2006: The Year of Card Security


As financial technology has advanced, so has the technology available to would-be financial criminals. Credit cards - and now by extension, debit cards - have long represented an obvious target for the criminal element. The Internet has served to make cards all the more attractive. Now 2006 appears to be the year that the industry takes a number of defensive countermeasures.

The Encryption Upgrade

For decades, automated teller machines (ATMs) have relied upon the Data Encryption Standard, or DES, to manage the transmission of user PINs. The idea is simple. When a member enters their PIN, a unique algorithm takes over and encrypts the PIN before sending it on its way. That was plenty of encryption for the "old days."

However, when you consider that today's personal computers have more raw power than the computers used to send the first men to the moon, it's easy to see that times have changed. Shortly before the turn of the century, a few experts got together and were able to decrypt a standard DES-encrypted string in a little under a day. With today's desktop equipment, that time has been cut to just a few hours. Clearly DES encryption no longer cuts it.

This deficiency in DES encryption gave birth to Triple DES, or 3DES, encryption. Jointly agreed upon by the International Organization for Standardization (ISO), the American National Standards Institute (ANSI), VISA, and MasterCard, 3DES works similarly to DES - except that rather than applying one encryption key, 3DES, as you may have guessed, applies three encryption keys.

3DES encryption is no longer an option; it's a mandate for any financial institution that hopes to continue doing business with VISA or MasterCard. MasterCard's latest deadline for 3DES compliance was April of 2005, and it's still officially sticking by that date in published documents. However, it's anticipated that MasterCard will continue to grant waivers through the end of 2006, as it has to this point.

VISA, on the other hand, has set its mandatory compliance date for July of 2007. Virtually all of the major ATM networks are in 3DES compliance, but any individual credit union that has yet to develop a deployment plan is starting late.

Better Online Security

While 3DES encryption may answer the call for better card security at the ATM, phishing attacks and other Internet scams have created a demand for enhanced online security, as well. Already many online vendors demand the entry of the security code printed on the backs of credit and debit cards. However, this only ensures that the purchaser has the card in hand; it does nothing to combat stolen cards.

MasterCard has introduced a security service called SecureCode that is gaining gradual acceptance by online merchants. Cardholders enroll in this service by registering a secret security code directly with MasterCard. When the cardholder makes an online purchase from a participating merchant, a popup requests the cardholder's code. However, instead of being transmitted to the merchant, the code is transmitted directly to MasterCard. This means the code is never compromised. Once MasterCard authenticates the code, it transmits a transaction approval to the merchant.
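The flow described above can be sketched as a small model. This is an added example, not MasterCard's protocol or code: the class names, the per-merchant HMAC key and the message layout are assumptions chosen to show one property, that the merchant only ever handles a signed approval and never the cardholder's code.

```python
import hashlib, hmac, json, os

class Issuer:
    """Hypothetical stand-in for the party that holds the enrolled code."""
    def __init__(self):
        self._enrolled = {}   # card number -> (salt, PBKDF2 hash of the code)
        self._merchants = {}  # merchant id -> key used to sign approvals

    def register_merchant(self, merchant_id):
        self._merchants[merchant_id] = os.urandom(32)
        return self._merchants[merchant_id]

    def enroll(self, card, code):
        salt = os.urandom(16)
        self._enrolled[card] = (salt, self._kdf(code, salt))

    @staticmethod
    def _kdf(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def authenticate(self, card, code, merchant_id, order):
        """Called from the cardholder's popup; returns a signed approval or None."""
        salt, stored = self._enrolled.get(card, (b"", b""))
        if not hmac.compare_digest(self._kdf(code, salt), stored):
            return None
        body = json.dumps({"merchant": merchant_id, **order}, sort_keys=True)
        tag = hmac.new(self._merchants[merchant_id], body.encode(), "sha256").hexdigest()
        return {"body": body, "tag": tag}

class Merchant:
    def __init__(self, merchant_id, key):
        self.id, self._key = merchant_id, key
        self.received = []    # everything the merchant ever sees

    def accept(self, approval, order):
        """Ship only if the approval is authentic and matches this exact order."""
        self.received.append(approval)
        if approval is None:
            return False
        expect = hmac.new(self._key, approval["body"].encode(), "sha256").hexdigest()
        want = json.dumps({"merchant": self.id, **order}, sort_keys=True)
        return hmac.compare_digest(expect, approval["tag"]) and approval["body"] == want

def demo():
    issuer = Issuer()
    shop = Merchant("shop-1", issuer.register_merchant("shop-1"))
    issuer.enroll("5500000000000004", "s3cret-code")   # constructed test values
    order = {"order_id": "A100", "amount": "19.99"}
    ok = issuer.authenticate("5500000000000004", "s3cret-code", shop.id, order)
    bad = issuer.authenticate("5500000000000004", "guess", shop.id, order)
    return shop, ok, bad, order
```

Binding the approval to the merchant, order id and amount means a valid approval cannot be reused for a different purchase.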

It's important to remember, though, that SecureCode is optional for both cardholders and merchants. But if it catches on, similar online security schemes could become commonplace.

In Conclusion

No one can deny that technology has been a boon to the financial industry - nor can anyone deny that it has equally been a boon to the criminal world. It's safe to assume that card security will play an increasingly prominent role in the overall technology strategy of the credit union industry for the foreseeable future.
