MagTek CEO: “Dynamic Data is the Core of Security” [TRANSCRIPT]

David Evans: Hi, this is David Evans; talking today with Mimi Hart, CEO of MagTek, for PYMNTS.com. Mimi, thank you very much for joining me today.

Mimi Hart: Oh, it’s my pleasure to be here, David.

David Evans: For those of you in the audience, I just want to mention that Mimi is a very well known thought leader in payment security. She recently founded the Security Mode Payment Council, and she was a recipient of the Movers and Shakers Award from Transaction World Magazine. Mimi, MagTek has been a business, I understand, for about 40 years now; I guess from about the early 1970s. Maybe we could just start by telling us just a little bit about MagTek.

Mimi Hart: As you just noted, we have been around. This is our 40th year of business. We’ve always been an innovator in the industry. Interestingly enough, 40 years ago we actually—I think it was 39 years ago— delivered this world’s first swipe reader. And prior to that, all credit card transactions were manually hand-keyed. So, the swipe reader really changed the world. It afforded some security. But more importantly, what it really did at point of sale was it made the transaction a lot faster, there were a lot fewer mistakes. We didn’t have to do as many redos. And we were really able to eliminate a lot of superfluous and time-consuming typing. So that was the first innovation of MagTek, and over the past 40 years we have continued to do some really interesting things in the card technology space—not just with mag stripes, but we’ve been probably the leader in mag stripe security.

David Evans: Why don’t you tell us a little bit about that? Tell us some of the innovations that MagTek has done in payment security over the last couple of decades.

Mimi Hart: I’d love to tackle that one. The very first security that MagTek was involved in had to do with ATM security. Because ATMs actually preceded point of sale in the rapid adoption of mag stripe reading technology, and at that point, we realized that it really wasn’t per se about the card; the security was really in the system. And so, MagTek was the first deployer after IBM of the triple DES algorithm for pin security. Because we realized that if you added a unique token, with the card that the consumer carried, and you added some strong pin security to it, it could be adopted across. Because it was an industry standard, you could adopt it across all different layers. And so, we invested heavily in that technology. But, a number of years ago, we began to look. And actually, this goes back probably 15 years. We were trying to find machine-readable technologies that could stop fraud at point of sale. And we were looking for technologies that specifically wouldn’t require human intervention. So all of the early security technologies revolved around, essentially, visual cues on the card; so, we had fine line printing. We had batch numbers. We had the early warning bulletins. We had to go look up the number to see what was on the fraudulent card list. We added holograms over time. But the difficulty with all of those features was that essentially, it just relied on the clerks to become the inspector and the detector of fraud. And those features, while a little bit helpful, they didn’t really do anything in terms of protecting the mag stripe data. And it didn’t give us an automated way to stop fraud. So we were investing, and we were investigating first of all, all the various options that you could use to add mag stripe security. So we worked with a number of different companies including Visa and MasterCard on things like water mark technology for the stripe, machine readable bar codes that would be added to the stripe. We were always looking for what is it out there that could actually be used to authenticate the card and the data on the card, and hence be able to recognize that the card was fraudulent, and stop the card in real time. And we discovered a technology that we called MagnePrint®. And it’s really a method of looking at the magnetic DNA on the card. And we can measure that magnetic fingerprint. And just like human fingerprints, we could look at it as we gather it; and, we put it in a database, and then we can refer back to it to make sure that the fingerprint is the legitimate one. But the biggest thing about the technology is that it essentially always provides us with dynamic data. And at the end of the day, it’s really dynamic data that can add security to the payment card world. Every single time, we rely on a primary account number that never changes, and we publish [that] on the front of the card, or we have to call it off over the telephone; or, you have to type it in over the Internet. You know, that data is very vulnerable. And so we’ve tried to focus on ways where we can protect the cardholder data with really a multi-layered approach. But at the end of the day, the final piece of it—and the one that will be most effective in the industry—is the ability to actually do a form of authentication on the entire transaction.

David Evans: Mimi, one of the foundations of your plot forum—and maybe you’ve touched on this to an extent—is the MagneSafe® security architecture. Could you tell us a little bit about that: what it is, what’s unique about it, and what makes that desirable for merchants?

Mimi Hart: I’d love to spend a little time talking about that. I did start off by saying that MagneSafe® is all about layers of security. There’s been a lot of focus lately on the subject of encryption, for example. And while encryption is really good, encryption all by itself is just not going to stop the type of fraud that we’re seeing. Encryption is actually going to make it a little bit more difficult for the fraudsters to get the data. But what we’ve been focused on is trying to help to make sure that when the fraudster gets the data, that he really just can’t use it. So this multi-layered security, it starts with encryption because we believe encryption is a really good thing. But we also add in tokenization, and we tokenize actually at the reader. So we don’t have to make that hop up to a processor to obtain a token. And we don’t leave the data in the clear in the process of getting it to the tokenization point. Then we’re adding that authentication deep in. And that’s really the key cause. That’s what allows us to recognize the counterfeit or the clone card, and stop it. And the other thing is that we’re gathering this dynamic data from every single transaction, and we’re doing it on existing payment cards. So what this does is it helps to protect the card from the moment it swipes—and really, all the way through the process. So, because we’re relying on this dynamic data, even if that data gets stolen, it can’t be used in the next transaction, and therefore can’t be used to commit fraud. So we believe it’s the dynamic piece that is actually the most essential piece of those layers. We have another layer of security there where we talk about it as the challenge and response, or a mutual authentication between the card reader or the terminal, and the host that it’s talking to. And this is a really good feature for preventing a data fest as well. We probably remember the likes of the Michaels stores—where rogue devices were implanted, and they were used to steal the cardholder data and the pin data, and had some type of a mutual authentication of the device and the host in place. We could have thwarted that type of fraud.

David Evans: So I gather what makes this really desirable for merchants is it’s a solution that reduces their liability for fraud; reduces the extent to which they’re going to get hit with fraudulent behavior.

Mimi Hart: That’s exactly right. And the other thing about it is that we’re doing it right now with today’s existing payment cards that have not been modified at all. They don’t have any expert security features on them. We just take advantage of the fact that the magnet stripe itself has some personality characteristics that we can evaluate, and we can determine whether a card is legitimate, or it’s actually a clone.

David Evans: Let’s talk a little bit more about that. In terms of counterfeit card fraud, what problems have you guys completely nailed? And what’s next?

Mimi Hart: So the short answer there, and that is we haven’t completely nailed anything. It’s still in the early stages. So we haven’t gone far enough yet, but MagTek is a company; we ship millions and millions of magnetic card readers into the marketplace every year. And we’re making fairly good progress. We designed and developed the very first secure card readers, and this was before the days when PCI, DSS even existed. And we put these encrypting and authenticating readers out there in the marketplace. And there are lots of them out there right now. Some of them are in a state where the security features haven’t been turned on yet. But they’re there, ready to be used when the merchant needs them. In one case, for example, of a nationwide, ATM bank network, we were the bank that installed this technology. It’s been used for years now. And literally, they have reduced their card fraud to zero. So we have proven that the technology works. And now we’re faced with implementing it, and an education process as well.

David Evans: What’s the biggest problem remaining with regard to counterfeit card fraud? And I know there are probably many problems, but what’s the biggest problem that you see out there now that really does need to be solved?

Mimi Hart: Well, right now as an industry, we’re focused on two technologies [that] have risen to the top. One is encryption, and the other is tokenization. And we believe that again, those two technologies, by themselves, give us some added benefit; but, they don’t actually stop fraud. And so we need to get the message across to the industry that more is required, and [that] authentication technology, where you can actually recognize the card and stop its use, and you can literally, at that point, say that the data that’s on that card just has no future value, so it can’t be used. It can’t be trapped and used again, and that’s he message that the industry’s not getting well enough right now, and our job is to educate them. We also need to work to actually do some other things to protect the consumer. There are aspects of fraud that go beyond just the financial losses. We talk about consumers that have to go file affidavits to say that it wasn’t them that perpetrated the fraud.

David Evans: It’s a real time sync.

Mimi Hart: Oh, it’s time, it’s lost wages, it’s endless phone calls. I mean, it’s just it’s a royal hassle. And we’re not doing anything to actually help the consumers get out of that process.

David Evans: It sounds like an important problem for the industry to address. MagTek currently operates in more than 40 countries. Just briefly, what are the differences and similarity in payment security that you see across now?

Mimi Hart: So what we’re seeing is that there are a lot of countries that are transitioning to alternative technologies like [Chip and] pin. Interestingly to note, EMV and Chip and pin technology was not originally designed to stop fraud. It was really designed to be an offline mechanism for settlement between countries that had very poor communications, and not good use of forensic databases. That’s really not the case in the domestic United States. So what we are seeing is that, and if we look at this EMV technology that is being rolled out in some countries, where we have to recognize that it has a weakness. It’s relying on process control or good key management. And as you probably know, we have a lot of difficulty right now with key management just between terminals and acquirers. So when you get key management down to the point where every single card has to have a different key on it, you know that puts a huge pressure on the issuer. And at the end of the day, it all relies on process management. And when I say process management, we have to underline that with human process management. Which we all know is prone to a lot of mistakes. And then we’re seeing that the DMV cards can be expensive. So we’re having difficulty justifying that. And between countries we don’t see as much fraud in the United States as some of the other countries that have implemented EMV (inaudible). And the other thing that is hurting both sides—whether it’s an EMV country or a non-EMV country—is at the end of the day, we’re still relying on a great deal of static data. So when the [pan] doesn’t change, and when that (inaudible) and entered at either a telephone transaction, or brick and mortar, or online. That is exposed in those locations, and it’s still vulnerable. So EMV isn’t doing enough to solve the problem. And I think the analogy’s the same in the United States. We’re not doing enough to actually solve the problem.

David Evans: How is MagTek confronting the issues and challenges that we face with payment security going forward?

Mimi Hart: So what I think, largely, our role is [is] to educate the industry. We have to get around to the realization that the end game is some form of authentication. And if we want to have the same level of confidence in plastic money or plastic cash as we have in paper currency. Then we really need to have some really strong machine readable, anti-counterfeit measures, and not just on the card level, but on all of the other aspects of the system as well. So in the payment community, we need to be able to validate a number of things. We need to talk about the fact that the card is genuine, but that the data on it hasn’t be altered; that the reader is legitimate; that the cardholder using the card is the rightful party; that the party receiving the data is actually the rightful recipient; and, we need to know that the details of the transactions haven’t been changed. So if I wanted to send you $100, you can’t translate that into a thousand. These are the very same elements for security that we need regardless of what our payment instrument is. It could be a wristwatch, it could be a [fob], it could be the card in my wallet. Those are the things that we need in order to be able to say each and every one of those is genuine. And when we can actually establish that with some high degree of trust, then we actually have a really trustworthy payment system that can can continue to inspire confidence.

David Evans: Mimi, last question for the day: PYMNTS.com is all about what’s next in payments. I’m sure you guys have a lot of stuff that’s going on now. And I’m sure there’s some stuff that you don’t want to tell the world about because it’s top secret. But are there innovations that you have on your road map that you like to share with the payments.com audience?

Mimi Hart: Oh, absolutely. This, again, goes to the heart of MagTek and what we’ve been doing with innovations over the years. We see it, first of all, in brick and mortar. We know that we need to move to the concept of authenticated card presence, rather than just card presence. There are too many clones out there to count. And the chance that your data has already been compromised is so high that we need to treat the transaction and all transactions as if they already; as if the data already has been compromised. And we need to be able to again, stop and detect that fraud in real time. And its authentication of the payment instrument that would allows us to do just that. We see some big changes coming down in the world of mobile payments and e-commerce. We know that these are going to grow faster than our traditional sectors. And that they are going to drive the need for better and stronger authentication. And put in the online and the mobile world, and MagTek’s ready. We have most of those solutions in place right now. We know we’re going to see a great deal of activity in the wallet and the alternative payments base, using smart phones or other smart devices. And we see ourselves really as a provider; we’re a bridge to mobile. We have a wallet solution right now called Qwick Codes®. It can be downloaded from the Apple store. Pretty shortly, you’ll be able to download us in the Android store as well. And what it can do is it can provision all the cards in your wallet safely and quickly. And our approach is unique in the sense that we’re not dependent on a mobile network operator, we’re not dependent upon a handset manufacturer, a secure element you know, controlled by a third party; the branded card networks, the issuers, and acquirer, or even NFC technology. We’ve got a solution that puts the consumer in control, but it provides a consistent, convenient, and comfortable experience that has the highest degree of security possible in today’s day and age. But moreover, right now it works across the board. It’s working across all channels. It can work in brick and mortar, it can work at the gas pump, it can work at the supermarket, it can work in mobile, it can work in e-commerce. So it’s a solution that tackles all the problems; all the conveniences we want in all of these alternative payments, but adding security across all of those channels.

David Evans: Mimi, payment security is a really important topic, and I agree that it really cuts across almost everything going on in the payment industry nowadays that is innovative; so, this is a great area to be in. We really appreciate your spending some time with us today, and thanks very much, and have a great rest of the day.

Mimi Hart: Thank you very much, David. Really appreciate the opportunity to talk with you, and best of luck to you for the rest of the day.

David Evans: Thanks.

Mimi Hart: Thanks, David.