Credit: U.S. Navy photo by Mass Communication Specialist 2nd Class LaTunya Howard, public domain, via Wikimedia Commons via Computerworld.
Several electronic and mobile payment options have become available, but most of us in the U.S. are still using plain-vanilla credit and debit cards with magnetic stripes. They use technology that dates to the first Nixon administration. That's not a problem in itself; I have no problem with time-tested security measures that work effectively. But just look around: Data breaches are everywhere, and those magnetic-stripe cards are often implicated.
Personally, my credit card accounts have been compromised no fewer than three times. Those compromises included fraudulent purchases charged to my account. That experience has made me an early adopter of some of the newer mobile payment options, because I desperately want to use systems that are more secure than the old-fashioned credit cards I keep in my wallet.
From a security architecture standpoint, traditional credit cards are a nightmare. Among other things, they often:
- Store account numbers on servers
- Expose account numbers to clients
- Encrypt data only in transit (for example, with SSL/TLS)
- Expose account numbers to merchants
- Reuse the same payment/account number
That's quite a list of failures.
And how do credit cards' more modern counterparts measure up? Let's look at three of them and see.
Credit card readers on mobile devices. These systems, which include Square, started popping up a few years ago and have become moderately popular with small-to-medium-sized merchants, because they're easy to deploy. But they also hold benefits for those merchants' customers. The readers (typically they are simply smartphones or tablets) are not just point-of-sale (POS) terminals. In most cases, the card reader devices encrypt the customer's credit/debit card information. The encrypted data is decrypted back on the server side at Square (and the other companies operating in this space), but nonetheless the encryption in transit effectively removes an entire threat agent from the equation: the merchant.
These systems are more widely used than the other two technologies I will discuss, and that's probably because they are beautifully simple, supporting existing technology (mag-stripe credit cards) while reducing opportunities to exploit the payment data. (Card reader systems are moving into card-less transactions as well, such as with Square's Wallet app, which goes further toward reducing such opportunities.)
But these systems do not eliminate opportunities for mischief. The customer's payment data is still stored on the service provider's systems. Should a provider like Square suffer a major server breach, there's always the chance your payment account information will be compromised.
Verdict: All the convenience of credit cards, but more secure. Why aren't more people using them?
The Europay MasterCard and Visa (EMV) system. EMV cards contain a smart chip and/or a contactless (RF-based) chip. They're typically used in either "chip and PIN" or "chip and signature" configurations. (You either have to enter a PIN or sign to complete a transaction.)