Is the dawn of the age of ubiquitous e-payments finally here? Can we throw away our credit cards yet?
I wish! If you read my column regularly, you know that payment systems are a particular interest of mine. I've been holding out hope for a few years now that big improvements were just around the corner.
I'm a security-conscious guy, but my credit card accounts have been compromised three times in just the past couple of years. I try to be careful in how I use my cards, but the fact is that I have to use them a lot, all over the world. Given those circumstances, there doesn't seem to be any way currently to ensure safety. Heck, the most recent compromise was of my fancy-pants EMV (Europay MasterCard Visa) card — the kind with a smart chip on it that is supposed to make it much more difficult for attackers to steal data. EMV is certainly not perfect, especially when the merchant processes it like any other credit card. That's just what happened on a recent trip to Asia, where two merchants ran my EMV card's magstripe through their payment terminals. Sure enough, bad things happened.
Despite the shortcomings of EMV, I'll be glad when it's widely adopted in the U.S. It's coming, but slowly. Nonetheless, it's not going to solve all of our problems.
Happily, some other developments are helping.
Payment data can be compromised at retailers both big and small, but the nature of the compromise is very different depending on the merchant's size. With small-scale retailers, the threat is that someone, probably an insider, will simply snatch the relevant data (credit card numbers, for example). That affects one customer at a time. The high-profile compromises, of course, hit large-scale retailers like Home Depot and Target, where cyberthieves are able to access millions of accounts all at once. These attacks have succeeded by compromising firmware on payment terminals directly, thereby snagging account data during the payment process.
In both cases, the way to keep data safe is to keep it from prying eyes. For small retailers, this goal has been furthered by companies like Square, which have put credit card payments into the hands of even the smallest of merchants while paying attention to security. When a merchant uses a Square reader, it never sees the customer's credit card account number and keeps no record of it. The payment is processed by Square, , which probably helped Square achieve compliance with PCI-DSS (the Payment Card Industry Data Security Standards).
Of course, Square and its competitors don't serve big merchants, the ones whose data breaches make the headlines. But a similar idea — don't let the merchant ever even see the credit card data — could help there as well. And Apple just might be giving us a glimpse of how this could work.
Sign up for CIO Asia eNewsletters.