Tue, Oct 10, 2000 3:47 PM
Subject: Safeguarding CC#s Under GLB
In Re: GLB 501 Rule, Adequate Safeguards For Financial Information (Credit Card Numbers)
September 21, 2000
In support of your decision to publish guidance for physical, administrative and technical safeguards of financial information under the Gramm-Leach-Bliley Law, I am writing to recommend strongly that the FTC Guidance advise Credit Card issuers to offer customers the choice of a one-time payment number.
In September, American Express unveiled "Private Payments," which enables its Cardholders to go online to generate a unique payment number for purchasing goods and services on the Internet. This simple, straightforward approach is a very effective means of protecting the security and integrity of credit card numbers, because, if the one-time number is ever stolen, it is worthless. http://www26.americanexpress.com/privatepayments/info_page.jsp
PrivaSys, a San Francisco company, has patented technology to allow Visa/MasterCard credit cards to generate one-time-use payment numbers. Under the PrivaSys system, the credit card will have a key pad and an "LCD" screen. When making a purchase, the cardholder will punch in his or her 4-digit PIN. A PrivaSys algorithm then generates a one-time payment number that includes the BIN number of the credit card issuer, but replaces the numbers that are unique to the individual cardholder. PrivaSys is talking to several major issuers and hopes to announce formal deals in the coming month. I am a consultant to PrivaSys.
There are several other companies that are aspiring to offer one-time payment number solutions. These include Cyota, iPrivacy and Orbishield.
I strongly believe that schemes like American Express's Private Payments and PrivaSys represent the most effective kind of administrative, technical and physical safeguard for credit card numbers in the near- and mid-future. Such systems, if implemented universally, would dramatically reduce the number of places where valid credit card numbers could be found. In fact, it could eliminate everyone's access to the valid credit card number, except for the credit card issuer and the cardholder -- which is how it should be anyway, both from a privacy and anti-fraud point of view.
The one-time payment number system will also promote another of the FTC's goals: fostering e-commerce. Everyone from Chairman Pitofsky, to the Commissioners, to Jodie Bernstein has spoken eloquently of the pro-consumer aspects of electronic commerce. However, one of the biggest impediments to e-commerce has been the consumer's fear of trusting his credit card number to cyberspace. One-time payment number schemes will allay such consumer fears and, consequently, give a much needed boost to e-commerce.
Of course, the FTC and other experts know that the number of cases of credit card numbers being stolen is still relatively small, and that the Fair Credit Billing Act protects consumers' rights. However, the *reality* is that e-commerce is being hampered by the consumer **perception** of credit card number insecurity. Another reality is that many consumers want to avoid the "hassle-factor" of stolen credit.
Many years ago, the innovation of ATM cards turned out to benefit both consumers and banks. It was a new use of technology that ushered in a new era of consumer banking behavior.
Because credit fraud continues to escalate rapidly, and because e-commerce needs to do something dramatic to improve consumer confidence in it as a viable medium, I believe strongly that it is only a matter of time before one-time payment number systems are prevalent. The FTC can accelerate its adoption by including in its Guidance a recommendation that all credit card issuers offer cardholders the option of a one-time payment system.
Such a system will benefit consumers, financial institutions and merchants, and will improve the overall integrity of the payment processing system.
Evan Hendricks, Editor/Publisher