Card Stripes, Prison Stripes and the Question of Security
PDF Print

As the card industry evolves to strengthen the security of cardholder data 
through compliance with PCI standards and federal initiatives, the criminal 
element is evolving, too – shifting into areas where information is easier to obtain, 
in order to ply their trade.  Theirs, too, is a business. Illegal or not, it must be 
seen as that – and businesspeople of all stripes (including those destined for 
the prison variety) defend their livelihoods.

Today, many criminals are shifting their focus from cardholder data to checking 
account data.  The Revolution Card, CAPITAL ONE’s decoupled ACH card, Debitman 
and Tempo generate a card-initiated transaction that creates an ACH debit to the 
business or personal checking account.  They’re similar to debit cards, but are 
outside the MC or Visa environment – and do not incur those fees.  A $100 
transaction in the credit card or debit card world is $.55 to .60;  in the 
ACH world, it’s about $.20, thanks to direct linking.

Being external to the MC/ Visa environment makes ACH different from credit card 
transactions, and while security laws will eventually catch up, they have not as yet.  
And therein lies the criminal opportunity.

Tempo cards, of course, are not new.  Debitman has been with us for a decade;  
Revolution card, 12-18 months.  CAPITAL ONE’s decoupled ACH card is the newest 
of the group.  Introduced in the spring of 2007, it severs the link between debit 
cards and demand-deposit accounts. As with other emerging payment systems 
riding the ACH rails, funds are drawn from the consumer’s DDA via ACH, with 
CAPITAL ONE taking on the risks associated with fund availabilities for debit 
purchases.  This MasterCard debit card is marketed to anyone with a checking 
account at any bank, not just to CAPITAL ONE checking account holders, 
and is expected to do well.

Readers of this publication and others realize there’s significant migration to 
ACH  transactions and that more businesses, mostly for recurring payments, 
are moving to ACH.

With merchants and others creating automatic debits to customers’ checking 
accounts, data and software must be resident on someone’s system, like credit card 
information was.  We as a company decided, when PCI standards first emerged, 
not to hold credit card information resident on our systems.  I saw a need to apply 
the PCI standards to our ACH program and that is what we are doing.  We have not 
yet endured a white hat hacking attempt, but we are encrypting routing and checking
information within our system.  Equally important, we operate within a server 
separate from our primary server, and separate from our internet server.  
In these ways, we are actively applying PCI standards to our ACH environment.

The greatest vulnerability in any system, credit card or ACH, is the link between 
the secure encrypted server data and people in the organization who have need to 
know/ right to know access.  And herein lies the problem.  Someone must open the 
information valve for it to be used.  Someone must have access, and that creates 
system vulnerability. That’s the area we’re addressing today – tightening the 
security locks on our ACH system.

As criminals move from stealing credit card data, checking accounts, and the 
data attached to them, are logical targets.  There are fewer data elements involved 
in ACH  than credit card transactions. A credit card transaction requires an account 
number, expiration, amount, who the funds go to and an authorization signature.   
Expiration dates and who the money goes to is not part of the ACH system.

Years ago, prior to changes in federal regulation, written authorization was required 
for an ACH transaction.  When you took out an auto loan, there was a separate 
document authorizing the bank to debit your account.  You could rescind in writing 
within a reasonable time. Now, only verbal authorization is needed for ACH, and we 
and others are relying on just this for lease contracts and other important commitments.  
We can demand signatures – and we do - but when someone calls for a swap-out 
or a supply order, we offer a direct debit option and increasingly, customers take 
advantage of this.

ACH volume is headed up and credit card volume straight down.  The trend is 
undeniable, and is being pushed by powerful marketing budgets.   Banks are 
clearly concerned that “decoupled” cards – gratis, revolution, tempo and capital 
one do not process through the credit card system and therefore do not generate 
interchange revenue.  Their concerns are justified: this is a real threat to the 
standard credit card fee structure model.

But there is an entirely different threat to interchange that will, in time, make all 
of this moot.  The Interchange fees charged by banks have been ruled “exorbitant, 
anti-consumer” -  and illegal in Australia, New Zealand, and the EU. For four years, 
the National Retail Federation and The National Association of Convenience Stores 
have worked to lower, if not eliminate, interchange fees.

As a point of perspective, interchange fees for a C-store operator are often higher 
than labor cost.  90% of C-store business is in the petroleum environment and 
the number of employees is low, so these fees are the greatest expense.  The 
interchange skim, as c-store operators regard it, is a major revenue source for 
the issuing players.  The ACH  environment is a parallel threat to the interchange 
revenue stream, and one that is guaranteed to gain ground.

Anyone selling decoupled cards needs to understand the importance of PCI security 
standards and apply them, before it’s mandated, to the ACH environment.  There is 
no defense equal to preemption.   If you are PCI compliant for credit card transactions, 
it’s a short step to secure ACH transactions equally.  You’ve invested 90% of dollars 
to accomplish this, so invest the additional 10%.

Not only is this an easy step, but it’s a sales tool as well.  “Not only are we PCI 
compliant, but we’re equally secure for ACH transactions.”  That speaks powerfully 
about your priorities, and way of doing business.  Companies like ours will surely ask, 
in increasing numbers, how you are dealing with data security.   Paypal, Google 
Checkout and other online marketers will eventually embrace ACH in addition to 
credit cards.  For now, early adaptors will have the advantage.

If you are an ISO discussing PCI compliance with merchants, and you’re selling 
ACH processing, you should be talking about security for credit card and ACH 
transactions.  And if you are an auditor, you should be talking about PCI, too . . . 
“while I am here, for additional $500. let’s look at your ACH.”

Legislation is in the pipeline, so let’s all just get over it.  The choice is to spend 
$10k for PCI compliance for credit cards and another $1K for ACH.  Or, wait, 
and start over later, at which time the bill will be higher.

Think water pumps.  The auto mechanic says, “while we’re replacing it, we’ll have 
access to the timing belt and gear, so you may as well change those as well – 
they all have service lives that are similar.”  If you decide otherwise, you’ve saved 
a few bucks today, but a year later, when the timing belt does go out, not only 
are you without your car again, but the price is double.  The analogy is accurate 
on all counts: cost, inconvenience and the hazard of waiting.


Biff Matthews is President of Thirteen Inc, the parent company of 
CardWare International.  He is one of 12 founding members of the ETA, 
serving on its board, advisory board and committees.  (740) 522-2150