Agility Loop


    The Credit Card Data Problem

    Not sure how I found it, but I stumbled upon this post Curing the Credit Card Cancer on the Network Security Blog.  In the post author Martin McKeay talks about the credit card data problem and offers some ideas to help mitigate it.

    At a high level, I think we can all agree that credit card data is VERY sensitive.  McKeay makes the very valid point that as much as you want to protect this data, someone else internally always wants access to it even if they don't need it.  And then once they have access, they are very reticent to give it up (true in human nature, corporations, war, and government).  So as more people have access to this data, the more likely that this data will get exposed.  And guess who probably gets blamed?

    The same IT or security folks who are trying to protect the data in the first place.  Reminds me of some adage about s!@# rolling down hill.

    His analysis is quite good, and a good read for anyone trying to understand WHY the credit card data problem happens. But what really caught my eye was the following:

    When it’s all said and done though, it’s the credit card processing system that has to change, not just how businesses treat credit card information.  We need to modify and re-engineer how we take credit cards and remove the monetary motivation for the attack (and defense) on credit card data.  If credit card information has no value for an attacker then attention will shift elsewhere and the security department will once again be able to concentrate on securing the entire enterprise rather than just a small portion that has a compliance measure behind it mandating minimum security standards.  Of course, then we’ll have to worry about what we can use to get funding from management to secure the rest of the business.

    Amen Martin! This has been the case for a long time (I actually thought I blogged about it at some point), and until the payment processing gets more secure and easier to use, we will continue to have credit card spills.  However, since credit card companies just write off fraud and the government makes special cases for them, what motivation is there for them to adopt better tokenization and authentication methods?  Why should they care about fraud when they can just write it off?

    It's all about carrots and sticks, and there is neither to make this change happen.

    Tags » Security
    10 January 2012

  • About Kevin Heald

    I grew up as a techie and first got hooked using an old Texas Instruments programming in Basic ("Hello World" app is my fav) and then learned the fun of "integration" making my PCjr actually run the old Sierra games I wanted to play. After a lot of fun at college, I found myself entrenched in the government technology world leading projects and integrating systems for the past 11+ years. I have extensive experience in technical project management, Public Key Infrastructure (PKI), Collaboration Technologies, Information Sharing, and Secure Systems Integration.
