5th April
The recent breach proves again that no amount of security theater can secure a fundamentally flawed payment system. A lot can be done to improve payments, but I fear it is impossible to do it on top of the existing infrastructure.
For historical reasons, the banking industry thinks in messages. When you perform a payment, the terminal sends a message across an age-old network encompassing many different servers, parties and businesses.
A payment likely hits one or more of the following parties:
Merchant
Payment gateway reseller
Payment gateway
Acquiring Bank
Credit card association
Intermediary banks
Issuing bank
Each one of these parties provides an opportunity for a breach.
What makes it even worse is that the entire security of authorizing a payment rests on the merchant sending the card and the consumer's details along in the message.
If a breach happens anywhere along that whole list of …