The recent breach proves again that no amount of security theater can secure a fundamentally flawed payment system. A lot can be done to improve payments, but I fear it is impossible to do it on top of the existing infrastructure.
For historical reasons the banking industry thinks in messages. When you perform a payment, the terminal sends a message across an age-old network encompassing many different servers, parties and businesses.
A payment likely hits one or more of the following parties:
Each one of these parties provides an opportunity for a breach.
What makes it even worse is that the entire security of a payment authorization rests on the merchant sending the card and consumer details along in the authorization message.
If a breach happens anywhere along that whole list of trusted parties, the only way of solving it is by suspending the card and physically sending a new one to the consumer.
Disintermediation has always been one of the ways that the internet has managed to disrupt entrenched businesses.
Stripe, PayPal and Braintree have all worked on various solutions dealing with the lack of security in credit card payments. But in reality they end up just adding more links in the payment intermediation chain.
I don’t see any real change happening from within the traditional banking world as every single part of the chain is married to their business model. Visa and Mastercard are in the position of being able to change this, but are instead buying payment gateways, which would seemingly entrench them even further in the old way of doing things.
In my book the ideal payment would look like this:
The consumer would authenticate directly with the issuing bank, which provides a unique token to the merchant allowing them to complete the payment.
A breach at the merchant would only ever be able to affect the current payment they have authorized. The issuing bank could easily suspend or hold payments for an affected merchant without affecting the consumer and other merchants.
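To make the contrast between the two designs concrete, here is an added example in Python; it is not code from the original post, and the card number, merchant names, password and amounts in it are constructed values. The `LegacyNetwork` class models the message-based flow described above, in which the merchant forwards the card details themselves and any breached hop can replay them elsewhere. The `IssuingBank` class models the proposed flow: the consumer authenticates with the issuer, which hands back a single-use token bound (with an HMAC, a hypothetical choice of mechanism) to one merchant and one amount, and which can put a breached merchant on hold without touching the consumer's card. The token expiry is an addition beyond what the post describes; the password hashing is a stand-in for whatever strong authentication a real issuer already uses.

```python
import hashlib
import hmac
import secrets
import time


class LegacyNetwork:
    """Message-based flow: every hop sees the same reusable secret (the card number)."""

    def __init__(self):
        self.captured = []  # what a breached intermediary would have logged

    def authorize(self, merchant_id, pan, expiry, cvv, amount_cents):
        msg = {"merchant": merchant_id, "pan": pan, "exp": expiry,
               "cvv": cvv, "amount": amount_cents}
        self.captured.append(msg)  # simulate a breach capturing the message in transit
        return True


def legacy_replay(net, captured_msg, other_merchant, amount_cents):
    """A captured message is good at any merchant, for any amount."""
    m = captured_msg
    return net.authorize(other_merchant, m["pan"], m["exp"], m["cvv"], amount_cents)


class IssuingBank:
    """Proposed flow: issuer-minted, single-use token bound to merchant and amount."""

    TOKEN_TTL = 300  # seconds; constructed value, not from the post

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # issuer-side HMAC key (hypothetical)
        self.accounts = {}   # consumer_id -> password hash (toy stand-in for real auth)
        self.issued = {}     # nonce -> (consumer, merchant, amount_cents, issued_at)
        self.spent = set()
        self.held_merchants = set()

    def enroll(self, consumer_id, password):
        self.accounts[consumer_id] = hashlib.sha256(password.encode()).hexdigest()

    def _authenticated(self, consumer_id, password):
        stored = self.accounts.get(consumer_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())

    def _tag(self, consumer_id, merchant_id, amount_cents, nonce):
        payload = f"{consumer_id}|{merchant_id}|{amount_cents}|{nonce}".encode()
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def issue_token(self, consumer_id, password, merchant_id, amount_cents):
        """Consumer authenticates directly with the issuer; returns None on failure."""
        if not self._authenticated(consumer_id, password):
            return None
        nonce = secrets.token_hex(16)
        self.issued[nonce] = (consumer_id, merchant_id, amount_cents, time.time())
        return f"{nonce}.{self._tag(consumer_id, merchant_id, amount_cents, nonce)}"

    def hold_merchant(self, merchant_id):
        """Suspend payments to a breached merchant; no card needs reissuing."""
        self.held_merchants.add(merchant_id)

    def redeem(self, merchant_id, token, amount_cents):
        """Merchant presents the token; the issuer checks every binding before paying."""
        nonce, _, tag = token.partition(".")
        rec = self.issued.get(nonce)
        if rec is None or nonce in self.spent:
            return "rejected: unknown or already spent"
        consumer_id, bound_merchant, bound_amount, issued_at = rec
        if not hmac.compare_digest(self._tag(consumer_id, bound_merchant, bound_amount, nonce), tag):
            return "rejected: bad tag"
        if merchant_id in self.held_merchants:
            return "rejected: merchant on hold"
        if merchant_id != bound_merchant or amount_cents != bound_amount:
            return "rejected: token bound to a different merchant or amount"
        if time.time() - issued_at > self.TOKEN_TTL:
            return "rejected: expired"
        self.spent.add(nonce)
        return "approved"


def run_demo():
    """Exercise both flows and return the outcomes keyed by scenario."""
    out = {}
    legacy = LegacyNetwork()
    legacy.authorize("shop-A", "4111111111111111", "12/29", "123", 4200)  # constructed test card
    out["legacy_replay"] = legacy_replay(legacy, legacy.captured[0], "shop-B", 99900)

    bank, pw = IssuingBank(), "correct horse battery staple"
    bank.enroll("alice", pw)
    out["wrong_password"] = bank.issue_token("alice", "guess", "shop-A", 4200)
    tok = bank.issue_token("alice", pw, "shop-A", 4200)
    out["first_use"] = bank.redeem("shop-A", tok, 4200)
    out["replay"] = bank.redeem("shop-A", tok, 4200)
    tok2 = bank.issue_token("alice", pw, "shop-A", 1000)
    out["other_merchant"] = bank.redeem("shop-B", tok2, 1000)
    out["other_amount"] = bank.redeem("shop-A", tok2, 9900)
    out["forged_tag"] = bank.redeem("shop-A", tok2.split(".")[0] + "." + "0" * 64, 1000)
    bank.hold_merchant("shop-A")  # breach at shop-A: only shop-A's payments are held
    out["held_merchant"] = bank.redeem("shop-A", tok2, 1000)
    tok3 = bank.issue_token("alice", pw, "shop-C", 500)
    out["unaffected_merchant"] = bank.redeem("shop-C", tok3, 500)
    return out


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(f"{scenario}: {result}")
```

The point the demo makes is structural rather than cryptographic: in the legacy model the secret the merchant holds is the same one every other merchant accepts, so one captured message is a reusable credential, whereas in the token model the thing the merchant holds is worthless anywhere else and worthless a second time, and the issuer can cut off one merchant without reissuing anything to the consumer. An unsalted SHA-256 is used only to keep the toy short; an issuer would authenticate the consumer with its existing strong-authentication mechanism, not a password hash.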
[...] in banking, finance and payments are quite remarkable in their absence. As mentioned in Breach shows credit card based payment systems fundamentally broken merchants are stuck with a broken system due to entrenched [...]
[...] J McCann of Futurewei Technologies essentially saying what I said in Breach shows Credit Card based payment systems fundamentally broken: The use of a simple string of digits that must be shared with any vendor with whom you transact [...]
[...] I applaud them for trying but unfortunately it is flawed on many different levels. They missed a great opportunity, but they don’t even seem to fix the fundamental security issues in the existing network. [...]