As any astute online business owner will tell you, control is a basic fundamental of management.
Nobody would think to operate a business without having control over it.
Yet, when you accept credit cards online via the current real time online credit card payment gateway system you hand over one of the most critical of decision making responsibilities to a third party system.
When accepting and processing credit card payments 'live' online your third party payment gateway will make the decision as to what orders and credit cards your business accepts and charges, without the business owner even knowing about it.
Automation is a wonderful thing but the fact is you are blind to the process and you have no control over it.
Instantly attempting to process any credit card entered into the system by any anonymous person on the open internet 24/7 is the real time 'live' payment gateway's function, this is how it has been designed and this is what you are paying big money for it to do for you.
But, what happens when it fails?
What happens if you end up with financial loss because they transacted a fraudulent payment?
You only have to look at the growing 'card-not-present' credit card fraud statistics to learn this is becoming an increasingly dangerous likelihood for all online business owners. In fact, near all of the online credit card fraud in the world today, which in turn accounts for the overwhelming majority of all credit card fraud, is perpetrated via this very system.
Somehow the online credit card payment processing system is happy with being in control of the decision to charge your customer's credit card or not, but if they get it wrong then have a guess what the end result is ...
It's your fault!
You are the one who has to pay for the financial loss and the dreaded 'charge back' fees that may result.
For those within the online payment gateway industry this is of course perfectly normal practice. In fact some may think it downright troublesome of me to be bringing this strange anomaly to light, after all, this is the way it's always been since e-commerce began and this is how it's done to this very day.
Well, irrespective of whether we all think that practice is grossly unfair or not, I'm here to tell you that's not the way it has to be any longer.
The e-Path manual credit card payment gateway puts an immediate end to the potentially devastating 'Russian roulette' nature of accepting credit cards online where you as the business owner have no control over what credit card payments your own business accepts.
With e-Path it is the business owner who is able to be in control over what online orders they accept and what credit card payments are charged into their own private merchant account facilities. In short, you win back control over your business.
So not only is e-Path a less expensive and more secure system but e-Path is also ideal for those who want to accept credit cards online but don't want online orders and payments to be automatically accepted and charged without them knowing.
Your merchant account and its input interface from your bank will of course still have all the fraud screening mechanisms and safeguards as required by card vendors, but with e-Path this is IN ADDITION to you being in full and total control over what does and does not get entered into your merchant account in the first place. So you enjoy the best of both worlds!
Seize back control of what orders and payments are accepted online and save a considerable amount of money along the way.
... just a thought
----------------------------------------
Peter Thwaites
E-PATH CREDIT CARD PAYMENT GATEWAY
Saturday, January 16, 2010
Wednesday, January 13, 2010
Is CDU Compliance the future of ecommerce?
At the end of today's rather lengthy rambling you will have a clear understanding of exactly how the vast majority of the world's credit card fraud can be terminated.
Not quite the same as disclosing the cure for cancer but considering highly sensitive credit card and identity data theft and credit card fraud are all considered the electronic cancers of our day and age, then perhaps pretty close.
It is called CDU (Critical Data Unplugged).
Have a read of that section and you'll end up with the knowledge that has either completely eluded the mega-billion dollar online payment processing industry or perhaps is being quietly ignored by choice.
But first let me make the important point that CDU (Critical Data Unplugged) is not an official data security standard. It is not enforceable by any established authority.
CDU (Critical Data Unplugged) is a genuine e-Path initiative to term the absolute fool-proof security practice of terminating the core root reason why the vast majority of critically sensitive and private information becomes available to be compromised in the first instance.
The force behind the new CDU initiative originated directly from Police and law enforcement authority advice to the general public and business communities on how to guarantee total and absolute protection for all forms of critically sensitive information in the internet connected world, not just credit card and identity data.
Police and law enforcement authorities don't mess around. Keeping people safe and secure is their purpose, they are not motivated or influenced by what makes money or what doesn't make money.
Cold hard facts spell out cause, effect and .... solution
There will perhaps always be card skimming type scams (or similar), or wallets and purses being stolen, but in reality the fraud derived from these methods accounts for less than 2% of credit card fraud today. Some statistics compilers suggest much less, some more. It is very difficult to get an accurate figure.
But by far the real issue is internet borne activity.
It is reported that near 90% (this figure could rise after the recent Heartland payment gateway processor breach is taken into account) of the world's stolen credit card and identity data can be traced back to that data being compromised (hacked, copied, stolen etc.) when permanently stored online, within payment gateway systems, on e-commerce websites, from networks, from storage devices or from internet connected systems.
Real time credit card payment gateway processors have the unenviable reputation of being 'where it's at' for hackers, cyber criminals and online criminal gang syndicates. And with the possibility of huge numbers of highly sensitive credit card details permanently stored within their systems, it's like a red flag to a bull, the perfect made to measure pot of gold target for online criminals.
Same is the case with any website, online storage device or anything similar that permanently stores sensitive credit card and identity data within its internet connected systems.
And to be frank I find it near impossible to solely and simply lay blame on the criminal element for the terrible credit card fraud crisis the world is in.
I believe equally responsible are the ones who insist that extremely sensitive credit card and identity data be permanently stored online and thus potentially at risk of being compromised or stolen in the first place ... especially now since new secure manual systems, like e-Path, mean that data no longer needs to be stored online at all!
Even the PCI DSS (Payment Card Industry Data Security Standards) explicitly state NOT to store credit card details when there is no need to. And for very good reason because here are just a few examples of what can happen ...
See: Possibly 100 Million Credit Cards Compromised
and: Visa Confirms Another Payment Processor Breach
and: 40 Million Credit Cards Hacked
Making e-commerce safe and secure should not require you to continually have to dig deeper and deeper into your own wallet or purse. It should not mean businesses that want to accept credit cards online are forced to the wall with having to pay ever increasing costs, fees and charges.
And dare I even further suggest that card vendor companies themselves, such as Visa International, Master Card, American Express and Diners Club could well do without the extra cost of creating and re-issuing a new credit card every time it's reported that credit card data has been stolen or compromised. At a reported $10.00 per instance this cost burden could possibly amount to a yearly figure well into the high multiple tens of millions of dollars.
But the common sense solution to the majority of the world's credit card fraud is, believe it or not, contained in one simple indisputable fact. When critically sensitive data doesn't exist it can't possibly be stolen. Data can not be stolen if it doesn't exist.
And without any credit card or identity data being stolen or compromised then credit card fraud can not possibly exist.
The understanding of those indisputable and fundamental facts and the bold preparedness to implement ground-breaking practices, policies and processes based on them has the potential to turn dreams of a world without credit card fraud into an absolute distinct possibility.
Automation - an enemy in disguise?
It seems that technology companies, real time automated payment processing gateways and others within the industry are continually urging us to "Automate your online card processing" or "grow your business - don't go backwards".
I can't blame them, there is big money to be made when people feel there is no choice other than to utilise expensive automated systems.
Automation saves time and effort, it is obviously an appealing message. But the unfortunate by-product of the online automated credit card processing system is largely the reason why the world faces a mega billion dollar credit card fraud bill every single year, and it's growing.
It is common knowledge in the criminal community all one needs to do with a stolen credit card is to find a website connected up to a real time payment gateway processor and presto they have direct and instant access into that website business owner's private merchant account.
The transaction will be attempted live on the net even without the business owner knowing. If it comes back "transaction approved" credit card fraud has been instantly perpetrated. The crime has already been committed. How easy was that?
Some say the total ease by which anybody anywhere can pay by credit card online instantly and automatically is a great thing for business. I would agree, automation is a key factor in improving efficiencies, but from a strict security standpoint I call it pure insanity.
The difficult and uncomfortable truth is almost all of the entire world's online credit card fraud is perpetrated via this exact means and is usually why businesses get that dreaded letter from their bank letting them know the transaction done six weeks ago was in fact a fraudulent one and all the money is to go back.
It appears there is a disturbing culture of 'acceptance' in that the risks being taken and the likelihood your business will one day fall victim to credit card fraud and even all the online fraud statistics are all part of the business of accepting credit cards on the internet.
This line of thinking is in itself very dangerous. It is perhaps the main reason why people appear reluctant to challenge the "must have" notion of automation.
-------------------------------------------------------
John: "I lost $300 last month in another two frauds"
Bill: "Yeh but your payment gateway system is automated, automation is a great way to grow your business"
John: "But I didn't even get the chance to check anything and it's costing me a bloody fortune in losses"
Bill: "Yeh but you don't want to go backwards do you"
-------------------------------------------------------
The point is this utterly appalling vulnerability which provides criminals with the perfect mechanism to perpetrate fraud online with ease in the first place can end right now if people are prepared to change their thinking, to look beyond automation.
With e-Path, or any other CDU Compliant manual payment gateway, you now DO NOT need to play Russian roulette with allowing anybody anywhere on the open internet to transact live and blindly directly into your merchant account without you knowing.
e-Path completely terminates this vulnerability. With e-Path the private merchant account of the business owner is removed from allowing direct access to any anonymous individual on the net. It is the bank approved merchant account owner themselves who become the ones in charge over what gets transacted into their own private merchant account.
It has long been recognised that when you give potential victims of credit card fraud themselves the chance to avoid falling victim to fraud in the first place, you have one of the most powerful of all fraud screening methods. Real true human scrutiny, real true human eye perusal of order and buyers details. It is not that difficult to identify a fake order when it arrives ... and then delete it.
With e-Path this level of total control over things is part of our package. No longer can blind and anonymous transactions be performed live on the open internet and straight into the merchant account of the business owner without them knowing.
I'll probably do a Blog entry about this specific topic in its own right. It deserves it.
But the reason I am mentioning this now is that almost all automated payment gateway processing systems will permanently store credit card and identity data within their systems and usually without the cardholder being aware of it.
Move from the expensive automated real time payment gateway system and to the new manual payment gateway method of accepting credit cards online, that is CDU Compliant, and you not only ensure credit card and identity data will not be permanently stored online but you also give yourself total and absolute control. No more blind and anonymous transactions from the open internet and into your merchant account without you knowing.
And if that wasn't enough to get you seriously thinking, it's a lot cheaper too!
Is CDU falling on deaf ears?
In order for CDU to turn the tide against credit card fraud it will need widespread industry acceptance. Credit card handling service providers, online payment gateways, confidential data handling organisations and e-commerce enterprises will need to significantly change their approach to security in order to comply with CDU.
e-Path can not change the world for the better on our own. And here rests the problem.
But let's be realistic, even with the end reward being the elimination of the majority of credit card and identity data theft and the end to the majority of credit card fraud, organisations and businesses are not going to dump the joys of automation in favour of reverting to manual processes.
Doing things manually is not a practical or even possible option for many organisations and businesses in this day and age. Or is it?
Step back a bit, think beyond the square
I personally believe there will come a time when people will look back with disbelief that there was ever a system that allowed anyone anywhere connected to the open internet to instantly and anonymously transact any credit card they like directly into the private merchant account of a business owner without them knowing.
I believe there will come a time when people will look back with disbelief that people's highly confidential credit card details and identity details actually had to be permanently stored somewhere online by the payment processor for them to be able to pay by credit card on the net.
If you were devising a safe and secure way for people to pay by credit card online today and suggested a system that performed the above two functions, you'd be escorted to the nearest park bench ..... and left there.
Nobody in the right mind would devise a system that in effect provided the criminal community with perfectly tailored mechanisms allowing them to perpetrate online credit card fraud live on the net with total and absolute ease and anonymity.
Nobody in the right mind would devise a system that provided the criminal community with a pot-of-gold horde of millions of permanently stored credit card and identity data details all sitting in the one place.
But they have and that's the system of today, that's the system that's been in place for over twenty years and no surprise to me that that's the very system that is directly and fundamentally responsible for almost the entirety of online credit card fraud in the world today. And by the way, there remains one bank in Australia that still insists if you want to accept credit cards online, that's the system you are only allowed to use!!
Maybe 'cyber criminals' and 'hackers' are not really criminals at all, perhaps a better term would be opportunists. The opportunity has been manufactured for them and is sitting there, I can't really blame them for taking it.
Can CDU really make a difference?
Yes, but the question perhaps should be will it be allowed to make a difference.
In just the online credit card payment processing industry alone, if CDU compliance (or similar) became a required security standard this would perhaps force a complete redesign of the online automated processing system. It would also render the current system that stored card data and identity data within its systems as defunct. I can't see the online payment processing industry allowing this to happen.
When you have the real time automated credit card payment processing industry as the most well represented participating organisation group within the industry's security governing body (Payment Card Industry Security Standards Council) itself, the obvious concern would be that any talk of introducing CDU compliance or anything similar would be dismissed at lightning speed.
Therefore it follows that there is the very real risk the major thrust of PCI and any future security standard will remain focused on continually battling the symptoms of a vulnerable system rather than focus its efforts towards terminating the true cause of the actual vulnerability itself, i.e., stay trying to protect permanently stored critically sensitive data instead of simply disallowing it in the first place.
Currently not one single participating organisation of PCI operates to CDU standards.
Not one single participating organisation of PCI is a manual credit card payment gateway like e-Path is.
It's like back in the 1970's trying to push the virtues of an electric car when the authority body is made up of oil company representatives!
Therefore, critically sensitive credit card and identity data as well as highly confidential business transaction records and data will continue to be permanently stored by online real time payment gateway processors whether cardholders and businesses like it or not.
PCI DSS helps but CDU gets the job done
While it is true the introduction of PCI DSS (Payment Card Industry Data Security Standards) has resulted in card handling and storing practices becoming much more secure, the fact is PCI compliance alone can not, and does not claim to, guarantee 100% credit card and identity data protection.
Here are some more facts - the largest security breach in the history of e-commerce which saw tens of millions of credit card details being stolen was from a PCI Compliant real time payment processor that was externally audited by a PCI Qualified Security Assessor (QSA) ...
See: Massive data breach on PCI compliant gateway
.. and that's by no means the only PCI compliant credit card payment processor to have been breached by hackers using cutting edge technologies which resulted in massive quantities of credit card and identity data being compromised. A quick search on Google, Bing or Yahoo will reveal many more.
PCI Compliance is a huge positive, no doubt about that, but PCI can not possibly protect against all hacking and penetration technologies, especially not future hacking technologies that are yet unknown ....
... but CDU does.
Enough is enough
There's a growing groundswell of frustration towards an industry that appears to be doing little more than inventing more complex ways to take more of your money while making it more difficult and more costly for online businesses to accept credit cards online. All for the sake of "improving security" of course.
It certainly seems to me that when any type of media coverage is afforded to the issue of credit card and identity data security the security experts, highly respected and exceptionally qualified they may be, all arrive on the scene to bombard us with endless assurances enveloped in complex and impossible to understand terminology. It does the job, we are all left feeling as though security is on the right track.
But did you ever stop to ask yourself why it is that every single year for the last twenty or so years there's been no appreciable reduction in instances of credit card fraud, no appreciable reduction to the quantities of credit card and identity details being stolen? Alarmingly, it's all still on the rise.
The only authority that doesn't mince words is Police and law enforcement authorities. They have an uncanny habit of telling it like it is and getting to the point rather bluntly. And when they say the best way to truly protect sensitive and confidential data in the age of the internet is to "unplug" that data from the internet, then people like me stand up and take notice. I hope I'm not the only one!!!
See: Fear in the Fast Lane (Four Corners production, Andrew Fowler, ABC TV)
If the industry became so inclined they could make CDU an enforceable security practice which would instantly terminate the core root cause of around 90% of all credit card and identity data theft in the world today, which would also see credit card fraud dry up to a trickle.
Think about that point for a moment. I've just spelt out how the actual industry itself could end, once and for all, the majority of credit card and identity data theft and credit card fraud in the world today. Period.
CDU - everyone can practice it
You do not need to wait for CDU to become official. Applying CDU practices that ensure critically sensitive information becomes safe and secure can be done right now.
Using a CDU Compliant payment gateway to accept credit cards online where highly confidential credit card and identity details are not permanently stored online is available right now.
Using a CDU Compliant payment gateway that puts a complete stop to allowing any anonymous individual on the net to directly and instantly transact online live and into your private merchant account without you knowing is available right now.
CDU is quickly shaping up to be the very ideal under which ordinary people and security conscious online business owners can enjoy a level of security that far exceeds what the payment card industry is prepared to provide or support.
CDU security practices are being adopted, by choice, by people and businesses courageous enough to move away from permanently storing sensitive data on internet connected systems, storage devices and networks in order to afford themselves and their customers with, arguably, by far the most effective data protection practice ever proposed.
e-Path is one such company.
To learn how e-Path came about, see: About e-Path Pty Ltd.
Conclusion
I would like to remind people that e-Path is a manual credit card payment gateway. The process of charging credit cards is a manual one performed by the bank approved merchant account owner only - and not by any person connected to the open internet without the business owner knowing as is the case with the real time 'live' payment gateway processing system. Therefore, e-Path will only suit those businesses receiving small numbers of credit card payments per day.
The handling of large volumes of online credit card payments daily still remains the exclusive domain of the more expensive automated 'live' online processing system for obvious reasons.
So while this message is about there now being a far safer and secure option that I truly believe can make more of an impact in the fight against credit card fraud than any service or product in the world to date, automation may already be too well entrenched within business models and thus it would be near impossible for large scale businesses and organisations to look beyond.
Perhaps then it will be small business, where CDU Compliant manual processes give the distinct advantage, that will be the sector to help lift us all out of the credit card fraud crisis we are in.
By venturing well in advance of established automated architecture and mechanics and by operating to CDU security ideals, e-Path is able to deliver a brand new method to accept credit cards online that is now closer than ever before to achieving the 'Holy grail' in online card data security ...
You can't thieve something that doesn't exist - the absolute perfect impossibility.
With CDU practices and principles now existing and indeed available to be adopted by any person or business, including the payment processing industry itself (should they so choose), the overwhelming majority of credit card and identity data theft and indeed the resulting credit card fraud that can occur because of this is now NOT something that has to be part of our online world.
From now it could be well argued that it largely exists by choice.
And e-Path is one company that's boldly made the choice for it not to exist any longer.
... just a thought
----------------------------------------
Peter Thwaites
E-PATH CREDIT CARD PAYMENT GATEWAY
Not quite the same as disclosing the cure for cancer but considering highly sensitive credit card and identity data theft and credit card fraud are all considered the electronic cancers of our day and age, then perhaps pretty close.
It is called CDU (Critical Data Unlpugged).
Have a read of that section and you'll end up with the knowledge that has either completely eluded the mega-billion dollar online payment processing industry or perhaps is being quietly ignored by choice.
But first let me make the important point that CDU (Critical Data Unplugged) is not an official data security standard. It is not enforceable by any established authority.
CDU (Critical Data Unplugged) is a genuine e-Path initiative to term the absolute fool-proof security practice of terminating the core root reason why the vast majority of critically sensitive and private information becomes available to be compromised in the first instance.
The force behind the new CDU initiative originated directly from Police and law enforcement authority advice to the general public and business communities on how to guarantee total and absolute protection for all forms of critically sensitive information in the internet connected world, not just credit card and identity data.
Police and law enforcement authorities don't mess around. Keeping people safe and secure is their purpose, they are not motivated or influenced by what makes money or what doesn't make money.
Cold hard facts spell out cause, effect and .... solution
There will perhaps always be card skimming type scams (or similar), or wallets and purses being stolen, but in reality the fraud derived from these methods accounts for less than 2% of credit card fraud today. Some statistics compilers suggest much less, some more. It is very difficult to get an accurate figure.
But by far the real issue is internet borne activity.
It is reported that near 90% (this figure could rise after the recent Heartland payment gateway processor breach is taken into account) of the world's stolen credit card and identity data can be traced back to that data being compromised (hacked, copied, stolen etc.) when permanently stored online, within payment gateway systems, on e-commerce websites, from networks, from storage devices or from internet connected systems.
Real time credit card payment gateway processors have the unenviable reputation of being 'where its at' for hackers, cyber criminals and online criminal gang syndicates. And with the possibility of huge numbers of highly sensitive credit card details permanently stored within their systems, its like a red flag to a bull, the perfect made to measure pot of gold target for online criminals.
Same is the case with any website, online storage device or anything similar that permanently stores sensitive credit card and identity data within its internet connected systems.
And to be frank I find it near impossible to solely and simply lay blame on the criminal element for the terrible credit card fraud crisis the world is in.
I believe equally responsible are the ones who insist that extremely sensitive credit card and identity data be permanently stored online and thus potentially at risk of being compromised or stolen in the first place ... especially now since new secure manual systems, like e-Path, mean that data no longer needs to be stored online at all!
Even the PCI DSS (Payment Card Industry Data Security Standards) explicitly state NOT to store credit card details when there is no need to. And for very good reason because here are just a few examples of what can happen ...
See: Possibly 100 Million Credit Cards Compromised
and: Visa Confirms Another Payment Processor Breach
and: 40 Million Credit Cards Hacked
Making e-commerce safe and secure should not require you to continually have to dig deeper and deeper into your own wallet or purse. It should not mean businesses that want to accept credit cards online are forced to the wall with having to pay ever increasing costs, fees and charges.
And dare I even further suggest that card vendor companies themselves, such as Visa International, Master Card, American Express and Diners Club could well do without the extra cost of creating and re-issuing a new credit card every time its reported that credit card data has been stolen or compromised. At a reported $10.00 per instance this cost burden could possibly amount to a yearly figure well into the high multiple tens of millions of dollars.
But the common sense solution to the majority of the world's credit card fraud is, believe it or not, contained in one simple indesputable fact. When critically sensitive data doesn't exist it can't possibly be stolen. Data can not be stolen if it doesn't exist.
And without any credit card or identity data being stolen or compromised then credit card fraud can not possibly exist.
The understanding of those indisputable and fundamental facts and the bold preparedness to implement ground-breaking practices, policies and processes based on them has the potential to turn dreams of a world without credit card fraud into an absolute distinct possibility.
Automation - an enemy in disguise?
It seems that technology companies, real time automated payment processing gateways and others within the industry are continually urging us to "Automate your online card processing" or "grow your business - don't go backwards".
I can't blame them, there is big money to made when people feel there is no choice other than to utilise expensive automated systems.
Automation saves time and effort, it is obviously an appealing message. But the unfortunate by-product of the online automated credit card processing system is largely the reason why the world faces a mega billion dollar credit card fraud bill every single year, and its growing.
It is common knowledge in the criminal community all one needs to do with a stolen credit card is to find a website connected up to a real time payment gateway processor and presto they have direct and instant access into that website business owner's private merchant account.
The transaction will be attempted live on the net even without the business owner knowing. If it comes back "transaction approved" credit card fraud has been instantly perpetrated. The crime has already been committed. How easy was that?
Some say the total ease by which anybody anywhere can pay by credit card online instantly and automatically is a great thing for business. I would agree, automation is a key factor in improving efficiencies, but from a strict security standpoint I call it pure insanity.
The difficult and uncomfortable truth is almost all of the entire world's online credit card fraud is perpetrated via this exact means and is usually why businesses get that dreaded letter from their bank letting them know the transaction done six weeks ago was in fact a fraudulent one and all the money is to go back.
It appears there is a disturbing culture of 'acceptance' in that the risks being taken and the likelihood your business will one day fall victim to credit card fraud and even all the online fraud statistics are all part of the business of accepting credit cards on the internet.
This line of thinking is in itself very dangerous. It is perhaps the main reason why people appear reluctant to challenge the "must have" notion of automation.
-------------------------------------------------------
John: "I lost $300 last month in another two frauds"
Bill: "Yeh but your payment gateway system is automated, automation is a great way to grow your business"
John: "But I didn't even get the chance to check anything and it's costing me a bloody fortune in losses"
Bill: "Yeh but you don't want to go backwards do you"
-------------------------------------------------------
The point is this utterly appalling vulnerability which provides criminals with the perfect mechanism to perpetrate fraud online with ease in the first place can end right now if people are prepared to change their thinking, to look beyond automation.
With e-Path, or any other CDU Compliant manual payment gateway, you now DO NOT need to play Russian roulette with allowing anybody anywhere on the open internet to transact live and blindly directly into your merchant account without you knowing.
e-Path completely terminates this vulnerability. With e-Path the private merchant account of the business owner is removed from allowing direct access to any anonymous individual on the net. It is the bank approved merchant account owner themselves who become the ones in charge over what gets transacted into their own private merchant account.
It has long been recognised that when you give potential victims of credit card fraud themselves the chance to avoid falling victim to fraud in the first place, you have one of the most powerful of all fraud screening methods. Real true human scrutiny, real true human eye perusal of order and buyers details. It is not that difficult to identify a fake order when it arrives ... and then delete it.
With e-Path this level of total control over things is part of our package. No longer can blind and anonymous transactions be performed live on the open internet and straight into the merchant account of the business owner without them knowing.
I'll probably do a Blog entry about this specific topic in its own right. It deserves it.
But the reason I am mentioning this now is that almost all automated payment gateway processing systems will permanently store credit card and identity data within their systems and usually without the cardholder being aware of it.
Move from the expensive automated real time payment gateway system and to the new manual payment gateway method of accepting credit cards online, that is CDU Compliant, and you not only ensure credit card and identity data will not be permanently stored online but you also give yourself total and absolute control. No more blind and anonymous transactions from the open internet and into your merchant account without you knowing.
And if that wasn't enough to get you seriously thinking, it's a lot cheaper too!
Is CDU falling on deaf ears?
In order for CDU to turn the tide against credit card fraud it will need widespread industry acceptance. Credit card handling service providers, online payment gateways, confidential data handling organisations and e-commerce enterprises will need to significantly change their approach to security in order to comply with CDU.
e-Path can not change the world for the better on our own. And here rests the problem.
But let's be realistic, even with the end reward being the elimination of the majority of credit card and identity data theft and the end to the majority of credit card fraud, organisations and businesses are not going to dump the joys of automation in favour of reverting to manual processes.
Doing things manually is not a practical or even possible option for many organisations and businesses in this day and age. Or is it?
Step back a bit, think beyond the square
I personally believe there will come a time when people will look back with disbelief that there was ever a system that allowed anyone anywhere connected to the open internet to instantly and anonymously transact any credit card they like directly into the private merchant account of a business owner without them knowing.
I believe there will come a time when people will look back with disbelief that people's highly confidential credit card details and identity details actually had to be permanently stored somewhere online by the payment processor for them to be able to pay by credit card on the net.
If you were devising a safe and secure way for people to pay by credit card online today and suggested a system that performed the above two functions, you'd be escorted to the nearest park bench ..... and left there.
Nobody in their right mind would devise a system that in effect provided the criminal community with perfectly tailored mechanisms allowing them to perpetrate online credit card fraud live on the net with total and absolute ease and anonymity.
Nobody in their right mind would devise a system that provided the criminal community with a pot-of-gold horde of millions of permanently stored credit card and identity data details all sitting in the one place.
But they have and that's the system of today, that's the system that's been in place for over twenty years and no surprise to me that that's the very system that is directly and fundamentally responsible for almost the entirety of online credit card fraud in the world today. And by the way, there remains one bank in Australia that still insists if you want to accept credit cards online, that's the system you are only allowed to use!!
Maybe 'cyber criminals' and 'hackers' are not really criminals at all, perhaps a better term would be opportunists. The opportunity has been manufactured for them and is sitting there, I can't really blame them for taking it.
Can CDU really make a difference?
Yes, but the question perhaps should be will it be allowed to make a difference.
In just the online credit card payment processing industry alone, if CDU compliance (or similar) became a required security standard this would perhaps force a complete redesign of the online automated processing system. It would also render the current system that stored card data and identity data within its systems as defunct. I can't see the online payment processing industry allowing this to happen.
When you have the real time automated credit card payment processing industry as the most well represented participating organisation group within the industry's security governing body (Payment Card Industry Security Standards Council) itself, the obvious concern would be that any talk of introducing CDU compliance or anything similar would be dismissed at lightning speed.
Therefore it follows that there is the very real risk the major thrust of PCI and any future security standard will remain focused on continually battling the symptoms of a vulnerable system rather than focus its efforts towards terminating the true cause of the actual vulnerability itself, i.e., stay trying to protect permanently stored critically sensitive data instead of simply disallowing it in the first place.
Currently not one single participating organisation of PCI operates to CDU standards.
Not one single participating organisation of PCI is a manual credit card payment gateway like e-Path is.
It's like back in the 1970s trying to push the virtues of an electric car when the authority body is made up of oil company representatives!
Therefore, critically sensitive credit card and identity data as well as highly confidential business transaction records and data will continue to be permanently stored by online real time payment gateway processors whether cardholders and businesses like it or not.
PCI DSS helps but CDU gets the job done
While it is true the introduction of PCI DSS (Payment Card Industry Data Security Standards) has resulted in card handling and storing practices becoming much more secure, the fact is PCI compliance alone can not, and does not claim to, guarantee 100% credit card and identity data protection.
Here are some more facts - the largest security breach in the history of e-commerce which saw tens of millions of credit card details being stolen was from a PCI Compliant real time payment processor that was externally audited by a PCI Qualified Security Assessor (QSA) ...
See: Massive data breach on PCI compliant gateway
... and that's by no means the only PCI compliant credit card payment processor to have been breached by hackers using cutting edge technologies which resulted in massive quantities of credit card and identity data being compromised. A quick search on Google, Bing or Yahoo will reveal many more.
PCI Compliance is a huge positive, no doubt about that, but PCI can not possibly protect against all hacking and penetration technologies, especially not future hacking technologies that are yet unknown ....
... but CDU does.
Enough is enough
There's a growing groundswell of frustration towards an industry that appears to be doing little more than inventing more complex ways to take more of your money while making it more difficult and more costly for online businesses to accept credit cards online. All for the sake of "improving security" of course.
It certainly seems to me that when any type of media coverage is afforded to the issue of credit card and identity data security the security experts, highly respected and exceptionally qualified they may be, all arrive on the scene to bombard us with endless assurances enveloped in complex and impossible to understand terminology. It does the job, we are all left feeling as though security is on the right track.
But did you ever stop to ask yourself why it is that every single year for the last twenty or so years there's been no appreciable reduction in instances of credit card fraud, no appreciable reduction to the quantities of credit card and identity details being stolen? Alarmingly, it's all still on the rise.
The only authority that doesn't mince words is Police and law enforcement authorities. They have an uncanny habit of telling it like it is and getting to the point rather bluntly. And when they say the best way to truly protect sensitive and confidential data in the age of the internet is to "unplug" that data from the internet, then people like me stand up and take notice. I hope I'm not the only one!!!
See: Fear in the Fast Lane (Four Corners production, Andrew Fowler, ABC TV)
If the industry became so inclined they could make CDU an enforceable security practice which would instantly terminate the core root cause of around 90% of all credit card and identity data theft in the world today, which would also see credit card fraud dry up to a trickle.
Think about that point for a moment. I've just spelt out how the actual industry itself could end, once and for all, the majority of credit card and identity data theft and credit card fraud in the world today. Period.
CDU - everyone can practice it
You do not need to wait for CDU to become official. Applying CDU practices that ensure critically sensitive information becomes safe and secure can be done right now.
Using a CDU Compliant payment gateway to accept credit cards online where highly confidential credit card and identity details are not permanently stored online is available right now.
Using a CDU Compliant payment gateway that puts a complete stop to allowing any anonymous individual on the net to directly and instantly transact online live and into your private merchant account without you knowing is available right now.
CDU is quickly shaping up to be the very ideal under which ordinary people and security conscious online business owners can enjoy a level of security that far exceeds what the payment card industry is prepared to provide or support.
CDU security practices are being adopted, by choice, by people and businesses courageous enough to move away from permanently storing sensitive data on internet connected systems, storage devices and networks in order to afford themselves and their customers with, arguably, by far the most effective data protection practice ever proposed.
e-Path is one such company.
To learn how e-Path came about, see: About e-Path Pty Ltd.
Conclusion
I would like to remind people that e-Path is a manual credit card payment gateway. The process of charging credit cards is a manual one performed by the bank approved merchant account owner only - and not by any person connected to the open internet without the business owner knowing as is the case with the real time 'live' payment gateway processing system. Therefore, e-Path will only suit those businesses receiving small numbers of credit card payments per day.
The handling of large volumes of online credit card payments daily still remains the exclusive domain of the more expensive automated 'live' online processing system for obvious reasons.
So while this message is about there now being a far safer and secure option that I truly believe can make more of an impact in the fight against credit card fraud than any service or product in the world to date, automation may already be too well entrenched within business models and thus it would be near impossible for large scale businesses and organisations to look beyond.
Perhaps then it will be small business, where CDU Compliant manual processes give the distinct advantage, that will be the sector to help lift us all out of the credit card fraud crisis we are in.
By venturing well in advance of established automated architecture and mechanics and by operating to CDU security ideals, e-Path is able to deliver a brand new method to accept credit cards online that is now closer than ever before to achieving the 'Holy grail' in online card data security ...
You can't thieve something that doesn't exist - the absolute perfect impossibility.
With CDU practices and principles now existing and indeed available to be adopted by any person or business, including the payment processing industry itself (should they so choose), the overwhelming majority of credit card and identity data theft and indeed the resulting credit card fraud that can occur because of this is now NOT something that has to be part of our online world.
From now it could be well argued that it largely exists by choice.
And e-Path is one company that's boldly made the choice for it not to exist any longer.
... just a thought
----------------------------------------
Peter Thwaites
E-PATH CREDIT CARD PAYMENT GATEWAY