This fall, credit card processors will being rolling out a new approach to preventing data theft, based on the assumption that it’s impossible to thwart every attack. Instead of keeping 100% of criminals out, they’ll segment and encrypt the data into such small chunks that it will no longer be a cost-effective crime.
We spoke with Evan Schuman, the editor and publisher of the blog StorefrontBacktalk.com, which broke the story earlier this month. Schuman has spoken directly with representatives of Heartland—which announced its own massive data breach a few months ago—and says they’ll roll out this new approach around October of this year, and that other processors are working on similar solutions. It involves new point-of-sale hardware that can encrypt each day’s batch of credit card numbers separately, then shuttle each daily pack off to Heartland’s data centers for archiving.
It’s a better approach than what we currently have. For one thing, retailers will no longer have any reason to store credit card numbers. But it’s not an ideal solution and there are some definite costs, as Schuman points out below. In fact, there’s a much better end-to-end encryption solution that we could already be using but aren’t simply because it’s not as profitable for card companies like Visa and Mastercard.
So what is it that Heartland is proposing?
Evan Schuman, StorefrontBacktalk.com:
“Historically security has always been based on, ‘You build a really good deadbolt, you keep the bad guys out. And if they come in you set it up so that you’ll learn about it quickly and engage in pursuit.’ What they’re saying here is, you know as a practical matter, let’s be a little smart about this. First of all we really can’t keep the bad guys out. Trying to do that is futile. Might as well let ‘em in, and let them steal a certain amount of data, and let them go. A, they’re going to anyway, and B., if you do it that way, you make sure they don’t get enough data that they can profitably sell. If you do that, they’re not going to steal it, or at least not very often, because they’re not going to make money that way.
“So it’s really about segregating data, so instead of having 50 GB of data here, you’ve got in a thousand different locations small quantities of data. They may get through that. Fine. They’re not going to make any money off of that, and it’s not cost-effective to break in at 50 different locations. It’s like instead of having a million dollars in your house, you’ve got 5 dollars in 200,000 houses. They’ll have to break in that many times, and each time there’s a risk of getting caught. It’s not worth it.
“Right when we broke the story, [we found out that] two other major processors, including one that’s larger than Heartland, were working on essentially the same thing, with their own proprietary angle.”
“Proprietary” sounds expensive.
“What it means is that there are a variety of proprietary efforts out there. Today, it’s pretty easy for a retailer, if you don’t like your processor, you go to another one. It’s really not that big a deal to switch. But with this, now they’re going to have all this hardware that only works with processor 3, and now it’s much more difficult for [retailers] to shift, particularly when multiple processors are doing it. So it’s going to be a whole lock-in time for retailers where they’re going to have to stay if they let this happen.”
A commenter on your story points out that this will separate retailers from their own data.
“I checked with our people at Heartland and they said, ‘Well, yeah, that’s kind of true.’ When a retailer uses their own credit card—for instance, when Sears uses a Sears credit card—they’re going to have to pay a processor to unencrypt their own data. In other words, you’ll be paying someone else to give you access to your own data. And if you start following through the logic of that, there are a lot of issues.”
Heartland calls this an end-to-end solution, but you and your readers have pointed out that this isn’t really true.
“This is not end-to-end, this is not even close to end-to-end. End-to-end really refers to, you take a credit card off the factory line, when they print the credit card, before the consumer gets it, before anyone can steal it, on the factory floor it’s encrypted. And it stays encrypted all the way through to the processor and even beyond to the card brand. Now that’s end-to-end encryption. You can steal it at any point—the consumer never has it unencrypted in their hand. Neither does the retailer, you completely bypass them.
“What these guys [Heartland] are doing is kind of, ‘Well, a little bit to the right of middle, to the middle of middle’—which just doesn’t have as much of a marketing tone.”
So why isn’t the end-to-end approach being pursued? Is it too technologically difficult?
“No, it’s not difficult at all. First of all, in Heartland’s defense, and any of the processors’ defense, it’s beyond their power to do it. They don’t ave the ability to do that, they don’t own the card.
It would have to be at the Mastercard or Visa level…
“Exactly. And Visa, among others, doesn’t want to do this because they would have to pay for the technology to unencrypt at their end. They would rather have it unencrypted. They insist that you send it in the clear, unencrypted, across a proprietary network. That’s they way they’ve done it for decades.
“The card brands, they don’t want to pay for end-to-end encryption, they have not supported it. They say, ‘Oh, we’ll consider it, we’ll talk about it,’ but they don’t want to do that. They can see that’s the best way to go, but they don’t feel like doing it, and no one in Congress is forcing them to do it. Even the latest credit card overhaul, they didn’t even come close to security issues. It was all about interest rates. No one is forcing them to do anything in terms of security, so why should they. So the processors are saying, ‘Well, we’re doing what we can here.’
“This doesn’t solve the problem, it won’t even materially reduce the problem, but it’s a definite improvement in security. It’s safer, it’s better than what exists today. It won’t resolve everything, but it’s better than today.”
So, how likely is it that Heartland’s approach will happen?
“As far as Heartland is concerned, this is definite, they’re going to have it out by October.
“Now, retailers who are Heartland’s customers have got to buy it. As far as I can tell, no one has bought this yet, so in theory if no one ever does… It’s sort of like a car company that puts out a car. Is the car definite? Yes, it’s going to roll off the assembly line and be in showrooms, assuming there are showrooms any more, but if no one buys it it won’t be out there for long.
“So this will definitely be introduced by Heartland. Whether anyone buys it has yet to be seen. I’m guessing some will. Heartland can deeply discount it to the point where it will be easy for them to do. But the cost is not really in the cost of the hardware, although if it’s a large chain, that can add up quickly. The cost is in making the change and then making it much more difficult for yourself to move later if you feel like it.”
We’re reporting on this on Consumerist because it reveals a little of the world of credit card processing and data security—the part of the retail chain that we never see, but that affects us at the register and after we leave the store. Schuman points out that whether the new data segmentation approach takes off or not, things won’t change for the consumer experience—it’s all pretty invisible from our side of the register.
What it could affect, however, is the cost of transactions for the retailer, and consequently it could impact prices at the register. Whether that’s worth it to implement a better security approach remains to be seen.
If you’re interested in how retailers approach the issue of data security, you should check out StorefrontBacktalk.com.
“Heartland’s New Encryption Strategy: Let Them In, But Limit Them” [StorefrontBacktalk]
(Photo: Andres Rueda)