Does chip-and-PIN actually solve the problem? Find out by asking these questions

Defining any problem in terms of the solution is a dangerous, if not common, shortcut. We need to ask some hard questions and have a serious discussion about chip-and-PIN before presenting it as the solution or we risk the credibility of the industry.

In the wake of large catastrophic events, which now include data breaches, people demand action. Sometimes action is more important than answers.

Those demands trigger a raft of solutions aimed at mollifying the growing calls for action.

In the wake of the Target data breach, the US Congress is holding hearings. In testimony this week, the CFO of Target signaled a desire to speed their plans to adopt chip-and-PIN, but noted they can't go it alone and need other retailers to follow suit.

That makes for a good headline and is a skillful way to divert attention from the reality of their data breach. But chip-and-PIN would not have prevented the Target or other recent breaches.

Which begs the question, "why focus on fraud solutions during an investigation of how a data breach happened?"

It defines the problem in terms of a potential solution. That's dangerous and it's risky for the credibility of the security industry.

What's at stake if we get this wrong

This article introduces the questions necessary to frame both the challenge and the solution. The order matters: define the problem, then the solution.

If we skip this step and blindly recommend chip-and-PIN as a solution, companies will likely spend billions of dollars to combat a perceived problem.

Here's the risk of collectively defining the problem incorrectly: the “solution” of chip-and-PIN could result in:

  • No change in the levels of fraud
  • Increased transaction costs for retailers and consumers
  • Data breaches continue, unabated

That kills the credibility of security professionals and sets back the entire industry. It's a challenge bigger than payment cards, but that's the current focus and our best opportunity to get things right.

Before we rush in with a solution, we need to encourage the discipline necessary to step back, take a breath, and employ different thinking than what got us here.

To be upfront, these aren't leading questions. I don't have answers for several of these. I anticipate more conversations that generate more and better questions.

This is an opportunity to contribute your knowledge and experience. Ask questions, offer answers, and engage.

The first 3 questions

As the clarity from hindsight revelations surfaces, it’s time to bring people together and focus on the problem or problems we need to solve.

Whether with clients or in general (which my family just *loves*), I simply start with 3 questions:

  • What is the problem we are trying to solve? In this case, is the problem data breach, fraud, something else, or maybe all of the above?
  • Is that the problem we need to solve? Just because we can solve a problem doesn't mean we should. The key is to surface, understand, and solve the right problems.
  • Do the benefits of the solution outweigh the costs? Leave it to me to question the value.

These seemingly simple questions are deceptive. Rarely are the first answers accurate or complete. Before providing a series of either terse or exceptionally long answers, consider the following sequence of questions to guide a more fruitful discussion.

Is the real challenge fraud? Doubtful.

When I ask why we should focus on chip-and-PIN, the most common response is "to reduce fraud."

I challenge both the framing of the problem and the potency of the solution.

When I studied economics in college, full employment was 96%, which means it was acceptable for 4% of the eligible and “looking for work” population to be without employment. Lately, it seems that 95% is considered full employment, increasing the tolerance for those unemployed but seeking work or transitioning to 5%. Either way, it's a known, measured, and reported number.

When it comes to credit card fraud, the numbers are a bit murkier and more secretive. The whisper number I’ve heard for nearly two decades is 4%. As long as the fraud is kept to 4% or less, it’s an acceptable rate.

Maybe my number is wrong. If so, what does the payment card industry accept? Note: what the payment industry tolerates as fraud is likely different than what risk-averse security people find tolerable. It's not our call. 

The only reason to explore solutions to reduce fraud is if the current rate of fraud is higher than the accepted tolerance.

When someone claims the challenge is fraud, there are a few additional questions:

  • Is the challenge of fraud general (that it exists), specific, or the detection and response to fraud?
  • What level of fraud is acceptable to the industry?
  • What is the current level of fraud?
  • What investment is required to reduce the fraud to a lower level? Is that desired or possible?
  • Is the benefit of the lower level greater than the cost of getting there?

Another dimension to consider: payments are either "card present" or "card not present."

Branden Williams has a nice write-up about this here. He shares plenty of insights and context, but note these two excerpts: 

"...even a cursory internet search will show how Card-Present fraud declined dramatically in Europe while Card-Not-Present fraud increased after they migrated to [chip-and-PIN]. And the biggest part that Target is missing, [chip-and-PIN] can be configured in the same insecure ways as transitional magstripe transactions"

and

"As it stands today, [chip-and-PIN] is not implemented with a PIN component unless you are running a debit transaction. It’s "Chip & Sign""

When considering chip-and-PIN as a solution to reduce fraud, it boils down to understanding how much fraud this will reduce, if any, and at what cost. In other words, will the savings/benefit/value outweigh the costs?

Bottom line on fraud: current investment in fraud detection and response coupled with the gains in effectiveness suggest fraud isn't the chief concern. Moreover, chip-and-PIN only shifts the type of fraud without a necessary decrease in overall rate/costs.

If fraud isn't the problem, does chip-and-PIN still hold value?

Perhaps.

Exploring the costs and benefits of chip-and-PIN

Matthew Schwartz recently shared excellent detail about chip-and-PIN in the article: Target Breach: Why Smartcards Won’t Stop Hackers.

What I found odd, however, was the mixed assertion that the US is overdue to migrate to chip-and-PIN while admitting it was not a factor in the Target data breach.

With fraud off the table until better defined and understood, what problem, then, does chip-and-PIN solve?

Set aside the risk of defining the problem in terms of the solution to entertain a few more observations and questions.

After reading the article, I drew three conclusions about chip-and-PIN:

1. It would not successfully prevent or address the challenges in the Target data breach or similar breaches

2. It is expensive to deploy; the merchants bear those costs (which means they might get passed on to consumers)

3. When deployed, the merchant assumes all liability for fraudulently used cards

Taking into consideration the costs to retailers and consumers, that provokes more questions:

  • How does this benefit the retailers? They bear all the costs and the liability; what do they get in return?
  • How does this benefit consumers? As Branden Williams explained (both here, and here), common implementations are similar to what people experience today. Is there a benefit to chip-and-PIN? What if consumers bear the bulk of the increased costs? See the experience questions below.
  • What about card not present (CNP) transactions? Does chip-and-PIN provide any value here?

The value of chip-and-PIN remains unclear to me. Let's explore the experience.

How much does the chip-and-PIN experience cost?

Based on my recent discussions with banks and credit unions, the average loaded cost to replace a lost, stolen, or compromised card is between $2.50 and $5.00 -- a figure they consider a cost of doing business (discussed more here).

I expect the cost of chip-and-PIN cards compared to magstripe to be higher, which means we need to consider:

  • How much does a chip-and-PIN card cost to issue? The loaded cost needs to be compared to the current technology and the total number of current payment cards in use; this is a nontrivial number
  • How much does a chip-and-PIN card cost to replace? It seems likely it's greater than $5; is it? How much more?
  • What is the process and cost to have the card reset or replaced? Since chip-and-PIN (when used with the PIN) is generally disabled after three failed attempts, then what happens? People upset about the cost of convenience of a replaced credit card with a mag stripe might be in for a real unpleasant surprise here.

I'm left wondering where the consumer role/responsibility is in this system. The more we disconnect people from the consequences of their actions, the more problems we create. I’m not sure what the answer is here, but I look forward to the discussion.

Engage and contribute to the conversation

At this point, I neither like nor dislike chip-and-PIN. I'm open-minded and focused on understanding the problem before offering a solution.

Collectively, we need to first provide or create real visibility into the overall system to gain an understanding of the real problems to solve. That necessarily means documenting and translating complexity into understanding.

With a clear picture of the challenges, we can explore solutions, their implications, and the potential list of unintended consequences (which despite the misconception are often predictable, to some degree).

We owe it to ourselves, those we serve, and our industry to discuss this. By addressing the challenges in the context of acceptable risks, we can prioritize the focus and partner to advance solutions that make a measurable difference.

Anything less is unprofessional and risky.

Copyright © 2014 IDG Communications, Inc.
