The Green Sheet Online Edition

April 25, 2011  •  Issue 11:04:02


Circumvent cyber theft through education

By Tony Griffith

As the payments industry strives to ensure the safety of consumer payment information and negate the potential for fraud, criminals are hard at work devising new and more powerful exploits aimed at gathering that valuable cardholder data. The new breed of fraudsters, armed with an impressive array of web-based tools, is cause for alarm.

While the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application (PA) DSS have helped make data more secure, these methodologies, policies and procedures alone will not be able to help in all possible and emerging scenarios. As technology improves data security, fraudsters will adapt to the advances and inevitably introduce new attack vectors that will create new vulnerabilities in security systems.

So the question is, what can be done to counter future threats and keep data safe? Well, it seems the answer is both the oldest known and least technological defense: education.

The public's need to know

The year is 2011, and the evolving payments landscape demands technologies such as Bluetooth 802.15, which is used in mobile payment hardware; radio frequency identification (RFID), used in credit and debit cards; wireless 802.11, used in mobile ATMs; and embedded operating systems, also used in ATMs.

The same landscape demands that those wishing to gain access to sensitive data use equal or superior technology, including high-speed field programmable gate array chips, which are used to crack encryption algorithms; flash storage devices, used to reprogram ATMs; RFID sniffers, used to lift account information off of cards; and even decoy installations, which include fake ATMs, fake readers and their ilk.

While it is astounding to realize how many ways to both steal and protect sensitive data exist, it is even more astonishing to know how little is being done in the way of public education to help avoid problems in the first place.

Examples of common vulnerabilities that could be negated by more effective consumer, and even merchant, education include:

Both of these common security failures offer attack vectors that are popular with criminals. This is a direct result of users not being sufficiently educated on exactly how to properly protect themselves when using those technologies.

To further understand this, consider the following: bankcard fraud will cost more than $1.5 billion again in 2011, and it will be up to issuers and cardholders to foot the bill. Most of the information used to generate that prodigious dollar figure will be obtained secretly - and without detection - on unsecured networks.

Equally detrimental to security is that the general population doesn't even understand why it is a bad idea to drop a credit card purchase receipt into the nearest waste bin without ripping it to shreds first. Again, education can help here.

Education as countermeasure

Now, let's take a look at the potential industry effects, as well as simple solutions, to these types of emerging threats using the concept of education as a countermeasure.

It is well known that public perception can be shaped and largely controlled through marketing. It is also a fact that using marketing as a perception control mechanism has its limitations. Public perception can be shifted by anyone with enough knowledge to exploit the Internet or other forms of mass communication.

Currently, the payments industry enjoys a public perception similar to that of the public utility industry, which is seen as an integrated part of the overall infrastructure that enables us to live modern lives. Everyone knows that you need public utilities and that they come with some associated cost.

However, when an entity described as a "public utility" is found or perceived to be disadvantageous to the public, it may have to deal with the resulting adjustments to the general public perception.

There has recently been a shift in the public perception of several "public utilities," such as financial institutions, as a result of the global financial crisis and the discoveries that have come to light following investigations into its root causes. The public has made adjustments to its perception and has changed (at least for now) its behavior related to the affected industries.

A good example of this is how many people have decided to let their adjustable mortgages lapse, walk away from the associated properties and not worry about the resulting lowered credit scores. On top of that, many young people no longer trust the lending industry.

The vulnerability of payments

It is obvious that if people do not trust an industry to keep them safe (even from themselves), they may choose alternate lifestyles that do not involve that industry.

While that may sound like something that could not affect the payments industry, understand that just such a shift in perception could stifle our business from every angle. A shift in public opinion can spread like wildfire because of global connectivity and social networking.

As you read this, the following thought should have crossed your mind: the PCI Security Standards Council has done a fantastic job with the PCI DSS, PA DSS and PIN Transaction Security DSS and everything else to help us operate as securely as possible, but it is usually the end user that is the root of security problems.

If you had that thought, you were right. But now think about this: End users will not blame themselves if the RFID card they have in their pocket gets skimmed. They will blame the issuer, then the technology and then, if things have gone really bad, the industry.

The payments industry's collective reputation can't be put into the hands of hackers who operate from the corners of coffeehouses, shopping malls, schools and even sporting events. We need to make it very hard for that type of crook to operate, and the way to do this is to educate potential victims.

The effectiveness of simple solutions

A mandated minimum level of data security education for every card-carrying patron could include provisions for short, recorded security tips to play when a user calls an interactive voice response system to activate a card. The messages would not need to be exhaustive, just informative.

This type of simple solution could save time and money in the long run, as well as help to boost and strengthen consumer confidence without the industry having to resort to expensive media barrages to force-feed information.

After all, reaching people at the precise right time with pertinent information is always more effective than bombardment. An example of this would be "Close cover before striking," which appears on most matchbooks. It is a helpful reminder at just the right time.

By training customers properly, you are performing high-level customer service, and you will directly benefit over time. The payments industry, as a whole, stands to reap great benefits from taking on this mission and arming its consumers with the ultimate countermeasure: education.

Tony Griffith is an Integration Specialist with a leading integrated payments company and has over 20 years of experience in technology, management, customer service and training. He can be reached via email at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
