March 14, 2006

When thousands of PINs and other account information of Citibank (New York) customers were pilfered from the database of an as yet unnamed merchant, the industry's perception of the invincibility of PIN technology was shattered. Some insiders are even encouraging people not to use PIN cards at the point of sale at all.

Yet experts say two important points to keep in mind when examining this situation are 1) the breach occurred at a third party, not the bank, and 2) this incident is not about PIN technology itself, but the way the data was stored.

"This issue isn't about the [strength] of PINs—it's about the merchants and how they store this data," says Bruce Cundiff, an analyst with Pleasanton, Calif.-based Javelin Strategy & Research.

Jon Gossels, founder of SystemExperts (Sudbury, Mass.), agrees. "PIN wasn't the problem [in the Citibank case]. Having a card and typing a PIN is perfectly adequate authentication," he says. "It was the data that was stolen internally."

According to George Tubin, a senior analyst with Needham, Mass.-based TowerGroup, this security incident is really an old story with a new twist. "We've seen this in the past. The difference with the Citi incident is [the hackers] obtained files with user names and passwords instead of obtaining them through phishing. It's an old crime with a new method."

Third parties, such as merchants, are usually discouraged from saving customers' card account information after transactions have been processed. Some, as recent cases have illustrated, choose not to discard this data for one reason or another. Therefore, it is vital that banks stay on top of their third-party partners, whether retailers or service bureaus, to make sure they are upholding their contractual obligations on data management.

"This was the merchant's fault," Tubin says of the Citibank case. "No one should keep a single file of names and passwords. Part of data security is not to keep pieces of information together that can be used to commit fraud. This is a basic tenet of information security, which the merchant didn't follow."

Gossels says this case highlights the need for organizations to carefully establish their relationships with third parties. "It became clear that third parties aren't doing a good job of applying the same standards of stewardship of consumer data as the banks," he remarks. "Financial institutions have to be very careful about the kind of information they share with them. They should just send the bare minimum of data to make an application work. Third parties are traditionally the weak link in the chain, whether they're merchants or data processors."
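The "bare minimum" principle above, and Tubin's point that account identifiers and PINs should never sit together in one stored file, can be enforced at the merchant's storage boundary. The following is an added example, not code from the article or from any of the companies it quotes; the field names, the retention list and the sample transaction are all constructed for illustration.

```python
# Added example (not from the article): a merchant-side filter that keeps only
# what settlement and dispute handling need from a processed card transaction.
# Field names, retention list and the sample transaction are assumptions.
from typing import Any, Dict

# Sensitive authentication data that must never be retained after authorisation:
# the PIN, the encrypted PIN block, the card verification value and track data.
SENSITIVE_AUTH_FIELDS = {"pin", "pin_block", "cvv", "track1", "track2"}

# The only fields the merchant keeps for settlement, refunds and disputes.
RETAINED_FIELDS = {"transaction_id", "amount", "currency", "timestamp",
                   "auth_code", "card_last4", "card_brand"}


def mask_pan(pan: str) -> str:
    """Return the card number with everything but the last four digits masked."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("PAN too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(txn: Dict[str, Any]) -> Dict[str, Any]:
    """Build the record a merchant may persist once the transaction is processed.

    Sensitive authentication data is dropped outright, the PAN is reduced to
    its last four digits, and any field not on the retention list is discarded,
    so a stored record never pairs a full account number with a PIN.
    """
    record: Dict[str, Any] = {}
    for key, value in txn.items():
        if key in SENSITIVE_AUTH_FIELDS:
            continue  # never persisted, regardless of what the terminal sent
        if key == "pan":
            record["card_last4"] = mask_pan(value)[-4:]
            continue
        if key in RETAINED_FIELDS:
            record[key] = value
    # Defensive check: refuse to emit a record if a sensitive field slipped through.
    assert not (record.keys() & SENSITIVE_AUTH_FIELDS)
    return record


# Constructed sample transaction, shaped like what a POS terminal might forward.
SAMPLE_TXN = {
    "transaction_id": "T-0001",
    "amount": "42.17",
    "currency": "USD",
    "timestamp": "2006-03-14T10:15:00Z",
    "pan": "4111111111111111",      # well-known test card number
    "pin": "1234",
    "pin_block": "0A1B2C3D4E5F6071",
    "cvv": "123",
    "track2": "4111111111111111=0912101...",
    "auth_code": "A1B2C3",
    "card_brand": "VISA",
    "cardholder_name": "J DOE",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_TXN))
```

The allow-list is the important design choice: new fields added upstream (a loyalty number, a cardholder name) are dropped by default rather than silently accumulating in the merchant's database, and the sensitive-data set is checked again before the record is returned.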

Also under the gun here are the card networks, says Cundiff. "It is important to look at the security of the networks, such as STAR and the PIN networks, in addition to Visa and MasterCard. They are hugely affected by this. The networks have to shore up their merchants and put them through more rigorous audit processes."

Yet placing greater liability upon the merchants is not necessarily the answer either, says Gossels, since the manner in which they handle security depends largely on their size. "Your local dry cleaner doesn't have a security officer on staff, so they rely on outside providers to do this. Major national brands, however, are more sophisticated about security. We expect better of them because they have the IT staff that should know better. In the case with Citi, [sources] are saying it was a major retailer."

Although Cundiff thinks the growing hysteria about not performing PIN transactions at the POS is a bit overblown, he also believes that chip cards could have prevented the ensuing chaos of the data breach. "This situation brings together a perfect storm of issues—mag stripe vs. chip, PIN vs. signature debit, and merchant storage of data," comments Cundiff. "I think this is potentially the beginning of building a business case for chip cards in the U.S."

He explains that replicating a physical smart card, while not entirely impossible, is certainly more difficult than manufacturing bogus mag stripe cards. The U.S. market never saw the use for chip cards since fraud rates on signature transactions have not been large enough to warrant the investment necessary to switch over to chip. "But this case shows the fraudsters have caught up. I'm wondering if this is the tipping point for adopting chip cards in the U.S.," he says.

SystemExperts' Gossels is not so sure about this. "It is important to focus on what the problem is that you're trying to solve," he explains. "Smart cards would not have solved this particular problem. Look at the way credit cards are used over the phone. You give your name and account number to the person on the other line. It doesn't matter if they have your card, as long as they have your data."

Further, he says smart card manufacturing equipment is becoming increasingly available and user friendly. "Smart card equipment is not much more expensive than magnetic stripe equipment."

Aside from policing their partners better, Gossels says another means for banks to prevent data breaches is by taking steps to improve the strength of PINs by setting standards on their length and quality.
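A PIN length and quality standard of the kind Gossels describes is straightforward to express as an issuer-side check applied when a cardholder selects or changes a PIN. The example below is added here and is not from the article or from SystemExperts; the minimum length, the denylist of commonly chosen PINs and the birth-year rule are assumptions chosen for illustration.

```python
# Added example (not from the article): an issuer-side PIN quality policy.
# Length limits, the denylist and the birth-year rule are assumptions.
from typing import List, Optional

MIN_PIN_LENGTH = 6
MAX_PIN_LENGTH = 12
# Small illustrative denylist; a real one would be far larger.
COMMON_PINS = {"123456", "111111", "000000", "123123", "654321", "112233"}


def is_sequential(pin: str) -> bool:
    """True if every digit is the previous digit plus one, or every digit minus one."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pin: str) -> bool:
    """True if the PIN is a single digit repeated or a short pattern repeated."""
    if len(set(pin)) == 1:
        return True
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def check_pin_policy(pin: str, birth_year: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems: List[str] = []
    if not pin.isdigit():
        return ["PIN must contain only digits"]
    if len(pin) < MIN_PIN_LENGTH:
        problems.append(f"PIN shorter than {MIN_PIN_LENGTH} digits")
    if len(pin) > MAX_PIN_LENGTH:
        problems.append(f"PIN longer than {MAX_PIN_LENGTH} digits")
    if pin in COMMON_PINS:
        problems.append("PIN is on the common-PIN denylist")
    if is_repeated(pin):
        problems.append("PIN is a repeated digit or pattern")
    if is_sequential(pin):
        problems.append("PIN is an ascending or descending sequence")
    if birth_year and birth_year in pin:
        problems.append("PIN contains the cardholder's birth year")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs exercising each rule.
    for candidate in ["928471", "1234", "787878", "123456", "12ab"]:
        print(candidate, check_pin_policy(candidate) or "OK")
```

Returning every violation rather than stopping at the first lets the issuer show the cardholder all the reasons a choice was rejected; the check is meant to run at PIN selection time, never against PINs the issuer has retained in the clear, which the rest of the article argues should not exist.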