Protecting Payments
John South has a lot to worry about. He looks out for “generation plastic”—users of credit cards for everything from a cup of coffee to a trip around the world. With every swipe, chip dip, hover (over near-field communications devices), and entry of a sixteen-digit card number into an online field, transactions are executed that may involve South’s employer, Heartland Payment Systems.
South’s role at Heartland is chief security officer. And in an era of massive data breaches, South and his comrades in the credit card processing business—which includes at least two banks, a merchant, and a processor involved in every transaction—have massive amounts of data and money to protect. On top of that, there are thieves to thwart. Just mention the security breaches that affected Target, Home Depot, Wendy’s, JPMorgan Chase, or Citibank, and it’s enough to bring headaches back to merchants, banks, and consumers alike.
According to the AFCEA—an alliance of military, government, and industry organizations that collaborate on tasks such as information technology and cybersecurity—US online credit card fraud alone is projected to increase from $3.3 billion in 2015 to $6.6 billion by 2018. Online fraud is easier to pull off in some respects because the actual presence of a card is not required. But brick-and-mortar merchants who take cards in person are subject to a great deal of fraud from stolen credit cards as well. Fraud rates in the United States exceed those in Europe, which some say is because American card issuers were the last to adopt EMV chips—now being phased in by most banks and card issuers—as a means of protecting consumers for in-store transactions.
An Ongoing Battle
South cautions that some worries are overblown. “The first big breaches happened about ten years ago and were very shocking to the public,” South says. “People thought, ‘Oh my goodness, my credit will be ruined.’ But as more breaches happened—not just in payment systems but in health data, and a $45 million ATM heist in 2013—we realized there’s a built-in limit to the impact on individual cardholders.”
South stresses that gains against the bad guys are made possible with tighter encryption and newer tactics, such as tokenization and point-to-point encryption.
Tokenization essentially creates a new algorithm for every transaction. “It’s a one-way function of the token, with another encryption used for the next transaction,” he says. Point-to-point encryption instantaneously converts credit card data into code that is indecipherable to would-be hackers. “Companies simply have to be willing to spend the money on security,” says South, emphasizing how security worries affect virtually all industries. “Expect that it will be between 11 and 15 percent of your information technologies budget. And that the best outcome will be boring days when nothing happens.”
Getting an appropriate amount of funding for security may be less of a challenge today because of those threats. “I have to lay out the possibilities to senior executives. It comes down to fears, uncertainties, and doubts,” he explains. “But it’s also a solid business function, a part of operations and organizational effectiveness. Security definitely has a seat at the table.”
Experiential Learning
He’s been in IT for thirty years, but of course the game constantly changes. As a systems administrator for Alcatel, South says he derived satisfaction when he became a systems programmer at EDS. His father was in programming and he in fact worked on his first program in Fortran at the age of ten “on an old IBM,” he says.
South teaches the next generation of cybersecurity professionals about the legal and compliance implications of IT security as an adjunct professor at the University of Dallas. He instills in students the sense that fraudsters are an inventive breed. “Malicious actors have lots of resources,” he tells them.
He also insists that in order to have a promising career in this field, kids need to have a love for science, which worries him. “A lot of the teaching they’ve had has been to meet state testing criteria. It’s incredibly boring,” he says. “Experiential learning is incredibly powerful, whether launching a rocket or dissecting a frog.”
One could take that literally or figuratively. But it’s clear that South understands the intersection of human behavior and advanced technology. And he’s willing to understand where that can get ugly. The outcome is that credit card users have less to worry about and more boring days where nothing bad happens.
Editor’s Note: At press time, South was no longer with Heartland Payment Systems.