By Kevin Woodward
@DTPaymentNews
The payments industry’s efforts to protect sensitive cardholder data and transactions are moves in the right direction. They’ll have to be, because solutions to the epidemic of data breaches and online fraud are going to have to come from the private sector and from consumers’ own precautions. That’s the assessment from Michael Hayden, former director of the Central Intelligence Agency and the National Security Agency, who will be the keynote speaker at the Electronic Transactions Association’s Strategic Leadership Forum taking place Oct. 19-21 in Palm Beach, Fla. Hayden is a principal at The Chertoff Group, a Washington-based consulting firm.
Hayden, who rose to general in the U.S. Air Force and served as the highest-ranking intelligence officer in the armed forces, confesses to knowing little about the inner workings of the payments industry, much less acquiring. What he does know is data protection and mitigating risk to that data.
“The payments industry is in the wheelhouse for a whole bunch of actors and a whole bunch of motives,” Hayden tells Digital Transactions News. These so-called bad actors are attracted to the payments industry not only because of the sensitivity of the data it possesses, but because its natural state is to be outward facing and interconnected so that consumers, merchants, and financial-services organizations can use it, he says. Unlike the case with a military network, granting controlled access following a thorough review of each person connected to the network is not feasible or desirable for the payments industry.
This inherent openness makes electronic payments susceptible to criminals, the disaffected, or nation states attempting to steal the data, corrupt or destroy the data, or harm the network, Hayden says.
The financial-services industry, from an overall perspective, knows the vulnerabilities it faces, he says. The challenge is altering the mitigation efforts in step with the changing tactics and strategies of attackers.
Until recently, attackers sought specific data, such as credit or debit card numbers. Now, they’ve shifted to stealing so-called big data, the bits of a consumer’s digital persona, such as date of birth, maiden name, health history, and similar records, Hayden says. “Where they would steal something that was immediately useful, like a credit card number, now they’re stealing raw material,” he says. “They’re stealing big data. They have to productize it themselves.” By “productize,” Hayden means that instead of immediately being able to use the stolen data, criminals have to devise ways to use it to get to more valuable resources.
Evidence of that shift is manifested in the rise of account-takeover fraud. In these schemes, criminals use stolen consumer data to gain control of the consumers’ accounts and impersonate them online.
“There’s an extra step in there, but if they’re willing to do it, now that makes all forms of big data fairly lucrative,” Hayden says.
As a consumer, Hayden does what he can to minimize his exposure. When shopping online, he uses a digital wallet, and he never uses public Wi-Fi networks. Bill payments are made online, but only from his personal computer, and his online banking is secured by a two-factor authentication measure.
Steps consumers take to protect their own data are of great importance, he says. “You’re probably going to have to do it yourself,” Hayden says. “The government isn’t going to save you. It’s just too hard for the government to do.” It’s the private sector, with services such as tokenization, that will help. “The good news is the American tech sector is getting really good at this,” Hayden says.