Credit Cards

Take a look at this article, or even just its title: 40 million credit cards exposed. What is this — the fourth article in the last year about millions of credit card numbers compromised?

I just came across an article on News.com titled the red herring of data protection, and I read it eagerly, but I feel that author Eric Norlin misses the mark. He suggests that web sites should store only the data that we as users allow them to store.

Personally, I think that it’s time to change the model. I think retailers (and web sites) should stop storing any credit card numbers. Why? They can’t handle the security requirements. Let’s leave that responsibility entirely up to credit card companies.

A Google search brought me to an MSNBC.com article titled The credit card system’s weak link?, which quotes Gartner Inc. analyst Avivah Litan as saying about the view credit card companies have of payment processors, they “just sort of wait for them to have a breach.”

On the June 20, 2005 edition of NPR’s All Things Considered, I heard a story titled Mastercard: Customers’ Data Was at Risk that started me thinking about this post. In that story, NPR reported that CardSystems passed a recent audit by Mastercard and Visa. I could go on an entertaining diatribe about why this security breach is CardSystems’ fault or Mastercard’s and Visa’s fault, but that’s off my point.

My point is, if certain parties involved are unable or unwilling to properly secure consumers’ data, then they should no longer possess the data.

Look at this model: I type my credit card number into a form at Amazon.com. I tell Amazon.com that I want to purchase a new DVD. Amazon.com sends my credit card number, my name and address, and a dollar amount to Mastercard. Mastercard then tells Amazon.com, “okay.”

I’m not saying Amazon.com practices risky behavior with my data, but the trust given to Amazon is also given to thousands, if not millions of retailers around the world. So let’s take the security burden — and the credit card numbers — out of the retailers’ hands. In other words, instead of Amazon.com telling Mastercard what my credit card number is, how about Amazon gives me a special code, then I give that code to Mastercard, along with the name of the retailer (Amazon.com), and a dollar amount? Then Mastercard can give Amazon the okay.

In this system, retailers would own the oft-exchanged, cryptic numerical code, instead of consumers. (Perhaps the code would be unique to the transaction, but I feel like there would just be too many.) Amazon might be interested in securing that code, but it would be available to anyone who ever uses Amazon.com to buy something. The beauty of it is, this code is used to credit Amazon’s account with Mastercard, whereas credit card numbers are used to charge consumers. I could use the code for something other than its intended purpose, but I wouldn’t get any financial gain out of it.

Of course, the inverse of this transaction would be a merchandise return, where Amazon would be required to return money to Mastercard, who would therefore credit the consumer’s account. If a malicious hacker could exploit the return system, you might have a problem. But again, I feel retailers would mind their own account information at least as doggedly as they mind their customers’ data, and third party transaction processors would likely face graver consequences if they exposed secret codes of retailers such as Amazon, McDonald’s, and Sony than if they exposed millions of secret codes belonging to lowly consumers.

It’s a new world. Electronic commerce will no doubt become orders of magnitude more popular than it is today. Under the current system, I don’t see much reason why large scale security breaches would be eliminated. So let’s change the system, put more power in the hands of consumers, and place more onus on corporations and the firms to which they outsource the dirty work.

Credit Cards