Now that Visa is a public company, it needs to take responsibility for the harm it creates.
The antiquated system of trading credit card numbers is something that only seems reasonable in a pre-1978 world, one without public-key cryptography.
A modern credit card authorization scheme should look something like this:
- Merchant requests a transaction from Visa for a specified amount of money, in a signed/encrypted message
- Merchant passes the transaction details to the client in a signed/encrypted message
- Client (human) accepts or declines the terms of the transaction by sending a signed/encrypted message to Visa. Entering a credit card number is optional, and could be replaced by a certificate/PIN.
- Merchant checks the transaction's status via a signed/encrypted exchange with Visa.
- Merchant handles returns/exchanges by referring back to this same transaction
This could be implemented today with a simple browser extension, or integrated into future web browsers. A physical token (smartcard) is even better, and extends the model beyond Internet transactions.
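The scheme above, worked through as an added example (not code from the original post): a toy Go implementation in which every party holds an Ed25519 key and every message is signed, with a `Network` type standing in for Visa. The identifiers (`merchant:hannaford`, `card:acct-42`, `tx-1`), amounts and message layout are assumptions made for the example; transport encryption (TLS) is assumed and not modelled, only the signatures are. The point to watch is what the network stores: public keys and signed terms, never a card number.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Msg is the one message shape used at every step (unused fields stay zero). It carries no card
// number: From is a non-secret handle ("merchant:x" or "card:y") mapped to a registered public key.
type Msg struct {
	Kind, TxID, From string // Kind: request | accept | status
	Cents            int64
	Accept           bool
}
// Signed is the JSON-encoded Msg plus the sender's Ed25519 signature over it.
type Signed struct{ Body, Sig []byte }
func Sign(priv ed25519.PrivateKey, m Msg) Signed {
	b, _ := json.Marshal(m)
	return Signed{b, ed25519.Sign(priv, b)}
}
// Open verifies s against pub and decodes it; an unknown sender (nil pub) fails closed.
func Open(pub ed25519.PublicKey, s Signed) (m Msg, err error) {
	if pub == nil || !ed25519.Verify(pub, s.Body, s.Sig) {
		return m, errors.New("signature check failed")
	}
	err = json.Unmarshal(s.Body, &m)
	return m, err
}

// Network plays Visa: a key registry plus the ledger. Nothing it stores could be used to charge a card.
type Network struct {
	Keys   map[string]ed25519.PublicKey
	reqs   map[string]Msg    // TxID -> the merchant's original signed terms
	status map[string]string // TxID -> pending | approved | declined
}

func NewNetwork() *Network {
	return &Network{map[string]ed25519.PublicKey{}, map[string]Msg{}, map[string]string{}}
}

// Handle verifies one signed message, applies it to the ledger and returns the transaction's
// status (a real network would sign that reply as well; omitted here).
func (n *Network) Handle(s Signed) (string, error) {
	var peek Msg // unverified: used only to pick which registered key to verify with
	_ = json.Unmarshal(s.Body, &peek)
	m, err := Open(n.Keys[peek.From], s)
	if err != nil {
		return "", err
	}
	r, known := n.reqs[m.TxID]
	fromCard := strings.HasPrefix(m.From, "card:") // only cards accept; only the opening merchant may refer to a tx later
	if (m.Kind == "accept") != fromCard || m.Kind != "request" && (!known || !fromCard && r.From != m.From) {
		return "", errors.New("message not allowed for this sender or transaction")
	}
	switch m.Kind {
	case "request": // step 1: the merchant fixes the amount before anyone is asked to pay
		if known || m.Cents <= 0 {
			return "", errors.New("duplicate TxID or bad amount")
		}
		n.reqs[m.TxID], n.status[m.TxID] = m, "pending"
	case "accept": // step 3: the decision must name exactly the amount the merchant asked for
		if n.status[m.TxID] != "pending" || r.Cents != m.Cents {
			return "", errors.New("already decided, or amount mismatch")
		}
		n.status[m.TxID] = map[bool]string{true: "approved", false: "declined"}[m.Accept]
	case "status": // step 4: the owning merchant asks; nothing to change
	default:
		return "", errors.New("unknown message kind")
	}
	return n.status[m.TxID], nil
}

// ClientAccept is step 2: the cardholder verifies the merchant's signed terms (nothing is signed
// blind) and signs a decision only the network can act on. No card number is ever typed or sent.
func ClientAccept(priv ed25519.PrivateKey, acct string, merchantPub ed25519.PublicKey, req Signed, limit int64) (Signed, error) {
	m, err := Open(merchantPub, req)
	if err != nil || m.Kind != "request" {
		return Signed{}, errors.New("merchant request failed verification")
	}
	return Sign(priv, Msg{Kind: "accept", TxID: m.TxID, From: acct, Cents: m.Cents, Accept: m.Cents <= limit}), nil
}

// Demo runs the whole flow with constructed IDs and returns the status the merchant sees.
func Demo() (status string, err error) {
	mPub, mPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	cPub, cPriv, _ := ed25519.GenerateKey(nil)
	net := NewNetwork()
	net.Keys["merchant:hannaford"], net.Keys["card:acct-42"] = mPub, cPub
	req := Sign(mPriv, Msg{Kind: "request", TxID: "tx-1", From: "merchant:hannaford", Cents: 8750})
	acc, err := ClientAccept(cPriv, "card:acct-42", mPub, req, 10000)
	steps := []Signed{req, acc, Sign(mPriv, Msg{Kind: "status", TxID: "tx-1", From: "merchant:hannaford"})}
	for i := 0; i < len(steps) && err == nil; i++ {
		status, err = net.Handle(steps[i])
	}
	return status, err
}

func main() { fmt.Println(Demo()) }
```

What this buys over the card-number model: a breach of the merchant's database yields signed transaction records that cannot be replayed (the TxID is already decided) and cannot be re-targeted (the amount and TxID are inside the signed body), and a breach of the network's registry yields only public keys. The checks that do the work are the ownership test before the switch, which stops a merchant from accepting its own transaction or querying another merchant's, and the amount comparison in the accept step, which stops a merchant from showing the client one figure and charging another. Returns, the last bullet above, would be one more merchant-signed kind against the same TxID, bounded by the approved amount; it is left out here to keep the example short.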
Just today I learned that my credit card number may have been compromised by shopping at Hannaford’s. There’s no reason for Hannaford to have held onto card numbers for this length of time; that’s just reckless. But there’s also no theoretical reason for them to have to store credit card numbers in the first place.
How many times are we going to have to go through the cycle of:
* merchant gets hacked
* new cards are issued
* everybody changes all of their automated billing setups
before everybody gets fed up? My wife’s card was compromised last summer by shopping at TJ Maxx, and now her card and mine have probably been compromised at Hannaford’s. Given enough time, all the merchants are going to get hacked. This will be her second replaced card in a year, and there’s still time for a third. This rate will only accelerate.
More importantly, the current system is a house of cards [ouch – ed.] built on the assumption that every merchant with whom you do business has bullet-proof security. PCI is a pathetic attempt to impose IT security upon merchants, but it’s full of holes, and can never be perfect, no matter how hard everybody tries.
The real secret is that PCI is just an attempt to cast blame on the merchants and make them shoulder all of the costs, when Visa is capable of making the whole problem go away and has been for some time.
The disconcerting aspect is that as a non-profit they should have been more willing to do this. Let’s hope real security is an intended use of proceeds from their IPO.
If not, they’ll be displaced by somebody offering much better rates to all the merchants and shopping without fear to the cardholders. Sure, it’ll require large capitalization, but the value proposition is immense. Drop me a line if you want to fund this. 😉
A massive increase in fraud crimes should make the government and banks realise that their data protection and Chip and PIN systems are diverting rather than deterring fraud crimes.
This shows that fraud will continue to grow until they exploit the KEY and PIN system described on the website http://www.xwave.co.uk, which will deter fraud crimes by making signature and PIN systems reliable and foolproof.
Fake documents have made our signature system unreliable, while skimmers and pin-hole cameras etc. have made the PIN system unreliable. We have the option to make signatures reliable by personalising them with ID stickers, and the option to use the Card Key Code to make the PIN system reliable, making the use of stolen and skimmed cards meaningless. By declining to exploit this system, banks are only letting fraud crimes grow.
The ID KEY system will eliminate the need for us to protect our personal and card details, since fraudsters will be deterred from misusing these stolen details.
The proposed ID KEY can be treated as a reliable international ID card, because it will personalise the signature and PIN number to only the right individual in any country.
We hope that the government and banks will appreciate these details and exploit the KEY and PIN system before it is too late to stop a fraud boom.