CEO Perspective: Protecting Consumer Data Requires Collaboration
Jason Oxman
June 1, 2015 – News reports of data breaches – criminals that hack insurance companies, retailers and even government agencies – are so frequent we are barely surprised when our personal information is stolen by criminals. These headline-grabbing events have now led some groups to ask Congress to mandate specific technologies to combat cybercrime. But in the case of our nation’s electronic payments systems, multi-faceted security upgrades to counter these new criminal threats are already underway, and a government-selected technology could hinder the fight.
For more than fifty years, financial institutions and payments companies have secured vital infrastructure against intrusion. The recent increase in sophisticated, global attacks on personal data has prompted a collaborative response from payments systems and retailers on three distinct fronts. First, EMV chip cards combat fraud by preventing criminals from producing counterfeit cards with stolen account numbers. The EMV (short for “Europay, MasterCard, Visa”) chip can’t be duplicated by criminals like a magnetic stripe card can, because it creates a unique code sequence for each individual transaction. The migration to EMV technology is happening right now in the U.S., and no government mandate made it happen.
Second, as we block cybercriminals from creating counterfeit plastic cards, we anticipate a shift in criminal activities to other target-rich environments, such as e-commerce. And so we are deploying tokenization technology to remove card numbers from data streams that could be intercepted. Tokenization transmits a one-time-use, randomly generated cryptogram in lieu of a traditional credit or debit card account number, so even if intercepted, the token cannot be used to initiate a subsequent fraudulent transaction.
Third, the payments industry is deploying new point-of-sale innovations to further secure systems against attack. End-to-end encryption secures systems that connect to the outside world against intrusion through malware and other attacks that scrape personal data and transmit it to waiting fraudsters. Such encryption tools are widely available from a variety of providers and are a crucial component of systems security architecture.
Although the private sector is best positioned to address the shifting tactics of cyber criminals, Congress does play an important role in protecting consumers in two areas ripe for reform: legislation regarding consumer notification of breach events, and information-sharing.
Currently, breached companies must comply with a patchwork of 47 separate state data breach notification laws, making uniform notifications virtually impossible. Recently, Chairman Randy Neugebauer (R-TX) and Congressman John Carney (D-DE) addressed this issue with the introduction of the bipartisan “Data Security Act of 2015,” H.R. 2205. The bill creates a federal standard for data breach notification that protects consumers by providing a reasonable and effective notification requirement. Instead of complying with bureaucratic mandates, the industry can devote its resources to innovative security solutions that protect against new threats.
Finally, the federal government needs to develop a more effective information-sharing framework to allow public-private flows of information about hacking attempts. The House recently passed two bills – H.R. 1731, the “National Cybersecurity Protection Advancement Act of 2015” and H.R. 1560, the “Protecting Cyber Networks Act” – both of which would promote sharing of cyber-threat information between the U.S. government and private industry in order to help all parties better understand their attackers and bolster defenses.
Innovative security systems are protecting our infrastructure against future attacks. The proper role of government is not to select a preferred technology, but rather to ensure the path is clear for the deployment and collaborative use of technological innovations that will most effectively protect consumers.
Jason Oxman is the CEO of ETA, the global trade association representing more than 500 payments and technology companies.