New Business Idea

22 01 2007

Yet another potentially massive breach of cardholder data has occurred. The latest involves TJX, a large retailer that owns brands such as T.J. Maxx, Marshalls and HomeGoods.

These seem to have become expected news, with large breaches being announced seemingly every couple of weeks. When chatting with an associate of mine who works in the PCI (Payment Card Industry) assessment field, he observed that a very large number of these incidents are occurring within offline, traditional retailers. After thinking about this a bit, it occurred to me: why couldn’t we take a ‘PayPal’ payment model to the traditional retailers? This would allow the consumer to narrow down their points of trust to a single entity. We would establish this entity, which would verify its security around cardholder data (through PCI or otherwise), and consumers could store their credit card information with it. The company would issue a form of smart card that would authenticate the cardholder at the point of sale and conduct the credit card transaction on the retailer’s behalf. In other words, the card is read at the retail counter and transmitted to this company, which verifies the identity of the cardholder. Once the cardholder is authenticated, the company conducts the credit card transaction on the store’s behalf and then submits a payment to the retailer. The credit card number would never be handled by the retailer, thus limiting the sources of trust the consumer must maintain. Instead of a consumer having to worry about the security of the hundreds of retailers that handle their data, they would only need to be concerned about the one (or certainly far fewer). This doesn’t take the banks or card associations out of the equation, but it does remove the biggest point of failure: the retailers.

PayPal seems to have done a pretty good job with this in the online transaction world. The logistics, I imagine, are a bit more difficult in traditional retail. There would be a significant cost in provisioning the cards, signing up retailers, and deploying the card reader devices. I imagine the service would be free to the consumer and initially free to the merchant. Ultimately it would be a combination of the card association business and the PayPal online model.

What do you think? Is this a feasible business? I’d love to see someone poke holes in the idea.

UPDATED 2/26: Updating this post to note the launch of G Cash by Globe Telecom in the Philippines. This appears to be an early stage of the service discussed in this post. It also removes some of the infrastructure requirements noted above. G Cash allows a mobile subscriber to pay bills, send cash to other subscribers, and make purchases at participating outlets, and it ties directly to your account. I hope this service catches on.
