Rajiv K.

Vice President & Head-Services, Network at Reliance Communications

Should online transactions be allowed on credit cards without adequate safeguards?

1. All credit cards that ship today are enabled for internet/IVR transactions by default without any action on the part of the card holder. This is a significant risk to the credit card holder.
2. This exposes the card holder (even one who does not intend to conduct any internet transaction) to the risk of fraudulent internet/IVR transactions if his card no., exp date and CVV2 are noted at a merchant establishment at the time of swipe. The risk is greater in India, where many credit card holders may not be interested in conducting internet/IVR transactions at all but are exposed to the same risks.
3. Should it be made mandatory for credit card issuing organizations to ship cards that are NOT enabled for internet/IVR? The card should be enabled for internet/IVR only at the explicit request of the card holder - that too with built-in additional security mechanisms (VbV/SecureCode/etc.). After all, savings/current accounts are enabled for internet transactions at the explicit request of the account holder.
4. E-commerce transactions on websites that do NOT adhere to these additional security mechanisms should be either totally denied or restricted to low-value transactions (allow the card holder to choose his low value!) with cumulative value restrictions for a defined period. This will force the websites to adhere to the additional security mechanisms. Moreover, the onus of any fraudulent transactions at these websites should be solely on them.
5. Credit card issuers should transparently publish at their websites the complete guidelines for handling disputed transactions. At present the published information is very high level.

posted September 29, 2008 in Risk Management, E-Commerce | Closed
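The opt-in and low-value-cap controls proposed in points 3 and 4 above, as an added illustration in Python (this is not part of the original post; the merchant's VbV/SecureCode participation flag, the integer day counter and the limit values are assumptions):

```python
from dataclasses import dataclass, field


@dataclass
class Card:
    # Proposal from point 3: cards ship with card-not-present
    # (internet/IVR) use disabled until the holder explicitly opts in.
    cnp_enabled: bool = False
    # Point 4: cardholder-chosen ceiling for a single transaction at a
    # merchant that does not use the extra step (VbV/SecureCode).
    low_value_limit: int = 0
    # Cumulative ceiling for such transactions within window_days.
    cumulative_limit: int = 0
    window_days: int = 30
    # Constructed ledger of approved unauthenticated-merchant
    # transactions as (day, amount) pairs; days are plain integers.
    history: list = field(default_factory=list)


def enable_cnp(card, low_value_limit, cumulative_limit):
    """Explicit cardholder opt-in, like enabling online banking."""
    card.cnp_enabled = True
    card.low_value_limit = low_value_limit
    card.cumulative_limit = cumulative_limit


def authorize(card, amount, merchant_uses_3ds, day):
    """Return (approved, reason) for a card-not-present request.

    merchant_uses_3ds is assumed to be known from the authorization
    request (True when the merchant ran VbV/SecureCode).
    """
    if not card.cnp_enabled:
        return False, "card not enabled for internet/IVR"
    if merchant_uses_3ds:
        # Authenticated merchants are not subject to the low-value caps.
        return True, "authenticated via VbV/SecureCode"
    if amount > card.low_value_limit:
        return False, "exceeds cardholder-chosen low-value limit"
    recent = sum(a for d, a in card.history if day - d < card.window_days)
    if recent + amount > card.cumulative_limit:
        return False, "exceeds cumulative limit for the period"
    card.history.append((day, amount))
    return True, "low-value transaction at unauthenticated merchant"
```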

Answers (2)

Steve H.

Business Development Director - Canada at Forrester Research

Have you looked into the PCI DSS? The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

posted September 29, 2008

Lynn W.

virtualization since Jan68, online at home since Mar70

There is extended discussion related to several of the issues in the "In your experience which is a superior debit card scheme - PIN based debit or signature debit? In markets where Chip n PIN are not mandated, have Banks preferred one scheme over the other?" thread in the Credit Card Professionals group.

Clarification added September 30, 2008:

We had been called in to consult with a small client/server startup that wanted to do payment transactions on their server and they had this technology they had invented called SSL they wanted to use. Part of that effort is something called the payment gateway ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

and is now frequently called electronic commerce.

We were then asked to participate in the x9a10 financial standard working group which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments (*ALL* ... POS, non-face-to-face, internet, etc). As part of that, there were detailed, end-to-end threat and vulnerability studies and resulted in the x9.59 financial standard ... misc. past references
http://www.garlic.com/~lynn/x959.html#x959

Part of the detailed, end-to-end threat and vulnerability studies looked at issues with single factor, static, "something you know" authentication information. In effect, the current information horribly burdens the account number with both being widely available for numerous business processes and at the same time requiring it to be kept confidential and never divulged.

the other was looking at things like skimming, eavesdropping (primary use in the world today of SSL is to prevent divulging account number), and data breaches. Something from kindergarten, security 101 was "security proportional to risk". Basically the value of the information to the merchant is worth some percent of the profit off each transaction while the value of the information to the attacker/crook/insider is worth the account balance/credit-limit ... as a result the crooks (attacking the system) can frequently outspend the merchant (defending the system) by a factor of 100 to one. Part of x9.59 standard was to change the paradigm and eliminate the usefulness to the crooks (and as a side-effect eliminates the major use of SSL in the world today).

Clarification added September 30, 2008:

we would periodically joke ... that because of the dual-use nature of transaction information with diametrically opposing requirements (generally available for numerous business processes and at the same time must be kept confidential and never divulged) ... that even if the planet was buried under miles of information hiding encryption ... it still wouldn't be able to prevent information leakage.

lots of past archived posts discussing various aspects of current paradigm in a thread about "naked transactions"
http://www.garlic.com/~lynn/subintegrity.html#payments

posted September 29, 2008