The latest revelations about the National Security Agency confirmed what many in the payments industry had long suspected: the agency is watching electronic transactions along with communications.

The news will likely expose the NSA to greater political scrutiny and make security-skittish consumers even less likely to use payment cards.

Eighty-four percent of the agency’s data on financial transactions comes from credit card payments, the German publication Der Spiegel reported over the weekend, citing documents leaked by former NSA contractor and whistleblower Edward Snowden. Other NSA documents from 2010 show that the agency targets credit card payments, with NSA analysts internally discussing how they searched Visa’s transaction network for tapping opportunities, Der Spiegel reported. The publication added that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) was also “an NSA target,” as were payments by consumers in Europe, the Middle East and Africa. It is not clear how many of those consumers were local residents or U.S. citizens.

“I think we all have to assume that any electronic payment data is subject to search by US intel agencies,” said Avivah Litan, a vice president and security expert at Gartner.

“For years many foreign countries believed [card data] was and is being tapped by the NSA and the CIA,” said Litan in an email. “I recall the Russians not wanting the card brands in their country back around four or five years ago for this very reason."

The NSA, which is already under fire for a phone surveillance program, may face questions about how it collected the information, and under what authority.

It is unclear whether the NSA is authorized to collect the records, says Jonathan Lewis, director of product marketing for SSH, an online security company that counts seven of the top 10 Fortune 500 companies as clients.

Credit card processors may face pressure from consumer interests and politicians to reveal if they are cooperating with the NSA in the data collection or if the NSA is doing so without their knowledge and support, Lewis says. "Card issuers may be exposed to heightened risk from hacktivist groups and malicious insiders seeking to exact revenge for perceived cooperation with the NSA."

Other companies, such as Google and Facebook, faced scrutiny earlier this year after it was reported they were cooperating with the NSA, a charge Google and Facebook denied.

Der Spiegel's article follows reporting from The Guardian that contends the NSA and other agencies are using a mix of their own programming and pressure on technology companies to undermine the encryption protecting financial transactions, including by inserting “back doors” that let outside parties into financial networks.

“I suspect this will only confirm the worries of those who are already predisposed to be suspicious of electronic transactions,” says James Wester, a research director at IDC Financial Insights, who says the latest revelations about the NSA probably won’t have an impact on overall card usage beyond the privacy conscious consumers. “I don’t think it will affect card use any more than the NSA monitoring wireless traffic has reduced people using their cell phones,” he says.

Visa and SWIFT did not return requests for comment by deadline, though Visa told Der Spiegel it was unaware of any unauthorized access to its network and it does not disclose transaction information without a subpoena. 

The NSA did not provide an executive for a phone interview, but issued a statement saying “The U.S. Government acquires information about economic and financial matters to combat a range of threats to the national security of the United States and its allies including information about terrorist financing and terror networks. This information is collected through regulatory, law enforcement, diplomatic and intelligence channels, as well as through undertakings with cooperating foreign allies and partners.”

The spying on payment transactions was conducted by a unit of the NSA called “Follow the Money,” which obtained information that was dumped into an NSA database called Tracfin, according to Der Spiegel's article. In 2011 alone, this database contained 180 million records, the article says.

Earlier this year, The Wall Street Journal reported the NSA was using credit card data as part of its security program but gave few details. Payments data is considered valuable in criminal investigations because purchases can be a good indicator of a party’s intent.

Encrypted payment data can be read only by whoever holds the corresponding cryptographic key, and access to the systems that handle that data is gated by a second kind of key: the authentication keys (the SSH keys that administrators and automated jobs use to log in to servers). The NSA or any other outside party that obtained lost or stolen authentication keys could reach encryption-protected data by that route, according to SSH.

“If someone gets ahold of those keys, they would have a clear path [to a large internal network],” says Jason Thompson, director of global marketing for SSH.

The NSA and other external parties have ample opportunity to infiltrate companies, SSH says. Many companies, including large credit card issuers and payment companies, don’t manage their encryption keys properly, which makes the companies vulnerable to external access by governments or other entities that wish to access payment data, the firm says.

“We’re talking to a large bank, with $2.5 trillion in assets, 15,000 servers, and 1.5 million keys, that had no idea that 10 percent of those keys were high level [access], and nobody knew where those keys were,” Thompson says. “There was little inventory control and monitoring.”

At most companies, the current network security environments are run by administrators and groups that create keys on their own, Thompson says.

“There is no centralized control; people at the companies create as many keys as they want,” he says, adding that the new Payment Card Industry data security guidance will include a requirement that companies create an inventory of encryption keys. “Encryption keys at all systems at the company should be covered, including past transactions, credit card information and all personal information. You can lock down that environment.”
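As an added example (not the page's own code and not SSH's tooling), the following Python script builds the kind of inventory Thompson describes: it parses authorized_keys entries gathered from several accounts on several hosts, fingerprints each key, and flags entries that grant unrestricted interactive access to a privileged account, lack a source (`from=`) or forced-command restriction, use a deprecated key type, or reuse one key across accounts. The hostnames, account names, the privileged-account list and the keys themselves are constructed for illustration; the "constructed_blob" stand-ins are not real public keys.

```python
"""Inventory SSH authorized_keys entries across hosts and flag high-level access.
Added example; hostnames, accounts, policy list and keys are constructed."""
import base64
import hashlib
import re
import struct
from collections import Counter
from dataclasses import dataclass, field

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Assumption: which accounts count as "high level" is site policy.
PRIVILEGED_ACCOUNTS = {"root", "oracle", "pciapp"}
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES))
                     + r")\s+(\S+)(?:\s+(.*))?$")


@dataclass
class KeyRecord:
    host: str
    account: str
    key_type: str
    fingerprint: str
    comment: str
    options: dict
    findings: list = field(default_factory=list)


def split_options(opts: str) -> dict:
    """Split the leading option list on commas, honouring double-quoted values
    such as from="10.0.0.0/8,192.168.1.1" or command="rsync --server"."""
    out, cur, quoted = {}, [], False
    for ch in opts + ",":
        if ch == "," and not quoted:
            tok = "".join(cur).strip()
            cur = []
            if tok:
                name, _, val = tok.partition("=")
                out[name] = val.strip('"') if val else True
            continue
        if ch == '"':
            quoted = not quoted
        cur.append(ch)
    return out


def fingerprint(blob_b64: str):
    """Return (OpenSSH-style SHA256 fingerprint, key type embedded in the blob).
    The embedded type is the first length-prefixed string of the wire format."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + n].decode("ascii", "replace")
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode(), embedded


def parse_entry(host: str, account: str, line: str):
    """Parse one authorized_keys line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        raise ValueError(f"{account}@{host}: unparseable entry {line[:40]!r}")
    key_type, blob, comment = m.group(1), m.group(2), m.group(3) or ""
    options = split_options(line[:m.start(1)])
    fp, embedded = fingerprint(blob)
    rec = KeyRecord(host, account, key_type, fp, comment.strip(), options)
    if embedded != key_type:
        rec.findings.append(f"declared {key_type} but blob is {embedded}")
    return rec


def assess(records):
    """Attach policy findings, including the same key trusted in several places."""
    reuse = Counter(r.fingerprint for r in records)
    for r in records:
        if r.account in PRIVILEGED_ACCOUNTS:
            r.findings.append("privileged account")
        if "from" not in r.options:
            r.findings.append("no source restriction (from=)")
        if "command" not in r.options:
            r.findings.append("no forced command: interactive shell")
        if r.key_type == "ssh-dss":
            r.findings.append("ssh-dss (1024-bit DSA, off by default since OpenSSH 7.0)")
        if reuse[r.fingerprint] > 1:
            r.findings.append(f"same key trusted by {reuse[r.fingerprint]} accounts")
    return records


def is_high_level(r: KeyRecord) -> bool:
    """'High level' here means unrestricted interactive access to a privileged account."""
    return r.account in PRIVILEGED_ACCOUNTS and "command" not in r.options


def inventory(files: dict) -> list:
    """files maps (host, account) -> authorized_keys text, as collected by an agent."""
    records = []
    for (host, account), text in files.items():
        for line in text.splitlines():
            rec = parse_entry(host, account, line)
            if rec:
                records.append(rec)
    return assess(records)


def summarize(records) -> dict:
    return {"keys": len(records),
            "distinct": len({r.fingerprint for r in records}),
            "high_level": sum(is_high_level(r) for r in records),
            "reused": sum(any(f.startswith("same key") for f in r.findings) for r in records)}


def constructed_blob(key_type: str, seed: int) -> str:
    """Constructed stand-in, NOT a real public key: only the leading type string
    is valid wire format; the payload is a hash so entries differ."""
    t = key_type.encode()
    payload = hashlib.sha256(f"{key_type}/{seed}".encode()).digest()
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()


# Constructed sample: three accounts on two hosts, one key shared by two accounts.
SAMPLE_FILES = {
    ("pay-db01", "root"): ("# constructed sample\n"
                           f"ssh-rsa {constructed_blob('ssh-rsa', 1)} dba-backup@jump01\n"
                           'from="10.20.0.0/16",command="/usr/local/bin/backup --pull",no-pty '
                           f"ssh-ed25519 {constructed_blob('ssh-ed25519', 2)} backup-svc\n"),
    ("pay-db01", "deploy"): f"ssh-rsa {constructed_blob('ssh-rsa', 1)} dba-backup@jump01\n",
    ("pay-app07", "root"): f"ssh-dss {constructed_blob('ssh-dss', 3)} legacy-2009\n",
}

if __name__ == "__main__":
    recs = inventory(SAMPLE_FILES)
    for r in recs:
        flag = "HIGH" if is_high_level(r) else "    "
        print(f"{flag} {r.account}@{r.host} {r.key_type} {r.fingerprint} {r.comment}")
        for f in r.findings:
            print(f"       - {f}")
    print(summarize(recs))
```

On the sample, the shared `ssh-rsa` key turns up under both `root` and `deploy` on the same host and is reported as reused, the `ssh-dss` key on `root@pay-app07` is flagged as both deprecated and unrestricted, and only the forced-command backup key survives without an access finding. Fingerprinting on the decoded blob rather than on the base64 text is what makes the cross-account reuse check reliable, since the same key can be pasted with different comments or options.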

The PCI standards provide guidance that applies to cryptographic keys used to protect or generate other keys, to encrypt data, to provide data integrity or to authenticate, PCI spokeswoman Laura Johnson said in an email to PaymentsSource. The council’s standards require the use of “strong cryptography,” which the council defines by reference to national and international standards; according to The Guardian’s report, the NSA has been working to weaken some of those standards.

The council didn’t comment on the next version of the PCI standards, which are due to be released in November.
