The GameStop data breach is a lesson in business transparency, and a reminder that payment technology at the point of sale and elsewhere is too outmoded to protect consumers.
News of the malware on GameStop point-of-sale (POS) systems is alarming since among the bankcard data hackers stole is consumers’ three-digit CVV number. The CVV is thought to be secure because consumers recognize that it isn’t saved, say, when shopping on desktop and mobile. Shoppers also don’t recall presenting a CVV to a cashier. At a POS terminal, though, a mere swipe of the card presents all the card data to the store and anyone else who’s watching.
The holidays especially are ripe for payment fraud. The high volume of transactions compounds the need for retailers to handle web servers meticulously. Different configurations, for example the use of SELinux to restrict which directories are accessed, are a good year-round practice. We no longer need to imagine what their absence feels like during consumers’ most active shopping months. The timeframe also coincides with a Verifone malware incident, meaning fraudsters know when and where to strike.
There’s a race to perpetrate and end fraud. Too often consumers and retailers are on the losing side, so it’s time for a shift in how identity and bankcard data are presented on all channels. Let’s end the tying of identity and payment authorization to stagnant alphanumeric strings and instead tie it to a person. For too long sensitive information has been traveling over the wire, when it should be closely held. Once presented, this data should be tokenized so its unauthorized capture yields nothing of value.
This race needn’t be a race to the usability bottom. Solutions like decentralized biometric tokenization phase out passwords and disprove a rule that says security and usability are inversely proportional. FIDO Alliance standards govern how voice, face, touch, eye, palm and other biometrics are used for authentication and payments. They also forbid the enterprise to store of biometrics. Think Apple Pay but free of the walled garden, with 2 billion devices already supported, lower risk for all parties, and growing choice of device, platform, and OS.
GameStop earns praise for its speed and candor when announcing the data breach. In the case of Yahoo!, that enterprise saw the price in its Verizon acquisition deal cut $350 million as well as an SEC probe and damage to its brand following a breach. Let’s also speed adoption of new payment technologies that protects consumers, with the added benefit of lowering risk and offering the best in customer experience.