Card Stripes, Prison Stripes
and the Question of Security

By: Biff Matthews, President, Cardware International

As the card industry evolves to strengthen the security of cardholder data
through compliance with PCI standards and federal initiatives, the criminal
element is evolving, too – shifting into areas where information is easier to obtain,
in order to ply their trade.  Theirs, too, is a business. Illegal or not, it must be
seen as that – and businesspeople of all stripes (including those destined for
the prison variety) defend their livelihoods.

Today, many criminals are shifting their focus from cardholder data to checking
account data.  The Revolution Card, CAPITAL ONE’s decoupled ACH card, Debitman
and Tempo generate a card-initiated transaction that creates an ACH debit to the
business or personal checking account.  They’re similar to debit cards, but are
outside the MC or Visa environment – and do not incur those fees.  A $100
transaction in the credit card or debit card world is $.55 to .60;  in the
ACH world, it’s about $.20, thanks to direct linking.

Being external to the MC/ Visa environment makes ACH different from credit card
transactions, and while security laws will eventually catch up, they have not as yet. 
And therein lies the criminal opportunity.  

Tempo cards, of course, are not new.  Debitman has been with us for a decade; 
Revolution card, 12-18 months.  CAPITAL ONE’s decoupled ACH card is the newest
of the group.  Introduced in the spring of 2007, it severs the link between debit
cards and demand-deposit accounts. As with other emerging payment systems
riding the ACH rails, funds are drawn from the consumer’s DDA via ACH, with
CAPITAL ONE taking on the risks associated with fund availabilities for debit
purchases.  This MasterCard debit card is marketed to anyone with a checking
account at any bank, not just to CAPITAL ONE checking account holders,
and is expected to do well.

Readers of this publication and others realize there’s significant migration to
ACH  transactions and that more businesses, mostly for recurring payments,
are moving to ACH.

With merchants and others creating automatic debits to customers’ checking
accounts, data and software must be resident on someone’s system, like credit card
information was.  We as a company decided, when PCI standards first emerged,
not to hold credit card information resident on our systems.  I saw a need to apply
the PCI standards to our ACH program and that is what we are doing.  We have not
yet endured a white hat hacking attempt, but we are encrypting routing and checking
information within our system.  Equally important, we operate within a server
separate from our primary server, and separate from our internet server. 
In these ways, we are actively applying PCI standards to our ACH environment.

The greatest vulnerability in any system, credit card or ACH, is the link between
the secure encrypted server data and people in the organization who have need to
know/ right to know access.  And herein lies the problem.  Someone must open the
information valve for it to be used.  Someone must have access, and that creates
system vulnerability. That’s the area we’re addressing today – tightening the
security locks on our ACH system. 

As criminals move from stealing credit card data, checking accounts, and the
data attached to them, are logical targets.  There are fewer data elements involved
in ACH  than credit card transactions. A credit card transaction requires an account
number, expiration, amount, who the funds go to and an authorization signature.  
Expiration dates and who the money goes to is not part of the ACH system. 

Years ago, prior to changes in federal regulation, written authorization was required
for an ACH transaction.  When you took out an auto loan, there was a separate
document authorizing the bank to debit your account.  You could rescind in writing
within a reasonable time. Now, only verbal authorization is needed for ACH, and we
and others are relying on just this for lease contracts and other important commitments.  
We can demand signatures – and we do - but when someone calls for a swap-out
or a supply order, we offer a direct debit option and increasingly, customers take
advantage of this.

ACH volume is headed up and credit card volume straight down.  The trend is
undeniable, and is being pushed by powerful marketing budgets.   Banks are
clearly concerned that “decoupled” cards – gratis, revolution, tempo and capital
one do not process through the credit card system and therefore do not generate
interchange revenue.  Their concerns are justified: this is a real threat to the
standard credit card fee structure model. 

But there is an entirely different threat to interchange that will, in time, make all
of this moot.  The Interchange fees charged by banks have been ruled “exorbitant,
anti-consumer” -  and illegal in Australia, New Zealand, and the EU. For four years,
the National Retail Federation and The National Association of Convenience Stores
have worked to lower, if not eliminate, interchange fees. 

As a point of perspective, interchange fees for a C-store operator are often higher
than labor cost.  90% of C-store business is in the petroleum environment and
the number of employees is low, so these fees are the greatest expense.  The
interchange skim, as c-store operators regard it, is a major revenue source for
the issuing players.  The ACH  environment is a parallel threat to the interchange
revenue stream, and one that is guaranteed to gain ground.

Anyone selling decoupled cards needs to understand the importance of PCI security
standards and apply them, before it’s mandated, to the ACH environment.  There is
no defense equal to preemption.   If you are PCI compliant for credit card transactions,
it’s a short step to secure ACH transactions equally.  You’ve invested 90% of dollars
to accomplish this, so invest the additional 10%. 

Not only is this an easy step, but it’s a sales tool as well.  “Not only are we PCI
compliant, but we’re equally secure for ACH transactions.”  That speaks powerfully
about your priorities, and way of doing business.  Companies like ours will surely ask,
in increasing numbers, how you are dealing with data security.   Paypal, Google
Checkout and other online marketers will eventually embrace ACH in addition to
credit cards.  For now, early adaptors will have the advantage. 

If you are an ISO discussing PCI compliance with merchants, and you’re selling
ACH processing, you should be talking about security for credit card and ACH
transactions.  And if you are an auditor, you should be talking about PCI, too . . .
“while I am here, for additional $500. let’s look at your ACH.” 

Legislation is in the pipeline, so let’s all just get over it.  The choice is to spend
$10k for PCI compliance for credit cards and another $1K for ACH.  Or, wait,
and start over later, at which time the bill will be higher.

Biff Matthews is President of Thirteen Inc, the parent company of
CardWare International.  He is one of 12 founding members of the ETA,
serving on its board, advisory board and committees.  (740) 522-2150

> BACK TO MAIN LIBRARY