When Ron Shevlin asked former Walmart CEO Lee Scott at a BAI Retail Delivery Conference if Scott thought the multi-retailer payments organization Merchant Customer Exchange (MCX) would succeed, Scott is reported to have replied, “I don’t know that it will, and I don’t care. As long as Visa suffers.”
Mr. Scott’s comment underscores the fact that there is no love lost between Walmart and Visa: the latest eruption happened in July 2016, when Walmart Canada phased out use of Visa cards, claiming interchange fees were too high. Couple this with years of antitrust lawsuits, data-breach lawsuits, FTC enforcement of data security standards, etc., and it is easy to see why the payments industry is in chaos today — especially related to fraud and data security.
The chaos related to fraud and data security is a direct result of a lack of technology innovation. Technology in the payments industry has not changed substantially for at least a couple of decades. Until there is innovation, the chaos will continue unabated.
There are two major technical challenges facing the U.S. in general and the payments industry in particular:
Sensitive data must be protected from loss and damage by hackers
Humans must be authenticated, not payment cards and not smartphones
What can retailers and other stakeholders do to meet these challenges?
The answer is really quite simple: Innovate revolutionary, next-generation technology that will eliminate card-present fraud, card-not-present fraud, and sensitive data loss as a result of hacking. New technology that will defeat the hackers and fraudsters is a lot closer to reality than you might think.
Protect Sensitive Data From Loss And Damage By Hackers
Next-generation technology that is guaranteed to protect against sensitive data loss as a result of hacking will satisfy at least the following technical requirements:
It is simple, at least simple enough that we know we can make it secure;
It is immune to external infection by malware;
It is not susceptible to theft of data by malicious insiders, assuming that human security monitors follow prescribed policies and procedures at all times;
Its executable resident code cannot be changed, except by a secure system update of the executable resident code in its entirety;
Its operating system is a simple microkernel that has been formally verified to be correct and secure (Windows, Linux, Android, and iOS are unacceptable); and
It has all the software it needs at the time it is delivered, i.e. it is a closed system (third-party applications cannot be installed).
A November 2016 report published by NIST (SP 800-160) and supported by Ron Ross (top computer-security person at NIST), Tony Scott (United States CIO), and Greg Touhill (United States CISO) is nothing less than a watershed event for U.S. cybersecurity. The report signifies the beginning of the end of 40+ years of futile attempts to prevent cyberattacks by patching insecure software with Band-Aids. It heralds the beginning of a new era of next-generation, trustworthy systems with security built in from the very start.
Integrating Biometric IDs
In a system that authenticates humans, you will be authenticated at the retail checkout stand (and at home for online transactions) by an iris scan and/or facial recognition and/or fingerprints and/or a PIN. You won’t need a plastic card and you won’t need a smartphone. The idea is to authenticate you, not a payment card and not a smartphone. Payment cards and smartphones can both be “spoofed” by fraudsters to look like they are your card or your phone. It is far more difficult to spoof your fingerprints, your iris, your face, and steal your PIN. This is called multi-factor, biometric authentication, and, if implemented properly, it is the only way to ultimately eliminate what is known today as card-present fraud and card-not-present fraud.
The Data Security Advisory Group (DSAG) was founded to create a community that will foster data-security and fraud-prevention innovation, not only for retailers, but for all companies and even governments that have suffered and continue to suffer from the fraud and hacking plague.
How is DSAG going to create and nurture this community?
DSAG needs members, especially influential companies that can provide powerful and unifying voices in the payments industry. To join DSAG, I urge you to visit the DSAG website at www.datasecurityadvisorygroup.org.
Recipe For Innovation
How is the DSAG community going to innovate its way out of this mess?
Some clues to the answer can be found in the seminal book The Innovator’s Way, by Peter Denning and Robert Dunham.
Denning and Dunham suggest that there are eight essential practices necessary for successful innovation. Only the first four are relevant for DSAG’s purposes today (the other four will be relevant later):
SENSING: Articulating a new possibility that would bring value to the community by addressing an issue or seizing an opportunity.
ENVISIONING: Building a compelling, engaging story of how the world would be better if the possibility were made real.
OFFERING: Presenting a proposed practice and its benefits to a community and its leaders so that they commit to consider it.
ADOPTING: Getting community members to commit to adopt the practice for the first time, reserving the option of dropping it if not satisfied after a trial period.
Let’s see how these four practices fit into DSAG’s mission.
SENSING: I and some of my colleagues have been doing a lot of sensing in the payments industry over the last couple of years. If you have made it this far reading this article, you have probably been doing some sensing of your own. If so, join DSAG and let’s start sharing the results of our sensing with the DSAG community.
ENVISIONING: I and some of my colleagues have gathered what arose during our sensing and submitted a technical proposal to IARPA (www.iarpa.gov). The title of this proposal is Elimination of Fraud and Data Loss from Hacking in Next-Generation Systems. The title is a good summary of our mission at DSAG. The new technology proposed to IARPA is not as difficult to implement as you might think. It is about one year and about $4 million away from a working, fully-functional, proof-of-concept system. The proposed technology addresses both the loss of sensitive data as a result of hacking and multi-factor, biometric authentication.
OFFERING: I and some of my colleagues have been “offering” for several months. We have put up the DSAG website, we have populated it with a few blogs, we have submitted a technical proposal to IARPA, we have done a couple of bulk email distributions to the old IRUG email list, we have enlisted the help of several payments industry and security industry leaders, etc. Unfortunately most listeners have not yet accepted our DSAG offers. We expected that, and we’re not offended. We will continue to broadcast our message until DSAG is successful.
ADOPTING: DSAG is currently at the first stage of adoption: the first adoption occurs when people in a community commit to considering the idea of a new practice. Joining DSAG is a member’s commitment to consider the idea of a new practice. When we have a critical mass of members in DSAG, we can move on to the second stage of adoption: when DSAG’s members commit to trying their hand at it for the first time.
Albert Einstein usually gets the credit for saying that insanity is doing the same thing over and over again and expecting a different result. Attempting to defeat the fraudsters and hackers on complex, insecure, current-generation technology is insanity. That’s just not going to work.
If the DSAG community works together, fraud and loss of sensitive data as a result of hacking can rather easily be eliminated in next-generation systems. I said it earlier, but it needs to be said again: a proof-of-concept system that will defeat the fraudsters and hackers is no more than about one year and about $4 million away.
Too often there is a spirit of selfishness in a society that prompts each individual to think his or her ideas should prevail. DSAG will gather a compendium of ideas and use these ideas to drive innovation for the good of the whole. Success is nearly always a question of getting others to subordinate their own individualities and follow a leader.
It’s time to start innovating and stop the insanity.
Jim Morris has a Ph.D. in Computer Science and a B.S. in Electrical Engineering, both from the University of Texas at Austin. He is a software developer, computer systems architect, businessman and serial entrepreneur with over 40 years of experience, most recently in solutions for secure data-storage systems that are immune to external infection by malware. He has started and sold a successful technology company and was an associate professor of computer science at Purdue. He has deep technical knowledge of cryptography, software development, operating systems, and hacking methodology. He could be a hacker himself, but he would rather make money honestly by beating the hackers.