Merchant911 - Fraud Prevention for Merchants

19 Mar

Debit Card Hacks - Will they affect E-Commerce?

I was contacted by a member of the press the other day and asked for my take on how the recent debit card fiasco would affect online merchants.

Short term…
The bad guys who have this debit card information are not going to attack online merchants for goods that they’ll have to convert to cash. They’ve been heading straight to the ATMs for the good green stuff.

In general, the direct impact on merchants in the CNP world will be minimal; certainly no more than a like number of credit cards but probably much less. I don’t think the CP merchants will feel it much either. Consumers, on the other hand, are going to take a huge hit. As you know, credit card holder’s liability is limited to $50 under FTC regulations but there is no such limit for debit cards. The card holder is responsible for keeping the PIN private and shame on him if it gets out and he doesn’t report the card stolen.

Yes, the banks will probably do what they can to keep their card-holding customers happy, especially if the cleaned-out account can be traced to a PIN compromised by whoever turns out to be responsible. Will that accountability always be traceable? I don’t know. But even if the banks ultimately cover those losses, the cardholder has to deal with his account being cleaned out, bouncing checks, and all that goes with it.

The long term effects…
My big concern for the merchant, online and off, is the consumer confidence fallout of this whole thing. We already have evidence that confidence in online transactions has been falling a bit. This first debit/PIN compromise by itself is survivable, but if it turns out that this wasn’t a one-time thing and we’ve suddenly discovered that PIN transactions are not as safe as we thought, then online merchants are in big trouble and brick and mortar could be in trouble too.

And I have to wonder how long the banks are going to be willing to appease their debit card holders. At what point will they start passing the losses to the cardholders like they pass them on to the on-line merchants now?

It could become a matter of survival.

3 Responses to “Debit Card Hacks - Will they affect E-Commerce?”

  1. Anonymous Says:

    As an online merchant who conducts 100% of his business CNP - “card not present”, what really blows my mind is why ANY merchant would keep PIN numbers and complete credit card numbers in their database after transactions have been finalized. There is no need to do this, and it just exposes the merchant to attack. In fact, it greatly increases the risk to their reputation should they be hacked, in addition to the potential legal liability. We keep no card data on our servers; I sleep well at night.

  2. Anonymous Says:

    Some of us do recurring billing or subscription type payments for customers. We have to store card information, but must do so RESPONSIBLY.

    Credit card numbers, (but not CVV), are stored encrypted and require a corresponding encryption key be present on the ‘local’ computer to view the number. In addition, access to this interface is limited to a static single IP address - mine. If anyone tries to access from any other IP or without the corresponding encryption key installed on their computer, they can not see anything.

    Heck, even the customer can not SEE the CC number we have on file for them.

    We do about $4,000 a month in recurring billings so not storing credit card numbers is not an option.

  3. Neon Says:

    And then people are surprised that credit card numbers are offered in India in bulk quantity.
    http://www.vondar.com


© 2008 Merchant911 - Fraud Prevention for Merchants
