Expanding Target Breach Shows Need for Highly Secure Payment Systems
Usher presents your identity to the other system, but it's stored in the Usher vault. With Usher, your phone works as a conduit to confirm your identity, but your identity never resides on the phone. "To use, Usher, you have to validate yourself to your phone using your voice, face or even a pass code," LaRow said. "Once it's absolutely certain it’s you, it can offer your identity to other things such as POS systems, using it for log-ons or even to open doors. Your identity is never on your phone." LaRow said that the way Usher would work in actual use is that when you approached a POS system, you'd first identify yourself to the phone and then press a button on the screen to confirm that you wanted to buy something. Once that happens, Usher would present a Quick Response (QR) Code on your phone's screen that the POS terminal can read, which would confirm your identity for the sale. LaRow said that communications between the POS system and the phone make use of a public key infrastructure (PKI) encrypted signal to prevent data theft.Unfortunately, at this point, Usher exists only in the lab. For it to be deployed in a retail environment, the payment processing software needs to be upgraded as does the software in the POS system. This is one of the same problems that is slowing down the adoption of EMV-equipped credit cards. The cards are becoming available; the card readers exist; but the software to tie the POS terminals and the payment processing system together is under development. Usher, like EMV, is a technology with great promise that needs a number of moving parts to work before it can be implemented. Some of those parts are mired in a regulatory morass, some in the inertia of major corporations and some because merchants don't want to increase their costs. For EMV or Usher to work, those roadblocks need to come down. Unfortunately, that will take time unless customers start complaining, which they should do once they have been caught up in a data breach on the scale of Target's.
LaRow said that while Usher is able to push payment card information very deep into a retailer's databases, it still can't prevent all data theft when security is poor, as appears to be the case with the Target breaches. However, it can make personal information difficult to find and even more difficult to connect to identity information so that a hacker can use it.