Saturday, June 20, 2009

Credit Card Transaction Risks

Every time you make any purchase on a credit card or any payment card, there is the risk that someone is writing down your name and numbers so they can break into your account later. In the largest of the known recent data center break-ins, at TJX, Heartland Payment Systems, and RBS, criminals got away with data from 100–500 million credit card transactions.

If you are a United States credit card holder, the probability that an organized crime group has one of your card numbers right now, along with its verification code and expiration date, is more than 1 in 10 from these incidents alone. And the odds that your card data was acquired in another security leak that has gone undetected is even higher. We used to worry just about what could happen if someone got your credit card, but the risk that all the data on the card could be stolen by electronic means is far higher than the risk of the actual card being stolen or misplaced.

The risk of data being intercepted in any one transaction is small, but it’s a risk that goes up with every transaction you make on a card. And the risk is greater when you use your card out in the world than when you use it on a web site. The credit card network is not yet as secure as the Internet is. It is just another reason to use cash for routine small transactions when it’s convenient.

I have been paying cash all month, or trying to. Most of my transactions are for $30 or less, so they don’t have much impact on the way I manage my cash. It is not always easier to pay for all these transactions in cash, but perhaps it is a little bit safer.

I have worked for years in banking data, and from everything I have seen, I don’t think the current payment system, based on 16-digit numbers that are printed on cards and stay the same for years, will stand up much longer. The 16-digit number system wasn’t designed for the network era. Even after all the enhancements we can think of are completed, it may still be too vulnerable to attack. A single massive transaction attack by criminals could permanently shut down the whole credit card system in a matter of days with relatively little warning. And if using cash for the many routine small transactions will help the transaction processing system stand up a little bit longer, then perhaps it is something people should be encouraged to do.