The Hazards of Working in Data Security

Most of us who work in data security have probably had this experience. You bump into a neighbor on your morning walk, or meet someone at a party and as soon as they find out what field you’re in, they pop the question: “Do you really think it is safe to buy stuff on the Internet?” There are variations on the question, of course. They might ask about on-line banking, using a credit or debit card at the store, using a bank ATM, or almost any other financial transaction. Fielding these questions is one of the unintended consequences of your career choice. But what you tell that near stranger says almost as much as what you don’t tell them.

I usually try to keep my answer short and say something like: “Large retailers are probably compliant with PCI regulations and are likely to be more secure when it comes to credit cards. Smaller retailers may not yet be in compliance with these regulations. However, your credit card issuer is going to protect you from losses due to fraud and theft. Debit card transactions are more secure end-to-end because of encryption, and your merchant likes debit cards because of the lower fees, but your bank may or may not be helpful in the event of a loss, so you might carry more personal risk when you use your debit card. If you do on-line banking, make sure there is two-level sign-on, and make sure your bank will stand behind you in the event of a loss. My advice is to take the normal precautions when using your card, use a credit monitoring service, check your statements regularly, don’t use Internet cafes for payments or banking when you travel, and know your bank.”

The rest of my answer is mainly for industry insiders. For instance, I find it odd that merchants who are PCI compliant are reluctant to make this information public. I would certainly feel better making an on-line purchase if I saw a statement on the check-out page that said something like “We’ve passed a PCI audit with no compensating controls. We are committed to securing your personal information when you buy online from us.” Even with some obligatory fine print from the lawyers, this would signal a sincere effort to protect information. But you never see this type of statement on merchant web sites, not even on the ones that I know are PCI compliant and really diligent about security. I wonder why . . .

Similarly, I find the difference between debit cards and credit cards to be interesting. Debit cards have long had end-to-end encryption using public/private key encryption: when you swipe your debit card and punch in the PIN code, that PIN is encrypted all the way to the bank. The same isn’t true for credit cards, because credit card numbers are simply not encrypted as they flow over the various networks between the retailer and the credit card processor, and that information is susceptible to loss anywhere along the path. All parties seem to accept this risk as a normal cost of doing business, and the bad guys do occasionally breach those networks. So the bottom line is that even if a credit card transaction starts out secure, there are numerous weak points where information can be lost or stolen.

This takes us back to the original question, and my answer that’s more for those of us in data security than for my neighbor. “I think there has been major progress over the last three or four years in data protection, but we have a long way to go before payment transactions are really secure. There are so many ways to expose and lose information, and end-to-end encryption is the only way I know to truly protect it. My hat is off to those merchants and payment processors who are making that long slog to embed encryption at every point in the process. But until encryption is universal, none of our sensitive information will be truly secure.”
