Who is at Fault for Credit Card Insecurity?


Investigate the Payment Card Issuers

The Massachusetts Attorney General forced the owner of some local restaurants to pay $110,000 to settle charges that the company maintained inadequate security over credit card data.  Malware had infected the company’s computers.  The company (Briar Group LLC) had failed to change the default passwords on point of sale devices, and its wireless security was inadequate.

Even Sophisticated Systems are Breached

Data security is a difficult, sophisticated job.  Briar Group was not well-suited to the job.  A relatively small restaurateur like this company is an expert at serving food, not an expert at data security.

The reality is that most any commercial computer system can be breached.  Even sophisticated technology companies like Sony and RSA suffer data breaches.  RSA is one of the most trusted data security firms in the world!  If RSA can get hacked, it is no surprise that Briar Group was hacked.

Investigate Credit Card Issuers Themselves

I am sure that in punishing the Briar Group restaurants the Attorney General had the best intentions.  Yet why is it that the Attorney General focuses attention on a modest restaurant company?  If that company needs to be investigated and fined, why does the Attorney General not investigate companies that have real influence on credit card security – the issuers of credit cards themselves?  Credit cards are abused regularly on account of their weak security.  Why should the Attorney General not punish the issuers for using faulty, out-of-date technology?

Why, for example, should the Attorney General not force the issuers to require a text message confirmation for each credit card transaction?  (Example: I swipe my card at a point-of-sale device; I promptly get a text message on my phone asking for approval; the transaction does not complete until I text approval to the issuer.)

Alternatively, why should the Attorney General not require card issuers to embed dynamic authentication EMV chips in cards, as is done outside the US?

Continuing to Operate after Breach Discovered?

The Attorney General said that one of the justifications for punishing the Briar Group restaurants is that they continued to accept credit cards after they knew their computers were compromised.

But do not card issuers do the same thing?  They know that their system is compromised routinely, but they continue to use their old system.

Maybe the argument for issuers to continue to use the flawed credit card system is that even though it is imperfect, it has redeeming qualities.   It has many redundant controls, such as the rule that consumers are normally not liable for false transactions on their cards.  Further, if issuers immediately stopped using their flawed system, the economy would be harmed.  Jobs would be lost.

Could not similar arguments be made in favor of Briar Group?  The theft of card data from a restaurant does not automatically mean fraud will occur.  Redundant controls (such as transaction monitoring by card issuers) help to protect card holders.  Further, if Briar Group had immediately ceased processing cards after it learned it had been breached, it would have been forced to shut down and lay off employees.  For Briar Group to have shut down would have caused greater harm than the harm caused by some false credit card transactions (for which individual card holders will not be held liable).



Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update:  Why law enforcement should focus attention not on merchants, but on the insecurity that is inherent in credit cards as they are presently designed.