Overkill credit card security?

ChrisGreaves
PlutoniumLounger
Posts: 15628
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Post by ChrisGreaves »

I went to register online with one of my credit cards this morning.
The usual information required - card number, expiry date, name-as-appears-on-card, address-as-appears-on-invoice etc.
Mother's maiden name (another reason my autobiography will have to be posthumous)
Then I had to select three questions and provide security answers.
Well OK.
Name-of-my-fathers-mothers-first-pet-dog-in-a-foreign-country sort of thing.
Then I had to select an image and type in a simple chunk of text.
I've not met this before.
The images are corny - a boat, a bike, a forest, and the text message I chose ran something like "I can't believe this will be less work than keying through a phone menu".
Once it was all set up, I closed and reopened the browser, logged in and thought that my chosen image and text was corny.
I'm new at this, so I went to change it.
It can't be changed, period!
I suppose that keeps it very secure.
But I phoned anyway. Turns out if I de-enrol and re-enrol it will let me start fresh, but I don't believe the help desk.
I suspect the world will come crashing down if I try to re-enrol with the same credit card number.

All in all this seems to me to be a case of paranoid overkill in security.
I feel I am much more at risk from an unscrupulous merchant than a net hacker.

I know that theft-of-number-in-bulk occurs when laptops are left in taxi-cabs, but all of the above seems geared towards someone working out how to get into the credit card site.
Which suggests to me that the owners have little confidence in what they have built.

So why release it for public use? :shrug:
There's nothing heavier than an empty water bottle

BobH
UraniumLounger
Posts: 9287
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Overkill credit card security?

Post by BobH »

Having been an IT exec in the industry 30+ years ago, I have some knowledge of how their messaging system works (or at least how it began). I am convinced that the credit card marque entities are naturally placed - and should be legally required - to provide better safeguards. I sent the message quoted below to Mr. Gary Flood, President for Global Product Development, MasterCard International, today. I think that it should be illegal for a merchant to retain a consumer's credit card account number in any electronic, paper, or any other form.

As the executive responsible for products and services globally, I'm writing to you to inquire about a specific product function that - in my opinion - should be provided by the MasterCard product and the systems that eventuate from their definition and to suggest that this feature be integrated into the product. It might even present an opportunity to differentiate the MasterCard marque from its competition.

I refer to a product feature that would perform much like the PayPal function offered to electronic consumers by some merchants. To cardholders, the feature is desirable because it isolates account data from merchant databases where data security cannot be maintained adequately. I cite the TJMaxx debacle of a few years ago as my evidence and proof. There are, of course, untold cases that provide ample evidence of the problem. This service is often not available from sellers because it increases their cost of sales in addition to whatever merchant discount they must pay. I suggest that MasterCard (and Visa, American Express, Discover, et al) are uniquely positioned and capable of providing this functionality and - arguably - should provide this service in consideration of merchant discounts charged to sellers.

It would not be difficult for the Operations Committee and staff to define the rules under which this service could be extended. The authorization network, when invoked by the merchant, would intervene to send the buyer a screen for entering card number, expiration and privacy code data. Cookies and message IDs could be used to link the issuer and merchant components of the transaction without using a card number revealed to the merchant. This information would be screened from the seller but forwarded to the issuer/authorizer and their authorization response forwarded to the merchant/seller.

There should be advantages to the marque in protecting the system from merchant fraud and information abuse. The buyer's email address could be passed to the merchant for their promotion or marketing efforts but the card number, expiration date, and CVC would be protected. By providing this service to merchants, the MasterCard marque would be more valuable to the extent that a) it reduces costs from PayPal type service providers, b) it removes them from onerous data security costs, and c) relieves them from legal or fiscal liability should the data be compromised. These services are valuable to merchants and would have great appeal to cardholders.

Finally, though the Internet has been widely adopted by nearly the entire population demographic range, there is a significant residual of fear among potential online purchasers. Every advertisement for identity theft protection or free-credit-score-checking feeds this resistance. By making incorporation of this data channel a requirement for e-tailers, MasterCard could improve the value of the marque to all parties.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
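
The flow proposed in the letter above, where the network collects the card data and the merchant sees only a message ID and the decision, can be sketched as a small simulation. This is an added example, not part of either post; the class names, the test card number and the single-use handling of the message ID are assumptions made for illustration.

```python
import secrets

# Constructed issuer ledger; the card number is a made-up test value.
ISSUER = {"5555555555554444": {"exp": "12/30", "cvc": "123", "limit": 500.0}}

def issuer_authorize(pan, exp, cvc, amount):
    acct = ISSUER.get(pan)
    return (acct is not None and acct["exp"] == exp
            and secrets.compare_digest(acct["cvc"], cvc)
            and amount <= acct["limit"])

class Network:
    """Hypothetical authorization network between buyer and merchant."""
    def __init__(self):
        self.pending = {}  # message_id -> (merchant_id, amount)

    def open_session(self, merchant_id, amount):
        # The merchant gets back only an opaque, unguessable message ID.
        message_id = secrets.token_urlsafe(16)
        self.pending[message_id] = (merchant_id, amount)
        return message_id

    def submit_card(self, message_id, pan, exp, cvc, email):
        # Card data is entered on the network's screen, not the merchant's.
        session = self.pending.pop(message_id, None)  # single use: no replay
        if session is None:
            return {"message_id": message_id, "approved": False}
        _merchant_id, amount = session  # amount fixed at open_session time
        ok = issuer_authorize(pan, exp, cvc, amount)
        # Forward only the decision and the email address to the merchant.
        return {"message_id": message_id, "approved": ok, "email": email}

class Merchant:
    def __init__(self, merchant_id, network):
        self.merchant_id, self.network, self.orders = merchant_id, network, {}

    def checkout(self, amount):
        message_id = self.network.open_session(self.merchant_id, amount)
        self.orders[message_id] = {"amount": amount, "status": "pending"}
        return message_id

    def record_result(self, result):
        order = self.orders.get(result["message_id"])
        if order is None or order["status"] != "pending":
            return "ignored"  # unknown or already-settled message ID
        order["status"] = "approved" if result["approved"] else "declined"
        order["email"] = result.get("email")
        return order["status"]
```

The merchant's order table ends up holding an amount, a status and an email address per message ID, so a breach of the merchant's database exposes no card number, expiration date or CVC.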