
A classic example of approaching a security and privacy problem the wrong way

The Payment Card Industry (PCI) has embarked on a quest to improve the handling of sensitive cardholder data after a series of recent high-profile breaches exposed the inadequacy of its security practices. The February 2007 issue of Information Security (p. 36) describes a major initiative championed by Visa, MasterCard, Discover, and American Express that "is designed to ensure cardholder privacy."

Basically, this initiative mandates that cardholder data be protected (encryption is implied, though not required) when transmitted across public networks. The standard goes to great lengths to suggest, and in places require, that network infrastructure providers and retailers (big and small) not store cardholder data permanently. The elephant in the room is the simple fact that knowledge of the card number and expiration date is often enough to place a transaction without actually possessing the card.

So here is an industry that has no economic incentive to use the best available technologies to protect consumers (see Bruce Schneier's excellent points on this subject in the January 2007 issue of Information Security, and my forthcoming letter in the March issue of the magazine), and it is going at this problem from the wrong end. The credit card number, expiration date, and even the three-digit security code on the back should not be the secrets that enable a financial transaction to take place. Just think how much simpler the problem of protecting the consumer becomes if we eliminate the reliance on compromisable secrets: a secret that must be handed to every merchant, processor, and network on the path of a transaction will eventually leak, no matter how carefully each of them stores it. Instead, PCI should adopt technologies that prove possession of the card by the proper cardholder at the time of the transaction. Smart card-based technologies are one example, but the PCI in America resists deploying this and other similar solutions.
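To make the distinction concrete, here is a small illustration added to this post (it is not code from the original entry, nor the actual protocol of EMV, PCI DSS, or any card brand). It contrasts the two models in the simplest possible form: in scheme A the stored card number and expiration date are the secret, so any copy of them, from a breached database or a sniffed transmission, authorizes a purchase forever; in scheme B the card holds a key that never leaves it and answers a fresh, amount-bound challenge from the issuer, so a captured exchange cannot be replayed, the amount cannot be altered in transit, and knowing the card number alone buys an attacker nothing. The PAN, the HMAC construction, and the in-memory issuer are all constructed for the example.

```python
"""Static secret vs. proof of possession: a toy comparison (not EMV, not PCI DSS)."""
import hmac
import hashlib
import os

# --- Scheme A: today's model. Card number + expiration date ARE the secret. -----------
# Constructed issuer records: PAN -> expiry (sample values, not a real account).
STATIC_RECORDS = {"4111111111111111": "1209"}


def static_authorize(pan: str, exp: str, amount_cents: int) -> bool:
    """Card-not-present style check: reproducing the stored fields is enough."""
    return STATIC_RECORDS.get(pan) == exp and amount_cents > 0


# --- Scheme B: the card proves it holds a key that never leaves it. -------------------
class Card:
    """Models a smart card: holds a per-card key and only ever emits MACs over challenges."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key  # never exported; the only way to use it is respond()

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        # The MAC binds the fresh challenge AND the amount, so neither can be swapped later.
        msg = challenge + amount_cents.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer side: enrolls cards, hands out one-time challenges, verifies responses."""

    def __init__(self):
        self._keys = {}     # pan -> issuer's copy of the card key (never transmitted)
        self._pending = {}  # outstanding challenge -> amount it was issued for

    def enroll(self, pan: str) -> Card:
        key = os.urandom(32)
        self._keys[pan] = key
        return Card(pan, key)

    def challenge(self, amount_cents: int) -> bytes:
        c = os.urandom(16)  # unpredictable, single-use
        self._pending[c] = amount_cents
        return c

    def authorize(self, pan: str, challenge: bytes, amount_cents: int, response: bytes) -> bool:
        # Consume the challenge on first use: a captured exchange cannot be presented twice,
        # and the amount must match the one the challenge was issued for.
        if self._pending.pop(challenge, None) != amount_cents:
            return False
        key = self._keys.get(pan)
        if key is None:
            return False
        expected = hmac.new(key, challenge + amount_cents.to_bytes(8, "big"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Runs both schemes against the same attacker model and reports what authorizes."""
    results = {}

    # Scheme A: a record copied from a breach authorizes a new purchase.
    results["static_replay"] = static_authorize("4111111111111111", "1209", 4999)

    issuer = Issuer()
    card = issuer.enroll("4111111111111111")

    # Genuine transaction: terminal relays the issuer's challenge, card answers.
    c1 = issuer.challenge(4999)
    r1 = card.respond(c1, 4999)
    results["genuine"] = issuer.authorize(card.pan, c1, 4999, r1)

    # Attacker captured (c1, r1) in transit and replays the exact same exchange.
    results["replay"] = issuer.authorize(card.pan, c1, 4999, r1)

    # Attacker knows the PAN from a breach but holds no key; guesses a response.
    c2 = issuer.challenge(4999)
    results["forged"] = issuer.authorize(card.pan, c2, 4999, os.urandom(32))

    # Attacker intercepts a genuine response and submits it for a different amount.
    c3 = issuer.challenge(4999)
    r3 = card.respond(c3, 4999)
    results["tampered_amount"] = issuer.authorize(card.pan, c3, 100, r3)

    return results


if __name__ == "__main__":
    print(demo())
```

Running it shows the asymmetry the post is arguing about: the static record authorizes every time it is replayed, while the possession-based scheme accepts the one genuine exchange and rejects the replay, the forgery, and the altered amount. The issuer still keeps a copy of each card key, so the issuer's own store remains a target; what changes is that the key is never handed to merchants or carried across the network, which is exactly the exposure the PCI initiative is trying to paper over with storage and transmission rules.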

