
Credit Card Processing Spawns Breach Opportunities

Written by Chris Poley
4/6/2012 24 comments

The list of high-profile online security breaches expanded again last week.

Global Payments (NYSE: GPN), an electronic transaction processing and payment service company employed by Visa USA, has been dropped from the credit company’s register of approved service providers. In other words, the company has been terminated until further notice.

Last week, Global Payments reported a breach of roughly 1.5 million Visa and MasterCard accounts in a non-public announcement to the credit companies.

More specifically, Global Payments said “Track 2” information was stolen. If compromised, Track 2 data allows the hacker to transfer card numbers, PIN information, and expiration dates onto the magnetic stripe of a fraudulent card, which can then be used to make purchases.

In his initial statement, Global Payments CEO Paul Garcia said: “It is reassuring that our security processes detected an intrusion.”

Really, Paul?

While Visa moved quickly to pull the plug on the third-party processor, Global Payments took plenty of time to report the breach, which occurred between January 21 and February 25.

That said, third-party processing is only part of an extremely complicated network involved in credit card processing, a network that exposes the consumer, merchant, and bank of issuance to hackers.

Here is a rundown of all the opportunities for a security breach that go into a single transaction:

  • Step 1. The customer submits a credit card for payment.
  • Step 2. The credit card company manages the complex routing of the data on behalf of the merchant.
  • Step 3. The processor for the merchant’s bank submits the transaction to a credit card network like MasterCard or Visa.
  • Step 4. The credit card network routes the transaction to the bank that issued the credit card to the customer.
  • Step 5. The issuing bank approves or declines the card purchase.
  • Step 6. The credit card network relays the transaction back to the merchant bank’s processor.
  • Step 7. The credit card processing company stores the transaction results and sends them to a Website, where the customer and merchant can see that the sale or the purchase has been completed.
  • Step 8. The issuing bank sends the appropriate funds for the transaction to the credit card network, which passes the funds on to the merchant bank.

This processing procession can be looked at two ways. First: “Wow, that seems like a whole lot of openings to create a breach for hackers.” Second: “Wow, it’s amazing there aren’t more security issues than already exist.” Either way, it appears the system is fraught with opportunity for fraudulent activity.
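To make the eight steps above concrete, here is an added example (written for this page, not code from Global Payments, Visa or any processor) that models the chain as a list of parties, parses a Track 2 string into its fields, and then audits which party still holds track data or the CVV2 after the authorization has completed. The Track 2 layout follows ISO/IEC 7813; the sample card number is the published Visa test PAN; the party names and the `keeps_raw` flag are constructed for the illustration; and the list of elements forbidden at rest reflects the PCI DSS rule that sensitive authentication data must not be stored after authorization.

```python
"""Model of the card-authorization chain from the eight steps above, with a
post-authorization retention audit. Added example, not any company's code."""
import re
from dataclasses import dataclass, field

# Track 2 layout per ISO/IEC 7813: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Elements PCI DSS says must never be stored once the authorization is complete.
FORBIDDEN_AFTER_AUTH = ("track2", "discretionary", "cvv2", "pin_block")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit, the first sanity test on any PAN you receive."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 string into its fields; reject anything malformed."""
    m = TRACK2_RE.match(track)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("malformed Track 2 data")
    return {
        "pan": m["pan"],
        "expiry": f"{m['mm']}/{m['yy']}",
        "service_code": m["svc"],
        "discretionary": m["disc"],
    }


def mask_pan(pan: str) -> str:
    """Keep issuer prefix and last four, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Party:
    """One hop in the chain and what it keeps in its own database."""
    name: str
    keeps_raw: bool            # True = lazily stores the whole message it received
    stored: dict = field(default_factory=dict)

    def receive(self, message: dict) -> None:
        if self.keeps_raw:
            self.stored = dict(message)          # full track data lands at rest
        else:
            self.stored = {                      # only what settlement needs
                "masked_pan": mask_pan(message["pan"]),
                "expiry": message["expiry"],
                "amount": message["amount"],
            }


def run_authorization(track2: str, cvv2: str, amount: int, chain: list) -> dict:
    """Steps 1-6: the same message is relayed hop by hop along the chain."""
    fields = parse_track2(track2)
    message = {**fields, "track2": track2, "cvv2": cvv2, "amount": amount}
    for party in chain:
        party.receive(message)
    # Step 5: the issuer decides; the demo simply approves.
    return {"approved": True, "masked_pan": mask_pan(fields["pan"])}


def retention_violations(chain: list) -> dict:
    """Step 7 audit: which parties still hold data that must not be stored."""
    return {
        p.name: sorted(k for k in p.stored if k in FORBIDDEN_AFTER_AUTH)
        for p in chain
        if any(k in FORBIDDEN_AFTER_AUTH for k in p.stored)
    }


# Constructed sample built on the widely published Visa test PAN, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"


def demo() -> dict:
    chain = [
        Party("merchant", keeps_raw=False),
        Party("third-party processor", keeps_raw=True),   # the weak link in the story
        Party("card network", keeps_raw=False),
        Party("issuing bank", keeps_raw=False),
    ]
    run_authorization(SAMPLE_TRACK2, cvv2="123", amount=4999, chain=chain)
    return retention_violations(chain)


if __name__ == "__main__":
    print(demo())   # {'third-party processor': ['cvv2', 'discretionary', 'track2']}
```

The audit is the part worth keeping: a hop that relays the message is not a problem in itself, but any hop that writes the raw message to disk turns a transit path into a breach target, and the report names exactly which stored elements would have to be purged.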

By the way, the same third-party processing leg of the credit card transaction was also responsible for the massive security breach that occurred in 2005, in which 40 million cards were exposed by CardSystems Solutions.

A frightening reality is that there are dozens of third-party processors. According to the Nilson Report, Global Payments handled $120.6 billion in Visa and MasterCard transactions last year and ranks seventh among third-party vendors. A so-called “stress test” was administered to Global Payments last July, and the firm passed.

Users aren’t happy. Following a CNET blog by Roger Chen, one commenter wrote: “The problem is complexity. These are enormous organizations with tens or even hundreds of thousands of people and thousands of systems and applications. The number of moving parts and the number of interactions is mind-boggling. It’s almost inevitable that oversights will occur.”

So what’s the solution -- more regulators, more stringent compliance, more frequent testing?

Or is less more? Fewer hands in the processing, fewer risky processors? Or perhaps less apathy by the merchants who should be required to ask the card user to give the CVV or 4-digit code on the back of the card… always!

Let’s not leave the consumer blameless. The FTC suggests some protective measures that can help guard consumers against some of the more common user indiscretions. Remember: card details you hand over by phone or in a traditional retail store can later be used to make purchases online.

The globalization of all markets through the Internet has serious repercussions that will continue for years to come. The vulnerability of the credit card industry is just one of them.

— Chris Poley has been a professional trader for more than 20 years.

Chris Poley
Thinkernetter
Monday April 9, 2012 9:42:54 AM

Thank you, Michael, for the link. I had read just a brief paragraph about tokenization, and it pales in comparison to your link’s detailed explanation.

However, when speaking of the cost of doing business, don’t you find it necessary to provide the highest industry standard of credit card protection on all levels and to all concerned parties? Whether or not the FTC, rating agencies or the banking industry itself provide some stringent compliance to the credit card process, isn’t it paramount to have the best protective measures in place because you will lose your business to someone who provides such protections? Also, if insurers are involved, either your rates will reflect high risk and not be cost prohibitive, or you may be denied protection altogether.

Bottom line, either way the issuer and processor need to provide the highest level of protection if they choose to stay in business.

Michael P. Kassner
Thinkernetter
Monday April 9, 2012 9:21:14 AM

If the database was encrypted properly and there was no insider crime, that means the stolen database is encrypted. Of what good is an encrypted database to the bad guys? 

Tokenization is available, but as I mentioned it is costly and has yet to tip the risk assessment balance into a position where management will employ it.

http://www.creditcardprocessing-r-us.com/Credit_Card_Processing_Blog/2010/12/credit-card-processing-tokenization/
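As an added illustration of the tokenization Michael refers to (example code written for this page, not taken from the linked blog or from any vendor): the merchant's and processor's databases keep only a random token, and the PAN lives in one segregated vault. The reverse index uses a keyed HMAC rather than a plain hash because the PAN space is small enough to enumerate; the vault column is assumed to be encrypted at rest with a KMS-held key (not shown); and the caller-name check in `detokenize` stands in for real service authentication. The card numbers are published Visa and MasterCard test numbers.

```python
"""Tokenization vault: merchants and processors store a random token, only the
segregated vault stores the PAN. Added example, not the code of any vendor."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultRecord:
    pan: str          # assumption: in a real vault this column is encrypted with a KMS-held key
    last4: str


class TokenVault:
    """The one place a PAN exists once a card has been tokenized."""

    def __init__(self, index_key: bytes, detokenizers: set):
        self._index_key = index_key          # HMAC key, kept inside the vault only
        self._detokenizers = detokenizers    # service roles allowed to recover a PAN
        self._by_token: dict = {}
        self._by_pan_mac: dict = {}

    def _pan_mac(self, pan: str) -> str:
        # Keyed digest for the reverse index: an unkeyed hash of a PAN is not a
        # safe lookup key because the PAN space can be enumerated.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        mac = self._pan_mac(pan)
        if mac in self._by_pan_mac:
            return self._by_pan_mac[mac]     # same card, same token, so repeat customers still link up
        # Random token: nothing in it is derived from the PAN except the displayable last four.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._by_token[token] = VaultRecord(pan=pan, last4=pan[-4:])
        self._by_pan_mac[mac] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Caller identity is a stand-in for real service authentication (mTLS, signed requests).
        if caller not in self._detokenizers:
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._by_token[token].pan


PAN_LIKE = re.compile(r"\d{13,19}")


def pan_like_values(rows: list) -> list:
    """What a thief would find in a stolen copy of a merchant's order table."""
    return [v for row in rows for v in row.values()
            if isinstance(v, str) and PAN_LIKE.fullmatch(v)]


def demo() -> dict:
    vault = TokenVault(index_key=secrets.token_bytes(32), detokenizers={"settlement-service"})
    # Constructed input: published Visa and MasterCard test numbers, not real cards.
    sample_pans = ["4111111111111111", "5555555555554444", "4111111111111111"]
    # The merchant's own database row never sees the PAN, only the token.
    orders = [{"order_id": i, "card": vault.tokenize(p), "amount": 1000 + i}
              for i, p in enumerate(sample_pans)]
    try:
        vault.detokenize(orders[0]["card"], caller="merchant-web")
        web_can_detokenize = True
    except PermissionError:
        web_can_detokenize = False
    recovered = vault.detokenize(orders[0]["card"], caller="settlement-service")
    return {
        "leaked_pans": pan_like_values(orders),
        "distinct_tokens": len({o["card"] for o in orders}),
        "same_card_same_token": orders[0]["card"] == orders[2]["card"],
        "web_can_detokenize": web_can_detokenize,
        "settlement_recovers_pan": recovered == sample_pans[0],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is scope: a copy of the merchant's order table yields no card numbers at all, repeat purchases by the same card still correlate for fraud analytics, and the only component that can turn a token back into a PAN is the vault, which makes it the one place worth spending the monitoring and hardening budget.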

Chris Poley
Thinkernetter
Monday April 9, 2012 7:32:44 AM

You're absolutely correct syedzunair. However there is no doubt if consumers and merchants followed FTC guidelines as well as industry guidelines in loss and fraud prevention that $190 billion annual loss would shrink considerably.  

jabailo
IQ Crew
Sunday April 8, 2012 10:00:16 PM

Is there anyone who can stop the IE spambot?!

I have been successful in doing so on my own forum site, if anyone wants some tips...


syedzunair
IQ Crew
Sunday April 8, 2012 4:28:37 PM

Chris, I agree with you on the insurance part. But insurance is just a fallback strategy for customers and merchants. Essentially, we should focus more on security and strive to reduce the security breaches to a bare minimum.

I know that is not an easy job and it will require more research in security and more stringent measures on the websites where transactions are being performed. 

Chris Poley
Thinkernetter
Sunday April 8, 2012 8:59:27 AM

mhhfive, I agree that more insurance should be available at each level of the processing system. From a 2009 LexisNexis report that came out in 2011: merchants lost $190 billion, banks $11 billion and the consumer $4.8 billion, most of it attributed to online purchasing.

In this most recent attack it was made clear that Global Payments was capable of covering the amount of fraudulent activity from the 1.5 million hacked cards.

I think the system seems very disjointed and tighter industry standards and security compliance should be administered by the prevailing parties within the credit card system.

I also believe that there will still be hacking and fraud just based on the amount of leaky areas that allow the consumer and merchant the ability to practice industry standard protection measures.

On a bright note credit card fraud had dropped from the previous year thanks to merchants being more vigilant.

Chris Poley
Thinkernetter
Sunday April 8, 2012 8:29:56 AM

Well, pizzshop.com, based on this blog it would be appropriate to give you my credit card number, expiration date and CVV2 code.

mhhfive
IQ Crew
Sunday April 8, 2012 1:46:47 AM

There's probably no cure for fraud in the credit system, but maybe there are treatments? Perhaps a large insurance system could provide some kind of backup to fraud in the credit system -- just like FDIC protects deposits up to $100K, maybe there should be a fraud insurance system -- and people who have verifiable identity theft claims would simply be paid out according to how much insurance they were willing to buy into...

Chris Poley
Thinkernetter
Saturday April 7, 2012 10:33:39 AM

Thank you, DHagar. I believe there are rating systems done by neutral parties. Here is one that reviews a number of different variables in an attempt to allow merchants a fair and equitable selection of processing vendors. However, there should be a formal agency that tests and reviews these processing firms on a scheduled basis. Your suggestion makes a world of sense.

Chris Poley
Thinkernetter
Saturday April 7, 2012 10:25:21 AM

Michael, are you saying that these top tier credit card processors do not use encryption? Two of the largest processing companies are Chase and Bank of America; I find it very improbable that, in addition to address verification, real time processing, Secure Sockets Layer (SSL) and CVV2 as fraud protection measures, they fail to have an encrypted database.

But if you know this for a fact, I’d love to hear more.
