Caveat 1.20.22
Ep 109 | 1.20.22

Compliance regulation in the payment security world.

Transcript

Ruston Miles: And so what you have is you have compliance and security regulations happening within the industry coming from one end, and then you have regulation coming from the government on the other end. And so you find folks in a bit of a scramble to solve for not just payments information, but also for privacy regulations.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On today's show, Ben looks at the recent Russian takedown of alleged REvil masterminds. I look at warrantless requests for WhatsApp metadata. And later in the show, my conversation with Ruston Miles from Bluefin. We're discussing compliance regulation as it relates to the payment security space. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, we've got some good stories to share this week, but before we do, we have a little bit of follow-up from a listener named Casey, who wrote in and said, regarding the "Caveat" podcast 108, two things. First, when considering whether to make constitutional amendments easier, we should always first consider how easy we would want it to be for our political opponents, those who see things oppositely than we do to change the Constitution. Yeah, I would agree with that, Ben. I would say we're kind of in the midst of that. We're in the heat of that right now with the filibuster debate, right? 

Ben Yelin: Yeah. You know, I'm cynical enough to believe that most people don't have really firm principles when it comes to procedural things like how easy it should be to pass a constitutional amendment or whether there should be a filibuster, that, for most people, it's situational. I think there are people who have spent a lot of time thinking about both of these issues, the filibuster and constitutional amendments. And in the long run, you know, I think you can make a proper normative judgment as to whether it is too easy or too hard. 

Ben Yelin: You know, I think it certainly has to be a much higher bar when we're talking about constitutional amendments than simply passing a law, you know, because our Constitution is our sacred document. It should - we have to go through a bunch of hurdles in order to change it. And, you know, I think the rationale of our founders is, you know, we need to get the states involved. It was the states that, you know, predated our federal Constitution. And so the state legislatures should have a say. And I certainly respect that. 

Ben Yelin: And yeah, you know, anytime you're evaluating making these changes, you should always think about, what if it's the other guys? What if it's the people you most vehemently disagree with who make constitutional amendments? I still think, even if you think about it like that, there is a case for arguing that the process should be not quite as cumbersome, given that we are a very closely divided country. And getting three quarters of our state legislatures to agree to anything is just kind of exceedingly difficult. But that is the process we have. It's not going to change anytime soon. So - but I certainly - I think that listener's note of caution is well-founded. 

Dave Bittner: OK. OK. Casey has another question. He says, how would Rule 407 of the Federal Rules of Evidence apply to post-cyberattack remedial efforts? Ah, yes, Rule 407, I know it well. 

Ben Yelin: We all know that one. Yeah. 

Dave Bittner: Actually, no, I don't know it well. Well, Ben, what is it? 

Ben Yelin: So it is a rule in the Federal Rules of Evidence, which are publicly available, by the way, online if you're ever extremely bored and want to check those out. Those rules are basically what information can and cannot be admitted in federal court, so they only apply to federal cases. Rule 407 is about evidence of somebody taking remedial measures in the aftermath of an alleged wrong, so an alleged tort or something like that. Basically, if you're being sued for negligence and, you know, subsequent to that lawsuit, you take some type of remedial measure - maybe you make your product a little safer, maybe you streamline the distribution process - a court will not admit evidence of that to show that you were negligent in the first place, if that makes sense. Because they want to encourage people to take those remedial measures. So they don't want something like that to be admissible in court in order to prove that you were negligent in the first place. 

Ben Yelin: This question is about cyber incidents, and certainly Rule 407 applies. Let's say you're being sued because, you know, you were negligent. Data was breached, something happened. And in response to the lawsuit itself, you take remedial measures, say, by instituting multifactor authentication. The fact that you took that action after being sued can't be admitted in evidence to show that you were negligent in the first place. It can be admitted for other reasons, you know, so if there's any dispute about whether you had ownership of the software, it could be, you know, the fact that you were the one who made changes to it, it can be admitted for those purposes. And it can be admitted, you know, to impeach somebody's credibility. So, you know, let's say you took remedial measures, but you have lied about whether you had taken those same measures in the past. You can introduce evidence to show that, you know, the witness here is a liar. 

Dave Bittner: I see. 

Ben Yelin: But yeah, I mean, just like any other federal case, we want to encourage people to take remedial measures to correct past mistakes without worrying about whether it's going to hurt them in a lawsuit. So the rule certainly applies. Most state courts follow a version of the Federal Rules of Evidence. There are some differences here and there. But it really is a template for most state cases as well. So yeah, I think that this is an excellent question, a great point. And that federal rule of evidence does apply. 

Dave Bittner: All right. Well, our thanks to our listener, Casey, for sending that in. We would love to hear from you. If you have a question for us, you can send it to caveat@thecyberwire.com. All right. Ben, let's jump into some stories here. Why don't you kick things off for us? 

Ben Yelin: So my story comes from our friends at Motherboard by Vice. And it is entitled "Russia Says it has Arrested Members of the Notorious 'REvil' Ransomware Gang." We talked about REvil last year. They were the alleged perpetrators of the Colonial Pipeline attack - or rather, they're associated with the alleged perpetrators of the Colonial Pipeline attack. That group is called DarkSide. So this is seemingly a really encouraging step. I mean, we had taken diplomatic measures over the past year as a country to try to encourage Russia to hold cybercriminals to account. And seemingly, that's what they've done here. Their domestic law enforcement agency has made arrests of 14 members of this REvil group. Before we get, you know, a little too rosy about what this means, there are some plausible explanations other than, you know, Russia suddenly turns benevolent in the world of cyberspace. 

Dave Bittner: Right. 

Ben Yelin: So you know, we could choose to believe that they've really decided, based on, you know, our diplomatic encouragement, that they need to take ransomware attacks more seriously. And they're doing this out of the goodness of their own heart. It's, you know, good for their international relations posture. That's possible. The more cynical explanation is they're looking to placate the West because they are currently engaged in activities, as we all know, around the Ukrainian border. And, you know, so not only would they have incentive to show the West, like, we're - you know, we're not the lawless society that you're portraying us to be. But also, you know, yeah, we're doing this for you now. But if we invade Ukraine or violate Ukraine's borders and you institute, you know, some sort of sanctions or other diplomatic pressure on us, maybe we won't be so nice to you about these, you know, cybercriminals in the future. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: So yeah, I mean, this story has a little bit of international intrigue to it. We don't know the motivations behind the Russian government's decision here. I do think, you know, regardless of the motivations, it's good news that, you know, the alleged perpetrators of some of these very serious attacks are being brought to justice, have been arrested. 

Dave Bittner: Yeah. I saw cybersecurity ransomware expert Allan Liska - he's from Recorded Future. He mentioned on Twitter - he was sort of - half jokingly wondered if this makes Russia's FSB eligible for the U.S. government's $10 million reward (laughter). 

Ben Yelin: The prize grant? Yeah. 

Dave Bittner: Right. Right. Exactly. 

Ben Yelin: I'm not sure how well that would sell politically. Yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: Oh, this, you know, good old American group who, you know, checked all the boxes and helped us improve our own cybersecurity posture, good for you. But we're going to give that $1 million to Russia, actually, Russian intelligence agencies. 

Dave Bittner: (Laughter) Right. Right. Yeah. Or is it just professional courtesy? Yeah (laughter). 

Ben Yelin: Yeah. Allan Liska was actually quoted in this piece. And he postulates - and I think this is certainly, you know, something that we should keep in mind - that maybe ransomware groups aren't safe in Russia once they've out-used their usefulness. That's the cynical view. I happen to think it's probably right. There are reasons for them to take law enforcement action post hoc, you know, after there have been a series of attacks that have inflicted the type of damage that agents in the Russian government, perhaps, wanted to inflict on their foreign adversaries. And once that's done, as we mentioned, they might have their own reasons to hold those perpetrators accountable. 

Ben Yelin: But nevertheless, I mean, as he says in this article, they caused a lot of damage to many different types of organizations around the world. And having them face any consequences could serve as a disincentive for future cybercriminals. So whether or not, you know, this is actually Russia getting serious about tackling ransomware or, you know, this is just a way to alleviate international pressure, the fact that they're being held to account is good news. And it's something that we should celebrate. I just think, you know - you and I are almost always cynical. So it's not a problem for us. 

Dave Bittner: (Laughter). 

Ben Yelin: But if anybody was wearing rose-colored glasses and thinking, you know, this was a major breakthrough in our international fight against ransomware, you know, I'd think twice about that. 

Dave Bittner: Yeah. We're all going to get together, hold hands and sing "We Are The World." 

Ben Yelin: Yeah. I mean, you never know. 

Dave Bittner: (Laughter). 

Ben Yelin: We certainly had visions of that in the '80s and '90s. 

Dave Bittner: That's right. Yeah. 

Ben Yelin: But, you know, I tend to think this is not the beginning of a future path that leads to us and our Russian and Chinese adversaries singing "We Are The World." Maybe I'm wrong. 

Dave Bittner: Yeah. Well, I mean, I... 

Ben Yelin: If I'm wrong, you can hold me accountable. 

Dave Bittner: Well, I think we'll see if this is a one-off or if we continue to see more arrests from Russia's FSB or, you know - or not. That'll be the proof in the pudding, I suppose. 

Ben Yelin: Right. And the circumstances around these arrests - so what's going on geopolitically with Russia at the time? And, you know, what other motivation might they have for holding these organizations accountable, that might be below the surface. So that's the, you know, they've outlived their usefulness. They're a sacrificial lamb. They're a - it's a misdirection. We always have to keep those people in mind - those theories in mind. 

Dave Bittner: Yeah. Yeah. 

Ben Yelin: But yeah, I mean, I think it's certainly worth keeping an eye on. I'm not going to completely discount the possibility that this is a good-faith effort to hold cybercriminals accountable. And if it is, we should welcome it. So yeah, I mean, we will be following this closely, for sure. 

Dave Bittner: (Laughter) Yeah. Absolutely. All right. We will have a link to that in the show notes. My story this week comes from Forbes, written by Thomas Brewster, who we certainly feature here regularly. And the article is titled "WhatsApp Ordered to Help U.S. Agents Spy on Chinese Phones - No Explanation Required." And this centers around some documents that were recently unsealed. And it has to do with surveillance from DEA investigators who demanded that Facebook track some users on WhatsApp. And they're making use of the Pen Register Act, which evidently goes back to 1986. Ben, can you give us a little CliffsNotes on the Pen Register Act? 

Ben Yelin: Yeah. So you know, many of us were young or not yet born when the Pen Register Act was, you know, at its most relevant stage. But basically, there used to be this device you would attach to a phone that would record the numbers being dialed and the duration of the calls back in the age of landline phones. 

Dave Bittner: Right. 

Ben Yelin: And the Pen Register Act of 1986 said that as long as it's part of an authorized criminal investigation, you do not need a warrant to install a pen register to obtain that type of metadata. So it doesn't collect any content. It's not a recording device. It's just information about the people involved in the communication, so the phone numbers, the accounts, et cetera. 

Dave Bittner: And so when we transfer that to the modern age with apps like this, text messaging apps and so on, same sort of thing applies, where they're just collecting who connected to whom, but not the actual content of the message? 

Ben Yelin: Yeah. I mean, when we're talking about WhatsApp, they can't collect the contents of the message because it's end-to-end encrypted. So the only useful information they could potentially glean from WhatsApp or any other provider, really, that has an end-to-end, you know, encrypted messaging service is the metadata. Metadata might be extremely valuable when we're trying to - you know, I think this ends up being a case about the distribution of opioids. And if we can start to make connections as to who was communicating with whom, and then, you know, we use human intelligence means to connect devices to individuals, phone numbers to individuals, account numbers to individuals, that's just good, you know, intelligence work. And it's certainly permissible without a warrant as long as this isn't being done to harass people, if it's part of a criminal investigation. 

Dave Bittner: And it seems, in this case, the DEA was trying to track down folks who were selling opioids and other drugs on the web, dark web markets and things like that. 

Ben Yelin: Yeah, you know. So things that clearly, you know, the U.S. Justice Department would have a significant interest in. You know, that's the purpose behind the Pen Register Act in the first place is getting a warrant when you're in the middle of a criminal investigation, when you don't have sufficient information to have probable cause to arrest somebody, would just be too cumbersome. And that's why we have this Pen Register Act. Its purpose is to - you know, if you have an inkling that somebody is involved in criminal activity, if you can assert in front of a magistrate judge that the information likely to be obtained is relevant to an ongoing criminal investigation being undertaken by your agency, then yeah, I mean, you - law enforcement will be able to collect that information. 

Ben Yelin: That's unsettling to a lot of people because it means that the government has warrantless access to all of our metadata. And that's largely true. Although, there are starting to be some exceptions. And the constitutional reason for that is we just don't have a reasonable expectation of privacy in that metadata. So when it was phone numbers - and this comes from a famous 1979 Supreme Court case, Smith v. Maryland - the court held, you know, we know that the phone company is making your records - making a record of all of the calls that we make for their own business purposes, so that they can send us a bill at the end of the month. And because we know they're making those records, we don't have any expectation that those records won't be transmitted to law enforcement. 

Ben Yelin: It gets a little complicated when we're talking about end-to-end encrypted applications just because, you know, I don't think people are quite aware that the metadata itself might be logged and retained, you know? It's the communications themselves that are encrypted, that are inaccessible to law enforcement. But I still think, you know, from a constitutional perspective, people do not have a reasonable expectation of privacy in that sort of routing information, you know? We don't have a reasonable expectation of privacy on what's on the outside of an envelope. We only have a reasonable expectation of privacy as to what's on the inside of an envelope. So I think, from a constitutional perspective, it certainly makes sense even though, you know, the tone of this article and, I think, maybe for a lot of our listeners, is that's a little screwed up that you can obtain that information without getting a warrant. 

Dave Bittner: So help me understand here. You still need to go in front of a judge to activate a pen register? 

Ben Yelin: Yeah. You still have to go in front of a magistrate judge. But the, you know, standard is significantly lower than it is for any other type of surveillance that would involve... 

Dave Bittner: For a warrant? 

Ben Yelin: Right. For a warrant, which you would need... 

Dave Bittner: I see. 

Ben Yelin: ...If you were - if you wanted to peruse the content of one's communications. 

Dave Bittner: I see. I guess I'm wondering if the notion here is that you're - that part of the reason for having something like this is expediency. If I still have to stand in front of a judge, is that any faster than standing in front of a judge for a warrant? 

Ben Yelin: I don't necessarily - I mean, I think you can establish expediency just through the process. And I think our Justice Department has a good process where they can get these applications in front of magistrate judges pretty quickly. I think the bigger impediment to them is getting past the standard. So having probable cause that somebody is committing or has committed a crime when you're just at the early stages of an investigation is too high of a hurdle to climb for people who are involved in law enforcement. 

Dave Bittner: I see. 

Ben Yelin: If you're, you know, studying a drug smuggling operation, you might be at the very beginning stages, just trying to make connections of who the players are, you know, who's selling, who's dealing, what the routes are. You can't obtain that information unless you do some type of surveillance. And to do that - you know, to do that preliminary surveillance, you're not going to have enough information to have a warrant. You're not going to have enough information to show that somebody has committed or is about to commit a crime. So in that sense, you know, the fact that it's a lessened standard really does make it easier for law enforcement to do its job at the beginning of these investigations. 

Dave Bittner: I see. All right. Well, we will have a link to that story in the show notes. So please do check that out. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Ruston Miles. He is from a company called Bluefin. And our conversation was about compliance regulation in the payment security space. Here's my conversation with Ruston Miles. 

Ruston Miles: In the payments world, as you know, going back, oh, about 10 or 15 years, because the data, payment card data, is very easily monetized on the dark web by hackers, that particular industry had stood up early on to create its own self-regulation, if you will, compliance and security, namely, the - what came to be known eventually as the PCI Security Standards Council and so were doing that for quite some time and lots of technologies, lots of disruptive entrants, like my company and others, coming into that space in order to bring security. What happened, then, is that the hackers really started looking at other ways to monetize data for personal health information and also personally identifiable information. 

Ruston Miles: And so they started looking at not just - so these companies weren't just having to protect the payment card data; they needed to extend that. And then you had regulations over across the pond - GDPR, PSD2 and others in Europe - that were dropping very hefty fines, millions and millions and millions of dollars of fines, onto companies after a breach would happen if they had not followed, you know, reasonable security standards. And then you have CCPA, California Consumer Privacy Act, and then other states joining in, sort of doing the same thing here stateside, in the United States. And so what you have is you have two things. You've got compliance and security regulations happening within the industry coming from one end, and then you have regulation coming from the government and passing out fines when you get it wrong from the other end. And so you find folks in a bit of a scramble to solve for not just payments information but also for privacy regulations. 

Dave Bittner: You know, it's my perception - and please correct me if I'm mistaken here - that the U.S. has kind of lagged behind, say, Europe when it comes to the security of some of these payment options, you know, that they had, you know, chip and PIN before we did. It seems like we've lagged with some of the - I guess the technology solutions. Is that an accurate assessment from your point of view? 

Ruston Miles: So let me answer that by - with two parts. No. 1, the actual chip and PIN over there in Europe did not come as an innovation or - there for payment security; it actually was an innovation that came out early on because of the lack of really good telecommunications and networking. So what happens is, is you might be out in the middle of nowhere with very poor telecommunications, and you needed to authenticate that card while it was going into the machine without being able to go off and do a real-time look-up at a bank. So what happens is the chip would have the PIN in it on the card, and it would say, hey, put your PIN in, and it would self-authenticate against the card there. So that technology was not put in place for security so much as it was the fact they didn't have real-time telecom. 

Ruston Miles: Now, eventually, as we know, as time moved on, it has other benefits because the magstripe read that we depended on both there and here really started to be something that was easily reproducible. So there was a built-in benefit that came in down the line with that. In the United States, we did not put in a chip and PIN, and we took a long time to get to chip, as well. You know, we could have had the same security by just doing magstripe read and PIN. There really wasn't anything too great. Obviously, the chip has some advantages. But really, where the biggest benefit is coming up when you talk about these kinds of technologies is the fact that there's two factors. There's the card you have in your hand and the PIN you know in your mind. 

Ruston Miles: So a lot of the benefit happening over there is the fact that there are two factors of authentication. Over here, stateside, even now that we have chips, we still don't have that second factor of authentication, being the PIN that's required. So that means lost or stolen chip cards - someone can just pick up off the ground and go use it as if they would have used a swipe. So it really doesn't fix everything completely. Anything, even a magstripe read with a PIN, would be more secure in just the fact that, you know, in basic security fundamentals, there's two factors of authentication going on there. 

Ruston Miles: But to answer your question more broadly, we have taken more time - we're a very much larger market. We actually are - much more penetration of cards. You look into some areas, like Germany, where, like, there's only maybe two or - let's just say, under 10% penetration from Visa and MasterCard and some of these other brands. So we're heavily dependent on these card brands over here, and we're very wide and spread out - larger company - country, excuse me. And so there has been some slow to adoption. 

Ruston Miles: And I'd say that one of the other things that folks don't think about is that it takes a lot of energy and effort for all of these software vendors, hardware providers and sort of long chains of value in technology that's been growing very quickly over the last 20 years to go in and say, hey, everyone, in order to accept cards, we demand or we mandate that you do this. In other smaller markets - and also where, culturally, mandates are more - are traditionally more accepted of any kind, even just within the culture of the folks, you see in those markets that are smaller and are used to those kinds of things where the governments have just come in and mandated it. It would have been very difficult and probably slowed down the payments revolution here had we focused too much on a mandate. Obviously, there's a balance there, and probably ought to be looking a little bit at both, right? 

Dave Bittner: Yeah. Yeah, I mean, I think - you know, you mention culture. It still leaves me raising my eyebrows, you know, when I go out to eat at a restaurant and when we wrap up the meal and I hand my credit card to a stranger, who then walks away with it and takes it to another room. You know (laughter), I still, you know, sort of scratch my head and think, OK, we're still doing it this way. And, you know, on the one hand, I suppose it's good that, you know, the vast majority of time, nothing bad happens there. But the security side of me says, perhaps there's a better way to handle this. 

Ruston Miles: Yeah, it's true. And it is kind of - it - certainly, when you step back from it, it can look a little silly. One of the things here in - stateside, in the United States, is that we have a zero-liability policy for the cardholders, which means even if something should happen, they can charge it back, and the issuing bank or the - let's just say, the issuing bank or the merchant's acquiring bank - they'll fight over who gets the liability. Over in Europe anymore, they are starting to push, in certain cases, this liability on to the consumer, where you have no chargeback rights. So I think, as - if we start doing that here in the states, we'll see a strong consumer demand, let's just say, because we've taken away the zero liability rights for the consumers. But I have not heard much about anything heading in that direction for some time. 

Dave Bittner: What about, you know, these next-generation payment systems? I'm thinking of, you know, Apple Pay and Google Pay and, you know, these systems that are using - I suppose, is it enhanced tokenization that would be an accurate way to describe what's going on there? Where do they fit into the overall ecosystem? 

Ruston Miles: Yeah, great question. And it's really, I think, what is coming - we're going to see a lot of - more and more news over the next year, even incentives coming from the card brands in order to adopt what's called issuer tokens or network tokenization. And so these wallets - the Google Pay wallet, Android Pay wallet and other wallets like - from EMVCo's SRC, which we see MasterCard, Visa and others are rolling out - these do use issuer tokens. And really what's happened here is that we've seen - you know, so my company, Bluefin, we were the first to provide point-to-point encryption, PCI-validated or certified encryption, end-to-end encryption in the space. And what that really represented is a lot of merchants saying, hey, look; we don't want to be responsible for a breach. We don't want to be vulnerable or even have a compromise. Let's encrypt this stuff end to end. 

Ruston Miles: And so where you have a lot of enterprises doing that - and certainly it's been really great for our company - you have a lot of folks at the smaller end of the scale, these small businesses, who don't have any appreciation for security. And they're not going to pay extra for encryption. Their biggest risk might be going out of business, you know, rather than maybe having a breach, at least as they perceive it. And so what happens is, as there are large parts of the market that simply aren't minding security - and so the brands have taken up pushing network tokenization, which basically replaces the card in the wallet with sort of a virtual number - right? - or a token that then gets used, you know, for that or a few transactions or as many transactions as they deem fit before they sort of change the underlying connection in the token. 

Ruston Miles: So that - definitely, you're going to see a lot. We're going to see incentives from the card brands - financial incentives and other - in order to push that because I think - spent a lot of time over the last decade trying to push security down into the small and medium and micro merchants. And you can only get so far before someone just expects it to be secure by nature. And so there really - this is maybe even, say, 2.0 of what a card number should be, are these new issuer tokens. 

Dave Bittner: You mention that, you know, PCI compliance was sort of self-imposed by the industry itself. Does that seem to be the path that we're on that, in terms of the payment industry's relationship with regulators, that, you know, there's more collaboration than an adversarial relationship? What do you expect to see as we go forward? 

Ruston Miles: So the PCI Security Standards Council, which I'm also on the board of advisors, and as it turns out, on - as a - on the board of advisors, I actually represent a group called EPSM, European Payments and Service Providers for Merchants in Europe. So strangely enough, I'm actually a big - working with the board of advisors. But the point I wanted to make there is that the SSC, Security Standards Council, is a global organization spanning Europe, Asia, Latin America, Caribbean and south - that - basically the entire globe. And the executive committee members of that are the card brands Visa, MasterCard, American Express, you know, Discover, JCB, and I think China UnionPay is involved now as well. 

Ruston Miles: So you - they are the executive members of that council. But what the idea there is to have participating organizations like Bluefin and thousands of others that are participating in the creation of those standards. But, of course, you know, the brands are involved as well, card brands, in order to help, you know, push and govern and make sure that we as an industry are representing, you know, every different industry and every different country and every different card type that participates. 

Ruston Miles: So I think it's been a really good model. I mean, I've been very closely involved with it. It does go towards security. And we're seeing a lot of the regulation of things not focused on security, but rather focused on privacy. And there are some distinctions there. Really, largely, from my perspective, it means the regulations are not prescriptive. Like, here's how you have to do it. They say, oh, if you don't get it right, then here are the fines. So the regulations seem to be more focused on when things go bad, here's the stick. And we see, I think, from the Security Council, hey, here's - here are the standards, you know, not too prescriptive, but have to be somewhat prescriptive. And here are the ways that we would recognize the state of the art. And that's constantly changing. 

Ruston Miles: And so they have sort of the standard. The government regulators have sort of the stick. And then you have the brands, card brands, maybe providing incentives, providing the carrot, saying, hey, by the way, if you do these things, not only will it help with privacy and security, but it's going to lower your costs. Maybe the fees that you pay or the fines that you pay are different things like this. So I think right now, it is working. Our challenge is to figure out how to grow this model and these technologies outside of payments. 

Ruston Miles: We are in health care, just to give you a quick example there. Well, I've been in front of, you know, a few in my time, but it's interesting to hear, you know, the CISO say, gosh, you guys fixed 100% of 10% of my problem because the other 90% of my problem is PII and PHI and all this other data that's very scary if it gets out into the wild. And it's not like this credit card that can be, you know, renumbered. You can't really, like, renumber someone's biometric or their health care data. You know, there's very sensitive stuff there. So the goal here, and that's what we've been charged with these last two years, is extending that outside of payments. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: You know, I was kind of sad as, you know, an American exceptionalist, thinking we're the greatest country on Earth, that it took us a long time to catch up with our European rivals when it came to payment security. 

Dave Bittner: Yes. 

Ben Yelin: So, you know, it's just interesting how that's happened and how it's evolved. And I think I'm - what strikes me is we're still sort of behind in making sure that these payments are secure. And that's dangerous. I mean, a lot of what happens in terms of rectifying these problems happens after there has already been a security incident, meaning somebody has already used our credit card somewhere, and we can cancel that payment and work with our financial institution. But yeah, I mean, it's a little concerning that we haven't caught up with the rest of the world in terms of the most robust security measures. 

Dave Bittner: Yeah, absolutely. I still scratch my head that, you know, you go out to a restaurant, give a stranger your credit card. They take it to another room (laughter) to process it. You know, our European friends seem to have this much better figured out. They bring a little, you know, a little portable device out to the table and it all gets done right there. Seems to me that, in these days, that's a much more secure way to handle it. 

Ben Yelin: Sure. And having two factors of authentication. So chip and PIN, great. You know, the PIN is - the chip is the fancy computer thing. The PIN is the content of your own mind. Meld those two together, it's like chocolate and peanut butter. You know, it's a beautiful Reese's. Just having the chip is kind of just the peanut butter. You need that chocolate to make it extra secure, extra delicious. And, you know, without having that second factor, we are making ourselves more vulnerable because anybody could just steal a chip card and put it into a machine and charge it, get whatever you're trying to purchase. So, yeah, I mean, it's certainly striking. 

Dave Bittner: Now I want to snack. All right. 

(LAUGHTER) 

Dave Bittner: Well, our thanks to Ruston Miles from Bluefin for joining us. We do appreciate him taking the time to share his expertise. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.