Tuesday, July 28, 2009

Security problems and solutions

Security problems and solutions

Credit card security relies on the physical security of the plastic card as well as the privacy of the credit card number. Therefore, whenever a person other than the card owner has access to the card or its number, security is potentially compromised. Once, merchants would often accept credit card numbers without additional verification for mail order purchases. It's now common practice to only ship to confirmed addresses as a security measure to minimise fraudulent purchases. Some merchants will accept a credit card number for in-store purchases, whereupon access to the number allows easy fraud, but many require the card itself to be present, and require a signature. A lost or stolen card can be cancelled, and if this is done quickly, will greatly limit the fraud that can take place in this way. For internet purchases, there is sometimes the same level of security as for mail order (number only) hence requiring only that the fraudster take care about collecting the goods, but often there are additional measures. European banks can require a cardholder's security PIN be entered for in-person purchases with the card.

The PCI DSS is the security standard issued by The PCI SSC (Payment Card Industry Security Standards Council). This data security standard is used by acquiring banks to impose cardholder data security measures upon their merchants.

A smart card, combining credit card and debit card properties. The 3 by 5 mm security chip embedded in the card is shown enlarged in the inset. The contact pads on the card enable electronic access to the chip.

The low security of the credit card system presents countless opportunities for fraud. This opportunity has created a huge black market in stolen credit card numbers, which are generally used quickly before the cards are reported stolen.

The goal of the credit card companies is not to eliminate fraud, but to "reduce it to manageable levels".[10] This implies that high-cost low-return fraud prevention measures will not be used if their cost exceeds the potential gains from fraud reduction - as would be expected from organisations whose goal is profit maximisation.

Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank, a security risk is created. However, many banks offer systems where encrypted card details captured on a merchant's web server can be sent directly to the payment processor.

Controlled Payment Numbers which are used by various banks such as Citibank (Virtual Account Numbers), Discover (Secure Online Account Numbers, Bank of America (Shop Safe), 5 banks using eCarte Bleue and CMB's Virtualis in France, and Swedbank of Sweden's eKort product are another option for protecting one's credit card number. These are generally one-time use numbers that front one's actual account (debit/credit) number, and are generated as one shops on-line. They can be valid for a relatively short time, for the actual amount of the purchase, or for a price limit set by the user. Their use can be limited to one merchant if one chooses. The effect of this is the users real account details are not exposed to the merchant and its employees. If the number the merchant has on their database is compromised, it would be useless to a thief after the first transaction and will be rejected if an attempt is made to use it again.

The same system of controls can be used on standard real plastic as well. For example if a consumer has a chip and pin (EMV) enabled card they can limit that card so that it be used only at point of sale locations (i.e restricted from being used on-line) and only in a given territory (i.e only for use in Canada). This technology provides the option for banks to support many other controls too that can be turned on and off and varied by the credit card owner in real time as circumstances change (i.e, they can change temporal, numerical, geographical and many other parameters on their primary and subsidiary cards). Apart from the obvious benefits of such controls: from a security perspective this means that a customer can have a chip and pin card secured for the real world, and limited for use in the home country assuming it is totally chip and pin. In this eventuality a thief stealing the details will be prevented from using these overseas in non chip and pin (EMV) countries. Similarly the real card can be restricted from use on-line so that stolen details will be declined if this tried. Then when card users shop online they can use virtual account numbers. In both circumstances an alert system can be built in notifying a user that a fraudulant attempt has been made which breaches their parameters, and can provide data on this in real time. This is the optimal method of security for credit cards, as it provides very high levels of security, control and awareness in the real and virtual world. Furthermore it requires no changes for merchants at all and is attractive to users, merchants and banks, as it not only detects fraud but prevents it.[citation needed]

No comments:

Post a Comment