The Security Carousel
It is axiomatically true that point-of-sale equipment companies live and die in upgrade cycles. We need to stop this. A look back into the past correctly predicts the problems we have today:
“…at this time, many merchants are in a wait-and-see mode with Chip and PIN technology potentially on the horizon, and thus are hesitant to acquire new readers in the near term.”
This quote comes from a 2011 white paper authored by Tim Horton and Robert McMillon and published by First Data about the value of tokenization and encryption in the payment system.
What I find interesting is that it was written four years before the original “EMV deadline” and during the chaotic switch to Triple DES encrypting PIN pads. Ironically, all these years later, this transition to Triple DES was never completely realized and fewer than ½ of retailers are fully PCI compliant, one could argue in large part because of the looming equipment update cycles and the Security Carousel.
Sadly, it is all completely needless.
Had hardware-based encryption at the point of sale been implemented, it is a guarantee that the Target breach, and thousands of others, would never have happened, and the wholesale theft of cards, which is the cause of all fraud, would be severely limited if not eliminated. The most fundamental review of Target's breach shows that PIN block data was never stolen. Why? Because it was encrypted at the point of entry.
The scary takeaway is that as we ponder new ways to modify the payment ecosystem, we deter security solutions from being implemented. Hopefully, we can stop the Carousel soon!