FindLaw's Common Law

Consumer protection legal news from

February 2016

Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29          

FindLaw Blogs

FindLaw Blotter
Free Enterprise
Law & Daily Life

If you're looking for information on common law marriage, please visit the Common Law Marriage section on FindLaw.

« Ratings Agencies and the Financial Meltdown: California Investigates | Main | Latisse Side Effects: FDA Warns Allergan over Misleading Claims »

Credit Card Data and Encryption: Big Holes in Protection

These days many people fear the theft of credit card data during online purchases or through malicious software on their personal computers. However, the biggest risk to your credit card number probably isn't someone stealing it from you, but rather someone stealing it from one of the merchants you pay everyday or from the payment processor a merchant uses.

In the wake of the largest credit card data heist yet recorded, many are wondering how a twenty-something in Miami (plus his partners) can rob one of the nation's largest card payment processors blind for more than a year. They may also wonder how he could cruise down the highway and remotely detect which big box retailers have credit card transaction data open for the plucking.

The answer would surprise most: credit card data often goes unencrypted at some point along the chain. As it goes from cardholder to merchant to payment processor to credit card company and back, someone getting hold of it at any point while its not encrypted has gold in their hands.

Currently, credit card companies require payment processors and merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS). While the PCI DSS requires encryption for payment card data while it is in transit from one network to another (say the merchant to the payment processor), encryption is not required when payment data is within an internal network.

This has Robert Carr, CEO of Heartland Payment Systems, calling for the credit card industry to adopt an "end-to-end" standard for the encryption of payment card information.

One might view this as too little too late from the less than nimble victim of the theft of 120 million card numbers (and the defendant of a slew of lawsuits over its data practices), but it's a good point none the less: why is this data not encrypted all the time?

Carr's call may also be seen as a plea for continued self-regulation -- let the credit card industry (not federal regulators) revamp its internal rules (which up to now have not proved terribly reassuring). As Computer Weekly put it in January, after the year and half long plundering of Heartland came to light, Heartland's case proved that PCI compliance is not enough. Will revamped self regulation through revised PCI compliance be enough?

A Congressional committee might rake Mr. Carr over the coals for a day, but will Congress step in and create rules of the road for payment data?


TrackBack URL for this entry:

Listed below are links to weblogs that reference Credit Card Data and Encryption: Big Holes in Protection:



Common Law Vanguard Panel

The following firms have assisted the FindLaw editorial team in identifying emerging trends in consumer protection law and topics of importance to readers of this blog: