January 11, 2006 5:40 PM PST

MasterCard kicks off data security push

MasterCard International launched an initiative on Wednesday to help credit card-accepting merchants tighten up their protection of sensitive consumer data.

The credit card association is working with merchants to provide them with information, tools and support to help safeguard consumer data, Chris Thom, MasterCard's chief risk officer, said in a statement. It is part of a broader effort by MasterCard to safeguard payment systems and to improve security in commerce.

"This is a critical part of our strategy for ensuring security in the payments system," Thom said.

The effort is designed to combat credit card fraud amid increasing concerns about identity theft.

It comes after a series of high-profile security breaches involving credit card data, including at retailers. Last year, information on more than 1.4 million credit card transactions and 96,000 check transactions was stolen from 108 DSW shoe stores. In another incident, a problem with point-of-sale software at Polo Ralph Lauren compromised the credit card data of as many as 180,000 people.

A main component of the new initiative focuses on online transactions. MasterCard is providing lower rates to sellers who adopt MasterCard SecureCode, a program that allows cardholders to enter a security code similar to a PIN when they make online purchases.

Online merchants that support SecureCode will be eligible for rates comparable to those for face-to-face transactions, up to a 16 percent reduction, MasterCard said. Typically credit card companies charge merchants more for online transactions.

To help merchants meet credit card industry rules for security, MasterCard will offer free vulnerability scans. Such a scan is one of the steps required for many businesses to achieve compliance with the Payment Card Industry (PCI) Data Security Standard, which went into effect last year.

MasterCard aims to educate vendors about the importance of security through advertising, Web content and online seminars. Rival credit card association Visa USA has itself introduced a similar effort. It even organized a nine-city tour on PCI rules for merchants.


This is useless. Their business model is wrong!
This extra PIN stuff is useless. It's not more than adding 4 additional digits to the 16 digit card number. The big difference to ID thieves would be that they would steal 20 digit fixed CC numbers instead of 16 digits (or actually 23 instead of 19 if you count the security code that is required nowadays to make online purchases.)

The business model is wrong. There should not be a need for the consumer to trust the merchant and all the merchant's employees in order to pay using a credit card. The information supplied by the consumer to make a payment should not be reusable for any other purpose other than completing that one deal. The way it is done now, one has to give a code (or several codes, like CC number+security code+PIN+billing address+name etc. that add up to one record), giving whoever receives it, i.e., any merchant you pay, the ability to use it for making additional charges to your card, or to sell the info to a third party that can then use it to make charges to your card. It's a business model that can work only in a world with almost no information flow, and this ended with the internet.

The only way to make secure payments is if the info passed between the two parties to a transaction can only be used for that one particular transaction. So instead of making the effort to "secure the info stored by merchants" (that they shouldn't have in the first place) that can be circumvented by any supermarket employee that can attach a hardware keylogger to a card reading device, the focus should be on replacing the old credit card system with a system where the consumer has a small device that accepts the merchant's code, amount to be paid, and produces a hash based on that and on the consumer's CC number and the time and date that is then kept by the merchant to complete the payment. That hash would need a much lower level of security and would be useless to whoever can steal it.
Posted by hadaso (468 comments )
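
The per-transaction code proposed in the comment above, sketched as an added example that is not part of the original article or its comments. It assumes HMAC-SHA256 keyed with a secret held in the consumer's device in place of a plain hash over the card number; the key, merchant IDs, timestamp and five-minute acceptance window are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions for this example, not from the article).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical per-card secret
MAX_SKEW_SECONDS = 300  # assumed acceptance window at the issuer

def _message(merchant_id, amount_cents, timestamp):
    # Length-prefix the merchant id so field boundaries cannot be shifted.
    m = merchant_id.encode("utf-8")
    return struct.pack(">H", len(m)) + m + struct.pack(">QQ", amount_cents, timestamp)

def authorize(card_key, merchant_id, amount_cents, timestamp):
    """Consumer device: code bound to one merchant, one amount, one time."""
    msg = _message(merchant_id, amount_cents, timestamp)
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Card issuer: recomputes the code and refuses stale or repeated ones."""

    def __init__(self, card_key):
        self._key = card_key
        self._seen = set()  # codes already honoured

    def verify(self, merchant_id, amount_cents, timestamp, code, now):
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False  # outside the acceptance window
        expected = authorize(self._key, merchant_id, amount_cents, timestamp)
        if not hmac.compare_digest(expected, code):
            return False  # merchant, amount or time was changed
        if code in self._seen:
            return False  # same code presented twice
        self._seen.add(code)
        return True

def demo():
    issuer = Issuer(CARD_KEY)
    t = 1136943600  # constructed Unix timestamp
    code = authorize(CARD_KEY, "MERCHANT-001", 4999, t)
    # The merchant stores only `code`; each misuse below is rejected.
    return {
        "altered_amount": issuer.verify("MERCHANT-001", 9999, t, code, now=t + 10),
        "other_merchant": issuer.verify("MERCHANT-002", 4999, t, code, now=t + 10),
        "expired": issuer.verify("MERCHANT-001", 4999, t, code, now=t + 3600),
        "original": issuer.verify("MERCHANT-001", 4999, t, code, now=t + 10),
        "replay": issuer.verify("MERCHANT-001", 4999, t, code, now=t + 20),
    }
```
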
Smart Cards
You make a great point, but how do we get the credit card companies to absorb the cost of deploying millions of "smart cards"? They barely acknowledge there is a problem in the first place.
Posted by ceebee513 (11 comments )