More Big Bank Stupidity -- Aimed At Small Business in [Market-Ticker]

Posted 2012-01-18 10:04
by Karl Denninger
in Small Business

More Big Bank Stupidity -- Aimed At Small Business

There's a rather active thread on the forum right now about this topic and it's*****ing me off, so I thought I'd expand on it and write on it here.

If you're a small business and accept any form of "plastic card" payment, you have issues to deal with regarding security. The only exception is firms that have a "swipe" reader and store nothing -- in other words, they use one of the "XON" terminals or similar.

If you have a computer system that takes credit card orders and numbers, you have this issue.

Small Merchants
You must secure cardholder data to meet Payment Card Industry rules!
Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!
Learn how the PCI Data Security Standard can protect cardholder data and prevent theft.

Yeah, payment card industry rules intentionally designed to make it possible for them to slough off their responsibility for security onto you, the small merchant, thereby intentionally disadvantaging you as a business compared to those larger firms that have monstrous internal IT support structures.

I've got more than a bit of experience with this, having dealt with it when I ran MCSNet in the 1990s. Back then we had the same problem but dealt with it in what were at the time reasonably-effective means.

In short the problem comes about as soon as you accept and store, for any length of time, a credit (or debit) card number. That number, plus an expiry date, forms the ability to charge the customer's card. When coupled with a CVV number (the three or four-digit number on the back) and/or a customer address, it's even more important as the former is not on the magstripe and the latter allows an "AVS" (address verification) match.

If you read the standards you'll find that they not only mandate that you "prevent" the theft of this data but they're now requiring audits by so-called "trusted parties" to verify compliance. Exactly how this process works is probably open to some negotiation but if you certify compliance and then later have a breach you're in trouble -- big trouble. Potentially business-ending trouble, as the fines are per card stolen.

When we started dealing with this back in the 1990s I went to the merchant processor we were using with a means to fix the problem permanently. They ignored me. Since this is back in the public consciousness I want to outline where the problem is, what I proposed back in the 1990s, and hopefully, through doing so, will cause small merchants to bring pressure through Congress, if necessary, to put a stop to the rabid anticompetitive behavior that is exhibited by these networks with their "rules."

Let me begin: We all want secure networks and consumers have every right to believe that when they go into a store or shop online their data will not be stolen and then used to rob them. This is an entirely-reasonable expectation and it's not that hard to do. But the merchant networks have designed procedures that could be easily tightened to prevent most data breaches from being effective, along with destroying the value of "stolen" databases in the "carder" network world.

The merchant networks have failed to do this and given the simplicity of doing so I argue their failure is intentional and has the effect of being severely anti-competitive to small and medium-sized businesses.

Today many merchants pretty-much have to store card numbers for three reasons:

Return fraud. In short it's against card issuer rules to issue a credit to a card that you did not originally charge. Customers will occasionally try to do this for various reasons. They will also try to buy something on a card and then return it for cash, which is a round-about way to get a cash advance without paying the fee for doing so. You're required as a merchant to prevent these acts by your merchant agreement. In order to do so you need to be able to verify that the means of a refund or credit matches the original payment form.
Chargeback investigations. Do you need that number? Most of the time no, but once in a while yes. The reasons for this are somewhat complex but if you think all issuers are straight-forward when you get a chargeback you're wrong -- they're not, and sometimes you suspect (or are very sure, because your system says so and so does your bank account) you already refunded the card. How do you prove the refund happened to the specific account in question if you don't have the number involved stored?
Recurring billing. If you're an online service provider of some sort then you probably want to offer this. Some merchants don't -- on purpose -- because recurring billing often winds up generating a lot of complaints over hard-to-cancel charges and thus can generate a lot of chargebacks. But many merchants believe these risks are outweighed by the "convenience" to customers (and the flowing revenue from those who forget!) of "automated" billing. To do that you must have the card number on file to be able to resubmit it.

These two factors mean that many brick and mortar and virtually all online merchants (or those with any online presence at all) wind up having to store card numbers. This then turns their database into a treasure trove of useful information as the customer data (address, etc) along with the card number and expiry date is present. If stolen this is extremely useful, and when stolen in bulk it's very valuable indeed!

This is what drives the security and audit policies.

But those policies are never going to work. All security of this sort devolves into security of the key space, assuming secure encryption protocols. If I can steal the encryption key(s) used for a storage system I can steal the data. If I can compromise the system while it's running I don't need to steal the encryption keys, as I can just ask for the data and it will be provided through the currently-valid set of credentials. Both are a problem and the solution is not to have millions of merchants with supposedly-secure data stores where the security of all depends on effective key management. That is only defensible as a design if it is necessary.

This design is not necessary. It's done this way because the processing networks find it convenient to offload good security practices and their costs onto the small merchant, and in the process of doing so they not only radically increase your costs as a small merchant they destroy security for everyone, including consumers.

Look folks, this problem is not hard to solve. The merchant processors could easily change their operating protocol to work like this:

When you authorize a transaction the merchant processor, in addition to sending back approval, sends back a cryptographic token (e.g. a 32-byte HEX value.) This value may be stored by the merchant if desired. The merchant thus never stores any card data at all.
The returned token is valid until the later of some time period (e.g. 1 year) or the expiry of the card involved. It can thus be submitted in place of a card number in the future to authorize either charges or refunds. However, and this is the important point, it is valid only when presented from the merchant that originally obtained it.

Now you have a database that is utterly worthless if stolen. If I manage to rip off a database full of MD5 hashes I have nothing since the only way I can use them is to debit or credit the original merchant's account! Not only can I not use them with any other merchant I also can't reverse them into the card numbers themselves. The hashes thus have no value to a thief as they're unusable to do anything other than put money into (or take money from) the original merchant's account, which is of no value to him.

Note that the hash does not necessarily have to be globally unique -- it just must be unique for a given merchant during the time domain where it is valid. Only the processing network -- or the issuing bank for the card -- knows if the hash is valid or not in association with a specific merchant ID.

Incidentally there are card issuers that do this for "online shopping" -- Discover's "Deskshop" application is one of them. It generates "random" card numbers (tied to you) that are good only at the place first used and some of them allow multiple uses at the same merchant. But this model, in the generalized sense, is not implemented in the wire protocols for merchant processing networks.

Implementing this change reduces the problem domain at the merchant end to securing the physical network on which card numbers are fleetingly present during the original transaction processing process -- a much simpler process. Since there is now never a reason to store a card number, any storage of a card number, expiration date or CVV is now prohibited -- period -- and if caught doing it no matter who you are, big or small, your merchant account is permanently revoked.

At the same time the perfectly-valid business reasons to be able to ascertain with certainty that you refund to the original payment method remain intact and recurring billing is made easy. In fact, if you have brick-and-mortar locations and want to offer recurring billing you can now do so and get the security of "card present" chargeback protection since the original authorization that generates the MD5 sum can be done off a swipe! This is a significant boon to merchants and in fact was one of the reasons I wanted this back in the 1990s -- it would have been nice to be able to capture a digital picture and a physical card-swipe for customers who were willing to come into our office and set up recurring billing that way, thereby proving (1) they were there and physically authorized the transactions, and (2) that the card was physically present. Having such a token valid for a period such as one year (or the expiry of the card if less) would be perfect for most uses such as this.

Note that this change would shift the responsibility for security of the "large" data stores where it belongs -- to the processing networks and banks. Large-scale data breaches from merchants would instantly cease; if such a breach occurred in the future it would have to have come from either the bank or processing network itself.

More than a decade after I first proposed this with the noose tightening around the necks of small business it is time to push back hard against these monopolists. The merchant networks are at their core anticompetitive things which is why Dodd-Frank targeted swipe and interchange fees.

There is absolutely no reason for businesses to have to store card numbers on their networks if the card processors take an actual interest in real security instead of increasing merchant costs and presenting the appearance of security.

We're well past the point where small merchants should sit for this abuse.

Ps: Before the wailing starts on the use of MD5: It does not matter if the means of generating the hash is cryptographically secure. Think it through folks -- use of MD5 (or SHA-256) is simply for convenience -- the only important thing is that a valid hash is only valid for a given customer and merchant, and only the issuing institution knows if a presented value is valid from a given merchant. Sparse key spaces are desirable for attempted hack detection easier and tend to be more efficient during index lookups, but that's all. The processing network needs only the first four numbers of the card + the cryptographic sum -- the first four on a card are the issuer ID and thus route the transaction. There is no problem with merchants storing that, if you want merchant account portability, as the list of valid issuers is public and it doesn't help you get a valid account number.

Discussion below (registration required to post)

User Info	More Big Bank Stupidity -- Aimed At Small Business in forum [Market-Ticker]
Mortgageguymn Posts: 1563 Incept: 2009-03-09 North Coast	Explaining & promoting Liquid Salt Thorium Reactors, devising Electronic Payments Systems, Re-configuring the health care payment system, fixing front-load washers... where does it end, Gen? Even if people want to nit-pick some of your ideas, at least you bring a lot of damned important ideas to the fore. I almost convinced my lefty brother that we need to make student loans dischargeable in bankruptcy. He thinks federally-enforced price controls on tuition are the way to go. He is borderline insane, lives in DC and lives off of government contracts. The irony is that people like him run the government and some people think o'l Denninger's a kook. We need more kooks. PS. my liberal brother is the only person I know who has personally admitted to voting twice in the same election. Of course, he opposes voter photo ID, since it's "discriminatory" and there is no fraud to speak of... 2012-01-18 10:27:41 Permalink
Tesla Posts: 15541 Incept: 2008-04-03 State of Disbelief	Indeed. If anyone has read the PCI standards, all hundreds of pages of them, this would be obvious. No merchant can possibly be in compliance without spending tens of thousands of dollars. Here folks, get educated on what the processors require you to do to be compliant: https://www.pcisecuritystandards.org/sec.... ---------- "Even a dog knows the difference between being stumbled over and being kicked." -Justice Oliver Wendell Holmes "Neither the wisest Constitution nor the wisest laws will secure the liberty and happiness of a people whose manners are universally corrupt." -Samuel Adams 2012-01-18 10:54:46 Permalink
Firefly76 Posts: 49 Incept: 2011-08-09 Houston TX	Karl, You should submit this to BO's new czar of consumer financial protection. I'm sure he is a legit guy. 2012-01-18 11:00:10 Permalink
Truthseeker Posts: 8474 Incept: 2007-10-07 NorCal	Genesis wrote.. The merchant networks are at their core anticompetitive things The TRUTH! Anti-competitive, monopolistic, well-financed, and intentional. All the very reasons your simple solution was not implemented. We'll see what level of "little guy destruction" occurs before something like it is done. ---------- "...But people better realize that the worst-case scenario could actually happen.9/11 happened. This can happen. An economic 9/11, the likes of which we've never seen." Gerald Celente 2012-01-18 11:09:58 Permalink
Rdytmire Posts: 1022 Incept: 2008-07-07 Atlanta Ga	After going through a full PCI audit I can say that's your suggestion is considered "best practice" and encouraged. http://corporate.visa.com/media-center/p.... Actually, this is EXACTLY how we implemented merchant card processing for a client (the client stores credit card data at corporate but it NEVER gets transmitted anywhere but the processor, via a separate physical line). One end of the system can receive data (the more "public" facing one, which is behind all kinds of security) and the other end processes the requests. Everyone else gets a token, which MUST come from the initial authorizing location or it's considered a hack and invalidated. So the stores don't have to save any data except a token, which is meaningless if not submitted by the location using a specific set of credentials / methodology and a valid logged in user who is ALSO authorized in the domain to process cards...whew... Heck, I wrote the (client end) system and don't think I could hack it. If you're small, use something like Braintree, although it will cost ya. ---------- "Awesome: I'm a pig and a bigot." - Bezzle "I don't want a government that's able to effectively know whenever a circumcision happens." - Mrbill 2012-01-18 11:21:14 Permalink
Genesis Posts: 130717 Incept: 2007-06-26	Rdy, the problem is that this should be implemented AT THE ISSUING BANK and honored through the network. Building systems that advantage large businesses is BULL**. And again, I recommended this to the merchant networks IN THE MID 1990s!** ---------- I don't care* if it makes sense -- only if it makes money. -- Me* Bank (n): See scam, fraud and theft. *Eat a bankster -- they're low-carb.* *What part of "shall not be infringed" was unclear?* Last modified: 2012-01-18 11:27:02 by genesis 2012-01-18 11:26:33 Permalink
Tristan Posts: 572 Incept: 2009-04-08 Spirit of '76	This is both a simple and fantastic idea, as well as damning evidence of collusion against small enterprises, because it is little more than standard authentication practice. A credit card number is really no different than a password. It's a personal, private authenticator. If I create an account at a website--an account not even tied to my financial well being--my password will still be stored as a hash and the site database will hold nothing terribly useful as far as granting unauthorized access to my account. The other great thing about hashes is that they can be salted with all sorts of information--expiration date, zip code, random numbers--to make it next to impossible to get anything useful out of them via rainbow tables and the like. A straight hash of a credit card number can be broken by brute force, but if there is a "secret ingredient" or two in there as salt, it would take a miracle to crack it. The only thing to watch with using hashes as authenticators for a credit card system is to verify when issuing a hash that it is unique among whatever subset is relevant, in this case, accounts at a given merchant. Hash collisions do happen, however unlikely, so that would have to be addressed. Unfortunately, this would make service providers responsible for the quality of their service and limit profits to actual value created. 2012-01-18 13:18:10 Permalink
Steph4liberty Posts: 1683 Incept: 2010-10-22 Raleigh, NC	Sometimes the best solutions are the simplest ones. Your solution makes sense to me...seems like a no-brainer. The only storage needed is by the merchant processor for all of the tokens and expiration dates with the matching merchant name. ---------- "Man will never be free until the last Banker is strangled with the entrails of the last Politician" - unknown "This isn't a market anymore, it's a computer game." - Drench 2012-01-18 13:22:41 Permalink
Genesis Posts: 130717 Incept: 2007-06-26	It's not difficult at all. An authentication doesn't return a collision Tristan, since the merchant has the routing data (first four) and it CAN'T collide at the issuing bank (they're responsible for the credential and THEY can't have a collision either, so they simply won't issue one that does collide.) ---------- I don't care* if it makes sense -- only if it makes money. -- Me* Bank (n): See scam, fraud and theft. *Eat a bankster -- they're low-carb.* *What part of "shall not be infringed" was unclear?* 2012-01-18 13:24:36 Permalink
Tristan Posts: 572 Incept: 2009-04-08 Spirit of '76	Quote: ...so they simply won't issue one that does collide. This could be a monumental task for serial fraudsters. 2012-01-18 13:41:23 Permalink
Genesis Posts: 130717 Incept: 2007-06-26	Well if it collides then it's their problem since they issued it ---------- I don't care* if it makes sense -- only if it makes money. -- Me* Bank (n): See scam, fraud and theft. *Eat a bankster -- they're low-carb.* *What part of "shall not be infringed" was unclear?* 2012-01-18 13:54:45 Permalink
Mannfm11 Posts: 3539 Incept: 2009-02-28 DFW, Tx	Small business doesn't have a stock that can be flash traded for profit. ---------- The only function of economic forecasting is to make astrology look respectable.---John Kenneth Galbraith 2012-01-18 13:55:49 Permalink
Dtlgc Posts: 936 Incept: 2007-11-26 Texas Online	Thank Karl - just sent this to my local representative, for what thats worth. 2012-01-18 14:11:34 Permalink
Kochevnik Posts: 547 Incept: 2007-07-30 Dallas TX	Karl as noted above - you are one sharp cookie and you prove that there are lots and lots and lots of solutions to all the problems we face. But from a big-foto standpoint, it never ends does it ? The screws just get tighter and tighter until all the small guys (who keep this country functioning) eventually just say **** it, close the doors and go home to spend their days taking naps. I think there was a book about that ... Written by some chick named Rand or something (LOL) ---------- There are decades where nothing happens - and there are weeks where decades happen. -- Vladimir Ilyich Lenin 2012-01-18 14:11:55 Permalink
Tristan Posts: 572 Incept: 2009-04-08 Spirit of '76	Gen, sounds like too much risk for the primary beneficiary... yeah, this is pretty cut and dry. Absolute anti-competitive behavior hiding under a VERY thin veil of technology. I've been through PCI compliance and it is a monstrous waste of resources--and we don't even store any data! Mann, it also allows for too much individual liberty. Next thing you know people will start thinking they don't need big banks and big corps and big gov handouts to survive. It's amazing how blatant it is, yet politicians still talk about how important small business is and how they will do this or that to help it. Well, they'll help the ones who behave appropriately / support their campaigns... 2012-01-18 14:22:24 Permalink
Genesis Posts: 130717 Incept: 2007-06-26	Yeah, ** that. I started looking into it again, as I noted, a couple of years ago and was going to do my own merchant software to link to the forum. Then I started looking at what I'd have to do to meet requirements, and said " it." These ***s are still in the 1980s and think pushing these costs onto the small merchants is acceptable. ** them with a chainsaw sideways -- one of the intermediaries (T-Sys) still spams me from time to time as I had made contact with them, but I refuse to code against their API (or anyone else's) until these assjackets fix the underlying problems. It's simply not worth it. ---------- I don't care* if it makes sense -- only if it makes money. -- Me* Bank (n): See scam, fraud and theft. *Eat a bankster -- they're low-carb.* *What part of "shall not be infringed" was unclear?* 2012-01-18 14:29:55 Permalink
Tz Posts: 785 Incept: 2007-09-18 varies Banned	Except for a vandalism attack. Some hash-hole might decide to put through 100 shoes on the credentials. The value is not always theft, there is simple disruption. ---------- "I am become debt, destroyer of worlds" 2012-01-18 16:45:08 Permalink
Cawoodruff Posts: 110 Incept: 2008-04-17	That is one reason I like squareup. Free reader to use with your smart device, ability to look at transactions but no storage of credit card data. Note the swiped rate is higher at 2.75%, but no transaction fees or monthly fees. And no termination charges. Does take Amex,visa,mc. Disclosure no affiliation. It like it and for a small biz cheaper. Last modified: 2012-01-18 17:29:42 by cawoodruff Reason: Typooooooos 2012-01-18 17:28:30 From PDA Permalink
Poid Posts: 610 Incept: 2010-03-08	it amuses me that this much attention is placed on small business credit card security, and yet many of the "big boys" out there store unencrypted credit card and account information in plain text files on a company network accessible to anyone that is logged in to the network. 2012-01-18 19:19:26 Permalink
Caton Posts: 31 Incept: 2010-10-24 Neuilly-sur-Marne, France	About 10 months ago I started looking into the payment system for Autolib' in Paris, France. I quickly decided the cost and delays associated with a PCI-DSS certification made it impossible for us, and started looking for an alternative solution. I found a French credit union, the CIC, that, with Ingenico payment terminals, proposed a solution identical to your proposal. The consortium handling credit card payments in France (GIE CB) allowed it as a trial, and it is now in place and working well. 2012-01-18 20:12:02 Permalink
Jpg Posts: 329 Incept: 2009-03-23 MI	Quote: The returned token is valid until the later of some time period (e.g. 1 year) or the expiry of the card involved. It can thus be submitted in place of a card number in the future to authorize either charges or refunds. A minor nit-pick: What if I buy something with a card that expired 'tomorrow', so in two days the token is expired. Then, in a couple of weeks, I determine that whatever I bought is defective and I want to take it back for a refund. How would that work? Keep the token valid for an extended period for refunds? 2012-01-18 20:24:29 Permalink
Genesis Posts: 130717 Incept: 2007-06-26	Yes. The point is to prevent charges on expired cards. ---------- I don't care* if it makes sense -- only if it makes money. -- Me* Bank (n): See scam, fraud and theft. *Eat a bankster -- they're low-carb.* *What part of "shall not be infringed" was unclear?* 2012-01-18 20:26:28 From PDA Permalink
Xqqme Posts: 625 Incept: 2009-01-09 Ohio	Can I reprint this to let our customers read and understand why we don't take credit cards? 2012-01-18 23:00:47 Permalink
Genesis Posts: 130717 Incept: 2007-06-26	Yes ---------- I don't care* if it makes sense -- only if it makes money. -- Me* Bank (n): See scam, fraud and theft. *Eat a bankster -- they're low-carb.* *What part of "shall not be infringed" was unclear?* 2012-01-18 23:23:19 From PDA Permalink

Genesis wrote..

Quote:

Quote: