Given the role that credit, charge and debit cards play in the lives of corporates of all sizes around the globe every day, it’s perhaps not surprising that those in the international card industry regard the technology which underpins the entire system as almost having taken on a life of its own.
The ‘life cycle’ of Chip and PIN terminals is commonly referred to as describing the main points in the existence of the machines themselves from ‘cradle to grave’ or, to be more precise, from the manufacturer’s factory to a recycling plant.
Securing the Entire Lifecycle
The energy and expenditure devoted to tackling the issue of security relating to payment card machines is mostly concentrated on the set-piece elements of the cycle, including not only their construction and destruction but also their installation and operation.
At a recent meeting organised by the card and payments industry body, Vendorcom, that issue was illustrated graphically when members were presented with a diagram illustrating the various steps in the life of a card terminal. The key points were shown as coloured boxes, joined by a succession of arrows, and around the table sat individuals from the various companies represented by the boxes, each outlining their contributions to combating card fraud.
However, there was nobody in the room to represent the arrows – the points when the machines upon which the whole industry places so much emphasis were not physically in the possession of anyone or any company contributing to the discussion. This follows research published by Global Freight Solutions (GFS), which concluded that 2% of all shipments of payment cards and terminals were late or lost.
Everyone in the payment industry appreciates the significant progress that has been made in recent years in trying to reduce fraud. In October this year, the UK Card Association detailed how such crime had fallen to its lowest level for a decade. It suggested that initiatives by manufacturers and managers of payment card systems, as well as the retailers and customers using them, had been instrumental in improving security.
The GFS analysis, though, illustrated how the good work of all those organisations could be undermined by a collective failure to involve the major courier firms with which we all deal – the arrows in the earlier diagram – in any attempts to protect ourselves from crime.
To use the analogy of the lifecycle now commonly applied to the management of such assets, everyone appeared to be focused only on the major episodes in the existence of our technology and not on what happens in between, or the often costly consequences of whatever trips and stumbles might occur en route.
It is difficult to put a precise value on what losses there may be as a result of the late and lost shipments but the potential for loss is clear. Despite a reduction in fraud, the UK Card Association still estimated that criminal activity resulted in fraudulent losses of £186.8m in the six months to the end of June 2010.
It is difficult to conclude anything other than how important it is for the payment card industry to involve the carrier industry more in its ongoing discussions on this subject. After all, they literally hold our security in their hands. The reliability of the software and hardware moved between the makers, users, repairers and recyclers of payment card equipment is, to a degree, only as good as the individuals moving it. That’s not, of course, to imply that carriers are part of the problem, but has the industry embraced their involvement as much as perhaps it should have done?
There are stringent standards applied to those who work within our industry, as well as the nature of the work we all do. Those criteria are enforced by card associations. PIN entry devices all have to subscribe to EMV specifications.
The many retail and financial services environments in which payment terminals are located are bound by the Payment Card Industry’s Data Security Standards (PCI DSS), governing the protection of data. And, at the end of a machine’s lifespan, the companies which we use to securely dispose of them have to be licensed and regularly audited.
Every organisation forming part of the industry equation will rightly point to the work it does to reinforce security. However, it is also true that no one body is arguably any more important than the next. While companies are able to provide solutions in their own particular areas of responsibility, no single firm can offer a panacea, an answer for every different element of the payment industry equation. Card payment security works on many different, interlocking levels. A failure to ensure those levels link together comprehensively is essential.
The technology to bridge that gap already exists. We employ it at Hypercom in liaison with GFS, tracking and reporting on assets in real time. But it has to be across the industry and all terminal manufacturers should review their position and align their process to ensure every step is being taken to safeguard the security of the asset.
PIN entry devices are our lifeblood. They are essential business tools for retailers and banks globally. Carriers move hundreds of thousands of terminals each year for installation, repair and destruction. It is imperative that everyone in the industry employs the highest levels of security.
We need to show clients – either within the industry or consumers – that our security measures are comprehensive and as watertight as possible. By doing so, we make our own lives less stressful and the lifecycle of our technology less problematic.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Despite all the automation and improvements that digital banking has the potential to achieve, customers and their needs still form the very core of the banking sector.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.