This Target hack is a BFD. I’m at the mall this weekend because I’m a very last-minute shopper and it was the only time I could find to shop. My wife calls me because she gets this email from Chase which I’ll paraphrase here:
You got hacked. Lolz! It ain’t our fault, really. So sorry. So so sorry. Oh, BTW we’re putting new limits on how you can use your card in the middle of Christmas week because of Target. Hey hope this doesn’t screw you up, but I hope you weren’t planning on spending more than $100 a day with us. Happy holidays.
Think about this for longer than a few minutes, think about how this affects millions of customers, and then you’ll realize that this Target hack could potentially ding a percent or two off of this holiday season for a few retailers.
When we look back at this time, we’re going to laugh at how silly our approach to payment systems was from about 1980 – 2013. I think that the Target hack is likely just the beginning, but it is clear that (even with strict PCI compliance) we need a radical change in payment.
Problems with Payment
- Our credit cards (at least in the US) are the technology equivalent of a cassette tape. While I’m running around town with a smartphone that can read my fingerprint whenever I shop, I’m still using the equivalent of an 8-track cassette tape to pay for everything. Instead of moving toward a system that uses my location and my fingerprint, we’re just walking around with wallets that are no more secure than a totally unprotected envelope labeled “My Credit Card Numbers.” Steal my wallet, and you’ve got my credit card numbers… there’s a better way.
- We still have this irrational belief in the signature (and checkout clerks still eyeball them). This is our idea of identity verification – here’s a quill pen, why don’t you just sign this. Now wait… there’s enough reliable location data flowing from my phone to enable every checkout clerk to say, “Welcome to the store, Mr. O’Brien” without me saying anything. The store should know I’m there already, and the technology also exists to have the store take care of payment authorization every time I pick something up. My phone could generate a piece of data that could encrypt not just who I am, but where I’ve been today and what the time is down to the microsecond, authenticated by several GPS satellites.
- Online payment systems that offer more security are tiny in comparison to the 50,000 lb gorillas that dominate the system. No one uses these systems. Add up the value of all the innovative payment companies in the Bay Area (Square, PayPal, + a thousand others), and you still don’t touch the $6.9 trillion total volume of Visa. That’s $6.9 trillion flowing through billions of point-of-sale terminals (or “all the money”). Someone needs to figure out how to upgrade that instead of creating yet another payment system to trial in San Francisco and New York.
When I wrote about payment systems in 2010, the universal warning everyone was throwing at me was, “Don’t expect anything to change in the short term. The retail industry moves slowly, and no one wants to make the capital investment necessary to upgrade point-of-sale.” At the time I was talking to a senior manager at a well-known payment company based in the Bay Area about NFC payment systems. According to him, the future was now; a revolution was upon us. It wasn’t.
1. Ensure real competition in the payment processing space. Huge payment providers like the ones that have logos in your wallet have had a history of using confidentiality agreements with vendors and transaction fees as a tool to lock out the competition. For example, you are not allowed to offer discounts for different kinds of payment methods. Whether or not this continues to happen after the interchange fee settlement is up for debate, but we need to make sure that new technologies are not locked out of the physical point-of-sale space.
2. Put all the risk on payment providers. If you provide a card or technology that people can use for payment, put all of the responsibility for a compromise on the payment provider. This will motivate payment providers to move away from the current, insecure methods of payment that we use today. Your credit card won’t just be a series of easy-to-copy numbers; it will make use of the technology we have available. Also, this would force dramatic changes to PCI. “Storing a credit card #” at a merchant would go away, and instead your transactions would look more like PayPal’s authorization process for recurring payments.
With real competition, the payment processors that can control risk will be able to offer a significantly lower cost to the retailer, and retailers will provide the necessary motivation to consumers to adopt the more secure technology. If Square has the best risk management and fraud prevention technology available, a retailer should be able to offer customers a 1-2% discount if they pay with Square. Competition (not regulation) is the way out of this mess.