
This is page 2 of:

Could Global Payments Breach Finally Kill KBA Questions?

March 31st, 2012

Secondly, Garcia’s comment that “it is crucial to understand that this incident does not involve our merchants or their relationships with their customers” is either stunningly naïve (quite unlikely) or deliberately misleading. Is Garcia honestly suggesting that a 10 million card breach “does not involve” a department store’s “relationship” with its payment-card-using shoppers?

Consumers don’t know Global Payments. All they know is the card brand, their bank and the retailer. When a breach happens, they begin to suspect all of the above.

History has shown overwhelmingly that U.S. shoppers have never stopped—or even slowed—purchases because of a major breach. But that’s not to say that as consumers better understand these issues and, critically, continue their move to debit cards and away from credit cards (where they lose the zero-liability credit-card protections), those fears won’t start translating into action.

Such breaches could also impact young markets, such as mobile payments, where fear of the unknown coupled with major breaches could slow a market that is already stumbling.

If Global Payments meant to say that it will protect retailers from fraud losses, it should have said that. But to say that this breach “doesn’t involve merchants or their relationships with their customers” simply doesn’t pass the laugh test.

That all said, let’s get back to Litan’s KBA thoughts.

Litan pointed out the absurdity of such security defenses in 2012 and said, “we can expect the PCI assessors to say no to KBA on administrative accounts. They need to say no to many different types of authentication that are being successfully bypassed by determined crooks.”

Unfortunately, I doubt that we can expect this. Just because QSAs should be forbidding KBA tactics for anything sensitive doesn’t mean they will. By the way, if something is sensitive enough to need protection, it would seem sensitive enough to need good protection. Hence, should KBAs be used at all?

QSAs are not likely to start fighting against KBAs until the PCI Council comes out with some strong language discouraging—if not outright banning—their use for anything that even gets close to payment card data. The council doesn’t have the jurisdiction to say anything about security that is not related to payment cards, but I am hoping that QSAs would take the logical next step. If not, retailers will hopefully make that move directly.

One low-cost and low-disruption response is to make KBAs more difficult. Instead of asking for something easily discoverable—such as your last residential ZIP code—why not seek the name of your third-grade science teacher? Or what you had for breakfast three days ago?

Simple answer: The more difficult to remember the answer is, the more likely the consumer will just make something up, as in “Mrs. Smith” or “cereal.” And we’re back into the “easily guessable” trap.

Shoppers will opt for the easy way out, using the same password for many accounts, writing it down near their computer (or in a text file on their phone) or something that is easy to remember (12345, password or iloveyou anyone?). The only secure mechanism is for the system to issue strong passwords and to also use secondary authentication. (Let’s say it all together: Something you know, something you have, something you are.)



2 Comments

  1. trooper Says:

    Integrating strong, managed security processes has always demanded more security-focused employees. Companies look at anything security-related as non-value overhead. If they’re forced into a compliance mandate, such as PCI, it usually translates into a do-the-minimum approach, put on existing IT employees who are already over-utilized doing production support (primary) work. Companies don’t consider risk - the probability, frequency and impact. Once a breach happens the response is usually in the form of an internal witch hunt and massive over-spending on a poorly planned, rushed solution to ad-hoc the gap. Companies will eventually recognize the difference between IT support and IT security, the need for both and the need to integrate both for successful implementation, management and monitoring of threat targets. As it stands now, any penny split between hiring overhead security staff and stock dividend will always go to the shareholders. It’s akin to eating yourself for breakfast.

  2. Justin Robinson Says:

    I think the death of KBA questions has been dying for quite some time and unfortunately businesses and consumers are having to pay the price before companies take action. It’s amazing that social media and gaming companies around the globe have adopted technologies that allow their users to telesign into their account using the telephone while enterprises, financial institutions, etc. sit around and let things like this happen...
