The payment industry must reinvent itself

July 16, 2009
Ever since the economy went down the toilet, and President Obama took office, I've been doing a lot of thinking about infrastructure -- and how our country stinks at it compared to other parts of the world, namely Europe.

Our roads and bridges are cracking at the seams, our trains go too slow, our lights don't always stay on. I could go on and on about the deficiencies.

Perhaps the reason for this is that we've poured too much money into the Iraq war -- what did that exactly solve, again?

Or maybe it's because Wall Street lured our best and brightest with promises of big paychecks, even heftier bonuses and an extravagant lifestyle. Instead of coming up with a cure for cancer or designing a superior air traffic control system, these grads took trading jobs with Goldman and Merrill and Bank of America.

That, at least, is what Tom Friedman suggested in this New York Times Op-Ed piece from late last year. In it, he argues that America needs a "makeover," and fast, if it is to thrive in the 21st century:
To top it off, we’ve fallen into a trend of diverting and rewarding the best of our collective I.Q. to people doing financial engineering rather than real engineering. These rocket scientists and engineers were designing complex financial instruments to make money out of money — rather than designing cars, phones, computers, teaching tools, Internet programs and medical equipment that could improve the lives and productivity of millions.

Which brings me to security. Specifically, payment security, and why we need an infrastructure overhaul.

The Payment Card Industry Data Security Standard (PCI DSS) does a baseline job of requiring that merchants get better at securing cardholder data. But breaches, monster breaches in fact, are still happening on a regular basis, and many people are having their data used fraudulently by cybercrooks.

In the end, as Gartner analyst Avivah Litan told me today in a conversation, merchants aren't -- and will never be -- in the business of security. That's why to truly push back the sophisticated cybercriminal element, the payment system must be "fundamentally upgraded," Litan said.

I agree. Technologies such as Chip and PIN, tokenization and end-to-end encryption are ways to take much of the burden out of the hands of merchants -- who, let's agree, aren't exactly the best data gatekeepers. Fraud would go down.

Chip and PIN, specifically, involves cards embedded with a chip that is authenticated when the customer enters their PIN at the point of sale. In the UK, it has resulted in a dramatic decline in fraud rates for card-present transactions.

Bob Carr, CEO of Heartland Payment Systems, which suffered the worst reported data breach of all time, is trying to do something similar. He said PCI is too human-intensive, so why not incorporate a technology across the payment chain that masks the data at its source? His idea is end-to-end encryption.
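To make concrete how tokenization takes the PAN out of the merchant's hands, here is an added illustration (not code from the post, from Heartland, or from any real processor). It assumes a hypothetical token vault run by the processor, a merchant order system that only ever stores the token and the last four digits, and constructed sample card numbers of the kind used for testing. A merchant database dump then contains nothing a cybercrook could use to make a purchase.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used to reject obviously malformed card numbers before tokenizing."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: the only place the PAN-to-token mapping exists."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key          # keyed so the fingerprint cannot be brute-forced offline
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # HMAC lets the vault recognise a returning card without storing a raw hash of the PAN.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:      # same card -> same token (repeat customers)
            return self._token_by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(8)     # random: no arithmetic relation to the PAN
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, when it actually needs the PAN to route a transaction."""
        return self._pan_by_token[token]


class MerchantOrders:
    """Merchant-side records: keeps the token and last four digits, never the PAN."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.records: list[dict] = []

    def record_sale(self, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)
        self.records.append({"token": token, "last4": pan[-4:], "amount_cents": amount_cents})
        return token

    def dump_contains_pan(self, pan: str) -> bool:
        """What a breach of the merchant database would yield: is the full PAN anywhere in it?"""
        return any(pan in str(rec) for rec in self.records)


if __name__ == "__main__":
    vault = TokenVault(fingerprint_key=secrets.token_bytes(32))
    shop = MerchantOrders(vault)
    t = shop.record_sale("4111111111111111", 1999)   # constructed test PAN
    print("merchant stores:", shop.records[0])
    print("breach of merchant DB exposes PAN:", shop.dump_contains_pan("4111111111111111"))
    print("processor can still resolve token:", vault.detokenize(t))
```

The vault key and mapping live with the processor; the merchant's copy of the data is useless on its own, which is the point Litan and Carr are making about moving the burden off the merchant.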

Of course, there's cost. But merchants have to now accept the fact that security is part of their business objective. It's not going away.

(And just think, maybe a whiz kid who would've, before the economy tanked, opted for a hedge fund job will be the one who designs a way to affordably overhaul the payment infrastructure).

*You won't want to miss our September cover story, where we'll look at exactly what happened at Heartland, whether the PCI certification process needs a revamping and what companies need to do beyond PCI.