How Credit Card Authentication is a Ticking Time Bomb
Kmart. Buckle. eBay. These are just some of the many brands that have been hit with costly and reputation-damaging credit card breaches over the past year. And, with Target only starting to resolve its breach settlement this year, there's a lot of work that e-commerce companies and retailers need to do to strengthen IT security.
If you’re an online merchant who accept credit cards, you’re probably aware that you must adhere to the new Payment Card Industry Data Security Standard (PCI DSS) requirements. Although cards have made great strides in their security thanks to the function of their new EMV chips, there are still plenty of elements to consider when keeping that data safe, and making sure employees and administrators aren’t targets in attacks.
The newest PCI DSS version, 3.2, released in May 2016, will become mandatory on Feb. 1, 2018 and will serve as a starter guide for the necessary security measures to decrease breach risks. But, there’s still a lot of room for improvement to maintain customers’ data security.
PCI DSS rules are based on prior best practices, drawing on the experience gained from earlier security breaches within existing environments and the lessons they can teach. However, the IT landscape is changing rapidly, and to withstand new challenges, the industry will need new security measures to augment the PCI DSS requirements are necessary.
Currently, there are six guidelines that cover all of the elements protecting card transactions, which mostly consist setting up firewalls while monitoring and testing systems for weaknesses or breaches. One guideline I’d like to point out is access control, which is where the biggest vulnerabilities can exist -- and also be mitigated.
So how do merchants implement strong access control? First of all, it’s important to restrict access to cardholder data on a need-to-know basis per business, then identify and authenticate access to system components, as well as restrict physical access to cardholder data. The ones with administrative access are the biggest targets, so the goal is to reduce access privileges to a controlled and easily monitored few. This process is great for keeping the number of leaks to a minimum, but there is still opportunity to improve.
For one, the new updates to PCI DSS 3.2 ensure the implementation of multi-factor authentication (MFA) for all remote or non-console administrative access. Protecting the information holders with additional authentication factors is a given, considering how necessary MFA has become. But now the question is which MFA makes the most sense for retailers while also being usable and secure?
Security is also a concern for the consumer side. But, here’s the dilemma -- if you want to implement additional security measures, which may increase protection of customers’ data and reduce fraudulent transactions, you could face losing customers if it becomes more complicated and longer to complete transactions. For example, the introduction of traditional two-factor authentication for regular customers may significantly reduce the usability of e-commerce websites and result in customers leaving. While it’s relatively easy to determine and respond to direct losses from fraudulent transactions, lost profits due to inability to engage or complete transactions could be far worse.
Using a different factor for signing up and later signing in, to e-commerce websites, may offer many security-conscious and convenience-inclined users an added incentive to complete online purchases. Better yet, if these sign-on mechanisms offer the same experience and functionality across multiple sites and services, it will offer a wider pool of merchants a unique and consistent revenue stream at scale.
The good news is that there are commercially available solutions for username-less and password-less sign ons, using devices like phones customers have anyway, which provide better security for users and financial data. Favoring better sign-on methods while avoiding usernames and passwords provides even stronger security, especially compared to traditional two-factor authentication mechanisms such as one-time passwords or text messages. Merchants can anticipate adoption of this type of mass authentication mechanism in the near future, especially among organizations that invest in innovation and are scaling quickly. And, to stay ahead of the curve, merchants should prepare for the next PCI DSS upgrade within the next few years, which will likely mandate these sorts of password-less security protocols.
Gene Shablygin, CEO and founder of WWPass, focuses on freeing individuals, retailers and enterprises from ineffective, insecure password systems that can’t protect their data from increasingly sophisticated security threats. Prior to starting WWPass, he founded a multi-million dollar international systems integration company, lead the Midrange System practice at Compucom, worked as senior researcher at Institute for Nuclear Physics. He got his MS degree in Nuclear physics in 1983, and works in computer technology business since 1987.