go on and on at each level, and wonder why nobody has done anything to fix an obviously broken system. While we’re at it, let’s enforce the “Hey big retailers… you shouldn’t be retaining your customer’s card info” rule. They have no real need for it, and it’s only going to lead to problems.

      • johnva says:

        @cabalagent1: Yeah, like I said, the entire CC infrastructure is fundamentally broken. As always, it’s an issue of money that prevents it from being upgraded. It would appear that so far it’s cheaper to just buy insurance or something against fraud than to actually fix the infrastructure. The sad thing is that I’d be willing to bet a large part of the infrastructure actually gets replaced periodically anyway. I’d bet that the largest part of the cost of a new credit card system would be replacing all the POS terminals out there, and the retailers already have to buy new ones of those every time they wear out. Agreed that PCI is a joke.

        I think this is a case where the people involved with fixing this simply don’t see it as worth it. The losses just aren’t enough, yet, for them to care.

    • mac-phisto says:

      @johnva:

      But it’s their decision, as it’s their liability if things get stolen.

      see, THAT is the whole problem with the system. i’m assuming that “their” in your post means visa/mc. that couldn’t be further from the truth. here’s how a transaction pans out:

      you –> retailer –> retailer’s processor –> card issuer’s processor –> card issuer

      now, what you’ll notice is that visa never really touches it, or more accurately, this is all visa. they provide the infrastructure/rules/hardware/standards for the system.

      typically, when fraud occurs, the rules dictated by visa decide who pays: you, the retailer or the card issuer. visa is NEVER on the hook. breaches are a little different b/c each link is ultimately responsible for their security. in these cases, a processor could be on the hook (like w/ heartland). now, banks & processors typically have insurance to mitigate these incidents, but in the face of multi-million dollar breaches, the insurers are starting to do what insurers do – tell you to piss off when you need them most.

      the point is, the people most likely to lose when fraud occurs are the least likely to do anything about it. insurance companies aren’t even customers of the system, so it’s not like they can do a whole lot. card issuers & retailers are pretty much hanging by their balls here. the processors have some interest in keeping their data safe, but the real culprit is visa & they don’t have any exposure here.

    • Cheapskate Brill says:

      A debit card is “two factor”, but a PIN is false security. Plus if it gets breached, you are SOOOO screwed. Try explaining to a bank how your super secret PIN somehow got out.

      And as a frequent card user, I have security concerns, but I don’t want to make it inconvenient to use my card or take away the ability to use it on the internet or offline when the system is down.

  3. econobiker says:

    I thought the scammers were beyond stealing card numbers and now running automated number generators which they then test against iTunes to verify as a live number?

    • Ihaveasmartpuppy says:

      @econobiker: Yes, they are. Here’s a good one:
      Years ago one of our cc’s info was stolen. The card was replaced with a new one and new number, but THAT one also had the info stolen before we even received the card in the mail. So it was either generated or stolen at the issuer. The envelope wasn’t tampered with and there was no RFID chip in it so it wasn’t anyone in the postal system.

  4. wardawg says:

    I’d be more convinced if he actually sounded like he believed in the technology himself. He readily admitted that it’s not the best solution, and that there’s a significant chance that it probably won’t take off. And if it doesn’t take off, what are the chances that the credit card companies are going to do anything about security like he suggests they should.

    True end-to-end encryption is the way to go speaking from a purely security minded standpoint, but I’m sure I’m not the only one who gets the feeling that the credit card companies are going to have to have it shoved down their throats.

    • cabalagent1 says:

      @wardawg:
      They should have been encrypting their data to begin with, but this only prevents the theft of the actual database itself. The database itself needs to be designed not for convenience but for security. Restrictions on views, queries and the rest. The applications they use to access the database should be rewritten from a security paradigm, not “whatever is easiest”.

      This is 99% of the problem – the original designers went with whatever was fastest, cheapest and easiest. A lot of programmers don’t think in a defensive mindset, they’re into whatever works and try to leave it up to the networking people to secure it. When the fault is in the application and the data, all the firewalls in the world aren’t going to prevent data from being stolen.

      Programming for security means returning only the minimal amount of data back to the application that is necessary to conduct the transaction. Or re-thinking the entire process. Really, places like this are just interfaces to Mastercard and Visa, I would be surprised if they really need anything more than an approval code and a transaction number. While we’re at it, let’s make sure all the traffic is not only encrypted, but we’ve authenticated each other.

      • wardawg says:

        @cabalagent1: You mean like having combined PKE pairs embedded in the new chip cards that match up with PKE keys in the terminal assigned to each retailer to form a full key, ensuring that the only information held at processing facilities like Moneris and Heartland is fully encrypted and can only be decrypted by MC/Visa (who would distribute the key ranges to authorized processors) but is never actually stored in the decrypted format? (/crypto nerd)

        There’s better ways to do it I’m sure, but doing the initial encryption with a 1024 bit key between the card and the terminal using a Diffie-Hellman key exchange would be simple to implement and make it nearly impossible to view any unencrypted data, but the chip card would have to be programmed to encrypt its own data before going out which would increase the cost per card.

        Another option would be Triple-DES encryption using keys from the card, the terminal, and the issuer, but it might be harder to implement the initial key exchange.

  5. Schlake says:

    When you are talking about security and encryption, the word “proprietary” is synonymous with “insecure,” not “expensive,” though the first does lead to the second.

  6. vladthepaler says:

    If retailers are now allowed to add a surcharge for credit card use, they could easily recover the cost of the secure transaction. It’d certainly be more fair to do it that way than to raise prices for everyone.

  7. oldgraygeek says:

    I fix home PCs, and I am the smallest credit-card merchant there is. I make, on average, about one transaction per week.

    If I read my merchant agreement correctly, I am responsible for financial damages caused by any data breach in my office. If I kept the card numbers, a simple break-in could ruin me: fraudulent transactions on any two or three cards I had accepted would locate me more accurately than any GPS unit.

    Here’s my security procedure:
    – Using a single-copy receipt book, I take an imprint of the card at the customer’s house and get a signature.
    – I give the customer the signed original.
    – I make sure the yellow copy is legible and put it in my wallet, in case I lose the receipt book. (I did lose one book, and replaced it without worry because I knew there were no card numbers in it).
    – When I get home, I punch in the customer’s card number, expiration date, house number and Zip code. (“Card Present?” = Yes, because I have an imprint).
    – My terminal dials up for approval, prints one copy of the slip with the full card number on it, and offers to print a second that would only have the last 4 numbers; I decline.
    – I settle the terminal, transmitting the “batch” of one or two transactions.
    – The written & printed slips go into a folder.
    – Every Sunday, my wife shreds the contents of the folder.
    – She mixes the shredded slips with used cat litter and throws them away.

    On any given Monday morning, I have no records of any customers’ card numbers (or signatures). I’d like to retain the signatures for longer, but I can’t figure out how to do that without also keeping the card numbers. I should scan them and blur the card info, but I’m too lazy to make it happen & stick to it.

    • mac-phisto says:

      @oldgraygeek: you’re leaving yourself open to some chargeback exposure if you can’t produce a signed sales receipt – especially considering you’re not transmitting CVC/CVV2 track data for an authorization.

      i know a few merchants that do their settlement on dedicated machines disconnected from any network/internet (except when they are transmitting batches & then, only via a phone line). then there’s some i know that archive strictly on optical (though there’s still a chance that data could be compromised in this fashion).

    • Révolution says:

      @oldgraygeek: Highly secure digital scanning system:
      – Buy a cheap desktop
      – Bolt it to the floor
      – Install Truecrypt
      – Encrypt the files
      – Modem+Scanner
      – Fill in extra USB ports with epoxy.
      – Lock the case shut, or at least use screws.

      Scanning works fine, as long as the computer isn’t networked, is encrypted, and is physically secure.

  8. alternatestory says:

    This was tremendously interesting – thanks for posting it.