Why Chip Cards Can’t Stop Data Breaches, Ruston Miles Explains

How to Stop Payment Fraud with Encryption – Ruston Miles

Episode Overview

Episode Topic:

Ruston Miles of Bluefin joins PayPod to unravel the real story behind payment data security. From debunking myths around chip card protection to highlighting the need for encryption at the point of interaction, Ruston shares critical insights into why businesses must adopt P2P encryption and tokenization to stay ahead of evolving threats.

Lessons You’ll Learn:

How to distinguish fraud prevention from data security, the necessity of protecting data at the entry point, why chips don’t equal encryption, and how upcoming technologies like quantum computing and AI are reshaping the threat landscape.

About Our Guest:

Ruston Miles is the Founder and Chief Strategy Officer at Bluefin, a payment security company that pioneered PCI-validated point-to-point encryption. With decades of experience in cybersecurity, Ruston has been instrumental in setting encryption standards adopted by Visa, Mastercard, and global universities. He’s also a strong advocate for tokenization, quantum-resistant encryption, and secure digital wallets.

Topics Covered:

  • The difference between fraud and data breaches
  • How P2P encryption protects data before it can be stolen
  • Why EMV chips give a false sense of security
  • Storing tokens instead of real card numbers
  • Security challenges in higher education and enterprise
  • Quantum computing’s potential threat to public key encryption

Our Guest: Ruston Miles

Ruston Miles is a cybersecurity visionary and the Founder of Bluefin, a leader in PCI-validated point-to-point encryption (P2PE). For over 15 years, Ruston has championed security at the point of interaction, advocating encryption at the hardware level and tokenization for stored data.

A member of the PCI Council’s Board of Advisors, Ruston has helped shape the standards used by payment providers and institutions worldwide. His thought leadership has driven adoption across 400+ universities, major retailers, and Fortune 500 brands. Ruston is currently focused on preparing for emerging threats like AI-based phishing and quantum decryption by evolving encryption practices that stay one step ahead.


Episode Transcript

Ruston Miles: The chip. Data can’t be stolen. Not true. Actually, the card number on the chip itself is not encrypted. So even a chip going back into the system, if it’s not using P2P, is going back to the system, probably being hacked again and then sold back out and being used for e-commerce fraud or mobile fraud. So really you got to look at these technologies and what they can do versus fraud versus security. And while one is important, it’s important in its lane. And so I really think all three technologies are important. I’m not here to say we shouldn’t do chips. I mean, absolutely, we should have chips and cards. It’s a no brainer.

Kevin Rosenquist: Hey there and welcome to PayPod, where we bring you conversations with the trailblazers shaping the future of payments and fintech. My name is Kevin Rosenquist. Thanks for being here. We usually think of cybersecurity as something that kicks in after data moves across networks or hits the cloud. But what if the real danger lies at the very beginning? Today I’m chatting with a company that’s changing how we think about payment security. Ruston explains how encrypting payment data at the point of entry, right when you tap, swipe, or type, can prevent breaches before they even begin. We dive into the mechanics of point to point encryption, the role of tokenization in securing stored data, and why even the most advanced chip cards aren’t enough without true encryption. It’s a really, really interesting episode for anybody who owns any sort of device, which is, of course, all of us. So please welcome Ruston Miles. We often think of cybersecurity as a back end problem, but Bluefin argues the real risk happens at the front door. Can you explain why that first moment of capturing data is so critical?

Ruston Miles: The payments ecosystem is vast and sprawling and worldwide, and it depends on how you’re looking at it. From the consumer perspective, you’re going into a business, you’re going into a website. You’re working with an app and you’re presenting sensitive details, could be your cardholder data, could be your personally identifiable information, your health information, etc. But in many, you’re making a transaction and that transaction has certain sensitive details. And so it’s important for us to protect it right at the front door. Right. And to encrypt that really inside of the hardware. A lot of times when you see folks talk about end to end encryption, which we can talk a little bit about the difference between that and point to point encryption later. But, you know, they’ll say, yeah, let’s get that data in and encrypt it in software, but hey, it’s too late because guess who else is in software? Guess who else is in the RAM? Guess who else is living inside of that app? Or an app right next to it? Probably the bad guys, right? So it is important right inside of where the chip hits the firmware or, your finger touches the keypad or the NFC radio taps inside of the firmware of that even before it gets to applications. Gotta be encrypted. Otherwise, you know, your application gets the same access that the bad guys get. So that’s really, kind of a fundamental change that we were really pioneers on and saying that’s, you know, that point of interaction that POI needs to be secured at the firmware level.

Kevin Rosenquist: Yeah, that’s interesting because I don’t think anybody would, you know, the average person would ever consider that that were you tapping on your phone and it needs to be encrypted right from there. Do you like it? It’s more like we always think about it as when, okay, when we shoot our data out into the cloud or into the ether, you know, wherever, you know, wherever we send it, that’s the point where it needs to be encrypted. But you’re saying, like, right off the bat.

Ruston Miles: Off the bat, the largest breaches in history are maybe not the largest, the most high profile ones if you go back and not to pick on them. But it’s been a long time, so I guess everything’s okay now, but like when you look at the Target breach, right. That wasn’t in the cloud. That was an HVAC vendor of theirs left the back hole in where bad guys put malware in and sat there and listened on the network. Had that data been encrypted in firmware, in the hardware before it even got to local networks, then the breach would have never happened. So it is absolutely vital, important through all stages. And again, that LAN or that local area network inside of a supermarket. Of course we wanted to protect before it gets there even out to the cloud. But really they’ve gotten more sophisticated in putting their apps and software inside of devices, inside of the computers, you know, that are not just next to it on the network. So that’s a point to point encryption is table stakes now?

Kevin Rosenquist: Yeah, I wanted to move on to that. Actually. If we could talk about how P2P really works, for those unfamiliar, can you kind of walk us through it and in everyday terms?

Ruston Miles: Sure. Yeah. So P2P, point to point encryption, you got to kind of think about it as an engineer from a nerdy perspective. Well, end to end encryption, wouldn’t you want that? But yeah, but end to end are vague terms. Where is the end? When is the transaction ever done? You know, it flows all the way through to the gateway to a processor, to a bank, to an issuer, to another bank. Back to this, to the consumer. Does it ever really end? And then it’s reported online somewhere and you go see. Okay. So really all we can secure is between two points, point to point.

Kevin Rosenquist: That’s a good point but didn’t mean to say it like that. That’s a good point.

Ruston Miles: That’s a good point. So in other words, point to point encryption is a standard that says, okay, I don’t care where you call the start and end, but between these two points it’s gosh darn secure. Right. And so we’re going to inject billions of encryption keys. And these are symmetric encryption keys into each device. So every time it’s tapped, dipped, swiped, you know, typed, however it in the card data goes in. It’s encrypted with a one time unique use. You know, a DUKPT, you know, a high level encryption symmetric key. And so, and so that’s where that confidence is. And really when you look at it, you might say, well, gosh, aren’t there like, uh, PKI, you know, public key encryption, or you might watch Prime Target, you know, on, on, on, on Apple TV and be like, oh, wow, I understand, I understand asymmetric or RSA encryption now from watching this fun series. Always.

Kevin Rosenquist: The best way to get your, get your, your education from, from, you know, from dramas on TV.

Ruston Miles: Exactly. Well, it can at least spark the interest that you. That’s true.

Kevin Rosenquist: That’s true. Yeah. I mean, I know a lot of people that Mr. Robot did that for, like, they were like. Yeah, this is interesting, you know? So. Yeah. For sure.

Ruston Miles: Exactly, exactly. So, so, yeah. So that’s an important technology. And we use it in our browser HTTPS and SSL and TLS. Like every day we’re using this asymmetric RSA. It’s also called public key cryptography or you know public private key. We’re using that all the time. But what’s the problem with that is it’s susceptible to things like quantum. It’s susceptible to other attacks. It’s really good at telling you know, Kevin Rust and sending And Kevin Data and only Kevin can read my data. It’s really good about that because it’s asymmetric in that way. But what we really ought to be doing is with the individual data that’s flowing through these, quote, secure tunnels, we should be encrypting each anything that’s sensitive, even inside of the encrypted tunnels. That way, any of the ISPs, internet service providers or anybody in between those networks that have access and visibility, are also not able to get at the data. So point to point encryption really takes the sensitive bits. You can imagine. You know, credit card data is really small, you know, 16 digits, for example. And so this is a highly sensitive, very small piece of data. And so and so what we do with point to point encryption is we encrypt that, at the point of interaction.

Ruston Miles: So even as it’s flowing over other secure encrypted networks, that data packet, that data element itself is uniquely secured, end to end or point to point. And so really what P2P is is a standard that Visa, Mastercard, Visa, Mastercard, American Express, Discover, and name them all have come together to create the PCI Payment Card Industry Security Standards Council. And so that’s been there for a decade or more. My company, Bluefin, is on the board of advisors for that. And they created a standard. And so those standards are what the whole industry has to use. And so there is an encryption standard. And that standard, instead of calling it end to end, they called it P2P because as I said, it needs to be the standard for those two things. And really, when you look at it without a standard, you have no confidence. For example, you look at Underwriters Laboratories, UW, right, or UL, I mean, you know, you buy a lock at, at Walmart or Target and, and it’s got you turn it over and it’s like, you know, UL certified lock. It’s basically this combination lock that has been created against the standard for locks so that, you know, when you buy it, you know, it’s not just going to fall apart in the rain or, you know, have some easy way to get into it.

Ruston Miles: Well, it’s the same way that there exist standards for encryption. So when you see, when you hear of a lot of companies and this was much more prolific before Bluefin really started pushing this out there, most companies were using end to end encryption, but there was no standard around it. And so really you got as good as what the vendor gave you. You really didn’t know what you were getting even when you bought it. And so we’ve spent the last I spent the last 10 or 15 years of my life, you know, pushing forward that standard, getting it adopted. And you’ve really seen major profile breaches fall off a cliff. And, when it comes to credit card payments and you’ve seen universities and large, large folks. Now, are breaches still happening? Sure. But it’s not payment breaches so often now it’s more PII, personal data, health data and other things. Right. But payments data, you know, the industry is taking it seriously. And so that’s really what P2P is. It’s it’s end to end encryption standard. But it’s also encrypting specific, sensitive pieces of data inside of the stream versus, you know, other kinds of regularly available encryption schemes. I hope that answered it. There’s a lot there.

Kevin Rosenquist: No, no, that that that is that makes a lot of sense. You put it into terms that my brain can understand and that’s always impressive. But so another thing I wanted to talk about is tokenization, because that’s another thing that you guys do. And it’s sort of like using a fake key instead of the real one. Right. Can you kind of explain how that protects?

Ruston Miles: So yeah. So I always call it the one two punch of data security. And that’s encryption and tokenization. So encryption is wonderful because we talked about data in motion right at that point of interaction where you where the data comes in, you swipe, tap, tip, tap, dip or type the data. And it’s encrypted right there. And while it’s in motion through the network, it’s protected. It’s devalued. Right. Nobody if anybody gets it, they can’t do anything with it. But eventually that data stops moving and somebody wants to store that data for card on file for recurring billing for, you know, you go to Amazon and you don’t have to put your data in or use your Google Pay. You don’t have to push your card again. Yeah, somebody eventually wants to store this darn thing. Well, you store a token. So that token is a reference to the data. It’s not the data itself. Kind of like when you go to play at the, you know, a game at the arcade and they give you tokens instead of quarters, right? Well, those tokens are valuable. They represent money, but they don’t. But they’re not really the money.

Kevin Rosenquist: Right? Yeah yeah yeah.

Ruston Miles: Yeah.

Kevin Rosenquist: You can’t, you can’t go, spend it somewhere else.

Ruston Miles: Can’t go spend it somewhere else. Right. That’s exactly the point. So that token is that way. It only has use between the payment provider and that merchant, that retailer or that website. But if the bad guys go stole the tokens, they just have a bunch of data that’s useless to them. And so that’s really the difference. So really data in motion, data at rest, encryption and tokenization. So for a very long time, you know, we were focused on encryption because that was where the, you know, the innovation was being made. And, really, tokenization has become more and more important, at least innovations in the space. We’ve had tokens going back to 2002. We just didn’t call it that. Because, you know, that was a newer term that came along the way. But we were doing referenced data like that way back as long as that ago. But now you’re seeing a lot more of these things as we come into omnichannel or what they call now payments, orchestration, these kinds of things you see in the tokens and tokenization, become an area for innovation. And when I say innovation, like, you know, taking a simple concept and adding other value to it, making it easier to use, doing, disrupting certain things with it. So tokenization and encryption, really, you can’t go, you can’t go to the security supermarket and say, well, I just want to use one of these. You kind of have to use both of them. In my opinion, if you want holistic security.

Kevin Rosenquist: And with tools like this available, there’s still a lot of organizations out there putting themselves at risk the way they store their data. It feels like it’s taking people, especially the larger companies, time to catch up to this. Is that a fair assessment?

Ruston Miles: It has, and it did. There were some other innovations that came out over the last decade and a half, which kind of stole the thunder from the two things that I. As you can see in here, I’m highly passionate about as the answer, and I’m not leaving a lot of room for a lot of other answers, only because I’ve been doing this for so long, and speaking about this for so long, that I haven’t really found too many other answers other than encryption and tokenization. But what what came out like right after the big breaches started to happen around that 2013 time frame, you started to see the chips, the cards with the chips in them, right? Show up. And so from the consumer perspective, like, okay, I’m going to now have this feeling of comfort because my interaction has changed. There’s something I can see here. This is a more secure thing, which is not true. All of what.

Kevin Rosenquist: We were led to believe.

Ruston Miles: That’s what we were led to believe. And I’m not going to point fingers anywhere, but it stole the thunder. And really, you have to dial that back and look at, well, what is it good for? Because it sure is good for something. And so we have to come. We have to split data security from fraud. So they’re both bad, but they’re both very different. And even the people that conduct these probably look different and act different than others. So you got data security and fraud. And so, for example, data security has gone out of the back door of the company. In other words, like you’re breaching and you’re losing data and your hackers are out there getting the data. They go to the dark market, black market, you know, the dark economy, if you will. And then they go and sell that to fraudsters. Well, fraudsters then go and create credit cards or go to a website. They’re buying that data, buying that card card numbers and they’re using it to conduct fraud. So there’s really two sides to the market and one feeds the other. And so our technology is stopping data from being breached that will ultimately end up being sold to fraudsters. Chips chip technologies which are called EMV chips. Those are to stop fraud from coming in. So someone creates a fake plastic card with a magnetic stripe and they come in to use it at your business. You can’t. They can’t if they really can’t recreate that chip on the card.

Ruston Miles: So it stops one kind of fraud, which is, you know, retail chip card present fraud. And that’s great. But that still doesn’t stop the breach from happening. And that same card data can then be used over on websites, even if it can’t be used for a card. And here’s the other dirty little secret. So you’re like, well, at least the chip data can’t be stolen. Not true. Actually, the card number on the chip itself is not encrypted. So even a chip going back into the system if it’s not using P2P is going back to the system, probably being hacked again, and then sold back out and being used for e-commerce fraud or mobile fraud. So really you got to look at these technologies and what they can do versus fraud versus security. And while one is important, it’s important in its lane. And so I really think all three technologies are important. I’m not here to say we shouldn’t do chips. I mean, absolutely, we should have chips and cards. It’s a no brainer. But it really took the thunder away from a lot of companies investing. You know, what am I going to spend over here on security to stop breaches for me. And we took like a five year detour around protecting fraud and not security. And folks still had breaches the whole time. So that’s kind of the way I think about it.

Kevin Rosenquist: Are you more secure with Google Pay or Apple Pay?

Ruston Miles: So Google Pay and Apple Pay are wallets, right. And so that’s great because now you’re sitting here, I’m the user, I can sit there and drive and I shouldn’t be on my phone, but with my thumb, I can check out of a website by just doing this about 5 or 6 times right. Yes yes yes yes yes yes yes. The t-shirts on the way. That’s awesome. I don’t have to enter my card data. I don’t have to trust this website that I don’t really do business with very often. I might do business with Amazon all the time, but I don’t do business with, you know, Rusty’s t-shirts all the time. And I’m not sure I want to give him my credit card. Oh, but I’ll use my Paypod or my Google Pay wallet, or my saying some wallet or my. Okay. That’s great. So it has a positive effect on reducing friction. It is more secure. It doesn’t leave security into the hands of a t shirt creator’s website. You know.

Kevin Rosenquist: Rusty’s t-shirts.

Ruston Miles: Rusty’s t-shirts. So it’s really it really is. It really is a great technology. And it has its place. Absolutely. And of course, as we know, you can tap with it, too. It’s really based on tokenization, at the end of the day, so and so and.

Kevin Rosenquist: So and so the tap part is that tap part better than a more secure than a card tap.

Ruston Miles: Well, the thing is, when you tap that cell phone onto the device, a credit card machine at the retailer. That credit card machine doesn’t know you tapped it with a cell phone. It just heard an NFC hit. It could have been a card. It could have been a cell phone. So it’s the same communication that it’s receiving. And so if it’s done right with Bluefin’s and other people’s P2P technologies, it’s going to encrypt that chip dip in the same way it would have encrypted a tap or a dip from a chip. So it’s still using P2P to protect that. Really, all the phone has done is become either a digital wallet for you on a website or a I can’t call it a physical wallet, but a wallet that’s virtually holding the chip in your card for a tap.

Ruston Miles: So that’s really what’s going on there. And so they kind of it all still works together. They don’t really replace each other.

Kevin Rosenquist: Right, right.

Ruston Miles: But to answer your question, if you’re asking me as a, you know as is it more secure. I mean, I like it more than a card because a card is plastic and static and can and you know. And even if the card gets stolen. Stolen. The card doesn’t have a face ID with me, right? You know, my phone does. So it’s. Actually, yes. To answer your question, yes, it is more secure. I totally believe that’s true. Because it’s a dynamic living cell phone versus a static card.

Kevin Rosenquist: Yeah. I’ve recently started using Google Pay more. And, uh. And I was wondering about that. I was like, am I being more secure? Am I less secure? But it sounds like it is more secure when you tap your phone over a card, which is.

Ruston Miles: Somebody steals your card. In this country, I don’t know, country you’re in right now.

Kevin Rosenquist: I think we’re in the same country, the US.

Ruston Miles: Okay, good. Yeah. In the US specifically, when you, when you have a chip card, there’s no PIN required. So if someone steals the card out of your wallet or you leave it out, they can go up somewheres and they can tap or put it in.

Kevin Rosenquist: Absolutely.

Ruston Miles: So, so really in other countries they require, you know, chip and PIN: what you know, your PIN, and what you have, your card. In this country, we didn’t go that way. So because of that specific thing here in the US, in my opinion, cell phones are vastly more secure because your phone is authenticating with you either using Https or face or thumb or biometrics, whatever you’re going to do.

Kevin Rosenquist: A lot of people pay attention. You know, a lot of attention is paid to, you know, lawsuits, fines, those kind of things when it comes to a data breach. What are some of the long term trust issues that companies face when they really get hit?

Ruston Miles: Yeah. Well that’s a rainbow of the impact or you want to call it a histogram or whatever. So like if you’re DSW shoes and this might even be a bad example, but it’s okay. You know they got a big breach, right? Long, long time ago. And when I go to DSW shoes to buy some new loafers, I’m usually going because there was a sale, you know, back then in the paper now in an email, whatever it might be. And so like, my loyalty to that brand is my own loyalty to savings for myself. Right. So if they have a breach, I’m likely going to forget about it because there’s so many other breaches going on. Now, if my university or the University of Tulsa here has a breach, that’s loyalty. I’m upset. You know, there’s a lot you know, and they can’t just go change their name. They can’t just, like, come out with a better sale. It’s true. Like, you know, so there’s a breach of trust there. Also, universities have a much, much larger attack vector because it’s tuition, it’s ticketing, it’s gyms, it’s daycare, it’s parking, it’s retail, it’s food services. It’s this whole little city, right? It’s a lot bigger things that can go wrong. So you have certain areas. And by the way, we have 441 universities that Bluefin supports. Many of the ones that, you know, we all probably went to or know about, because it’s become such a standard within those folks that you just have to do it this way.

Ruston Miles: So those kinds of areas have much, much more impact. And by the way, those folks also often have healthcare like, you know. You know, University of California, UC health. I mean, so, so there’s a. Vastly much more personal data, health data and payments data that can be attacked. And they were getting hit real hard with lots of breaches. Lots of universities were getting hit. And so, you know, there’s a reason why that whole group kind of turned en masse towards point to point encryption. Also, you have people that work at those organizations that are there for a lifetime and care about their jobs and their people, and also tend to be a little bit more, focused on, educating themselves or, or thinking about things versus somebody that’s in for a job and out for a job, that kind of thing. And so really, really higher education was awesome because it allowed Bluefin to create all these partnerships with all the different vendors that serve those ecosystems and those little metropolitan areas. Is in order to, to really, to really protect that which then made us sort of a natural case. And then from there you really went on to brands and I can’t, I can’t name some of these because we’re part of their security posture. Of course, it’s like one of the few areas in business where you can get really excited about your clients, but you can’t talk about them. But like.

Kevin Rosenquist: I.

Ruston Miles: Think about, like, you know, like, you know, one of the top four airlines in the world or the number one rental car agency in the world that has 50,000 devices globally. You know, these are companies that care about your bags and your dogs and they care about you. And some of them are family owned companies, even though they’re 20, $30 billion companies. And so those folks that had large legacy kinds of companies really then were the next big adopters of this because they wanted loyal, fanatical. They had loyal, fanatical customers that they wanted to keep and not to breach that loyalty as well. And then it kind of just went on from there. And then you have other organizations and companies that just have to do it because everyone else is doing it. And when it comes to fines and breaches, obviously there’s, there’s fines that come, you know, from, from groups like industry groups like maybe a Visa or Mastercard or something like that, that happen post-breach. But what we’re starting to see more as we go to privacy, definitely with GDPR. And we’ve already seen some big cases with privacy regulators here domestically, that are those fines are far ranging and they’re not based. And also, by the way, the whole suit is not based against a standard. So much like for Visa and Mastercard. Did you use P2P? That was our standard. Were you PCI compliant?

Ruston Miles: That’s our standard. You weren’t. Here’s your fine right. It’s not over-prescriptive, but it’s prescriptive to a certain degree when it comes to these government things. They kind of look around and be like, you know, well in your industry, what was the state of the art? What was the lowest common? What should you have been doing that was reasonable for a security individual in this hotel group, in this chain. Based on costs and other factors. And so if you’re not keeping up with your cohort, that’s negligence. And now that fine is going to be punitive for that negligence. And so really it became more about folks keeping up in privacy. All these privacy regulations have been really pushing folks towards security, and, and to keeping up. So I have to say it’s gotten better. Could it get better? Well, absolutely. We don’t have every customer in the world. But we’re not the only folks that do this, by the way. Of course. But, you know, I have to say, the tide has turned now, where if we’re sitting in front of a large organization that doesn’t have PCI validated P2P, they almost have to explain to us why they don’t, not us, why they should. So okay. Yeah, that’s a dynamic change. That’s a.

Ruston Miles: And there are reasons why some of them don’t like let’s imagine you’re on a plane. So these devices are tamper evident. Like if you try to break into it, it knows if it’s unplugged from the wall, it has to have a lifetime battery in it so it can know I’m trying to be broken into because someone’s trying to insert hardware and software into me, so they have to be like, alive all the time. Yeah. You know, for ten years, even if unplugged. Well, think about that. If you’re in a dynamic environment and it’s part of the uniform is what they call it for a flight attendant and they drop the thing. Well, you can’t have these devices constantly bricking, you know, for tamper resistance. So there are certain industries where it’s like, okay, the standard is this: what do we have to do? Okay. All airlines, you know. Okay, fine. But also this device is monitored by a human because it lives and it goes home with the flight attendant. Right. Well, that’s an added benefit. Other devices stay at work when people go home. Right. So there’s that’s where you kind of get into this and figure out okay within your vertical airline transportation here is where this is where this needs to be. And that way if something happens, you know, a regulator will look at this and be like, okay, you were not grossly negligent. And your security even though. So I think that’s kind of the way it’s shifted in working.

Kevin Rosenquist: I don’t know, is total security, total payment security possible or is it always going to be sort of a cat and mouse game between the defenders and attackers? Because it seems like that’s what we’ve seen thus far.

Ruston Miles: Put it this way. If someone rolled up a tank in front of your business and pointed it at you and your employees and said, come out with your credit cards, you come out with the credit cards to save their lives. Okay.

Kevin Rosenquist: Unless I have a bigger tank, which.

Ruston Miles: Unless you had a bigger tank.

Kevin Rosenquist: Which I don’t.

Ruston Miles: Which I don’t, but you know what I’m saying. So there is a certain level that you are that you should only be required as a business person and a business to invest in security. You’re not the NSA. You are not, you know. So we have to have reasonable expectations of what this is. And also, by the way, it’s a responsibility, in my opinion, of the schemes or as we call them in this country, the brands Visa and Mastercard, etc., to secure their own systems enough so that they don’t put businesses into an impossible to win scenario and then point the finger at them and say, oh, you’re breaching. It’s like, well, that’s not fair either. You need to take care of the system that we’re adopting. Yep. So you’ve got some responsibility in this game too. So to answer, I don’t think we can ever get to a total, because state actors are pretty darn, pretty darn awesome. And quantum is happening and AI is happening. So it’s like it’s so to that level, technology has to come up to, to, to offer a reasonable offset, because what we’re ultimately trying to do is make it more costly for the bad guy to hack our data.

Ruston Miles: So that there’s no economic incentive for them to go off and spend that amount of energy to get that one card and then go sell it for 40 bucks. Well, they have other areas that they can use their technology worth more than $40 for the 16 digit string of numbers. So that, so you’re trying to economically de-incentivize things. I’m kind of going around to say, I think that triple A is triple triple, you know, derived unique key per transaction AES 256, you know, in conjunction with tokenization, maybe going over, over a, a properly secured asymmetric channel. These are sufficiently secure and it’s part of the brand. So as you said, as I said, our company is on the PCI board of advisors, and we’re out there as an industry looking at, you know, what are the new ciphers and encryption methodologies that are going to be impacted by quantum? How do we do that? Because we have to be a step ahead. We’re never going to be able to fully find, you know, zero zero loss, 100% total security. But we always have to keep that, that economic incentive balance in mind. And so that’s really what we do a lot on the technology advisory board and these other groups is to look at, how do we stay ahead of the hackers in a way, to, to work that.

Ruston Miles: However, having said that, I think if you take what I talked about from a security perspective and then you do things, you know, like, a more mobile, mobile authenticated situation that’s got, you know, a mixture of in an optional mixture of thumb or face or OTP, because that really messes with hackers, too, right? Where it’s like, or fraudsters really that, you know, on my cell phone, I might be okay with face and you might not want a thumb. Well, they don’t know which permutation of different factors you chose to lock your phone. Right, right. And so that in itself has and then put that over millions of people. That really messes with the fraudsters and then the data security. So I think both of those things together make for the system to be robust. I wish I could say yes, total security is possible, but, there’s some pretty darn big, international bad actors out there that have all the computing power in the world, more than we probably know.

Kevin Rosenquist: Well, it’s also, I think what you said was really interesting. I never thought of it like that of making it economically unfeasible or not incentivized because we always think of data security and all that as we’ll stop the bad guys, we got to stop them, stop them. They can’t get in. This is an impenetrable wall. But maybe it doesn’t have to be impenetrable, but it could be really freaking hard to get into and cost a lot of money and a lot of manpower. And what’s it worth to you? And that’s an interesting thought.

Ruston Miles: So, so, so what will happen there is that you’ll still have breaches from some bad state actor, but it’s for a different reason. They’re doing it to embarrass capitalism, or they’re doing it to embarrass America or some country. They’re really not in there to do it. Like perhaps other folks are in there to get data and sell the data.

Kevin Rosenquist: And make money.

Ruston Miles: And make money. So, so, so you still have a, still have a and by the way, those are far and few in between. And why is, you know, some bad state actor going to go after Rusty’s t-shirts? You know, they’re not right to embarrass me and embarrass capitalism. And these are real things that happen, right? I’m not making this up. So, that’s so that’s kind of where it is, in, in that spectrum. But, you, you’ve seen, you’ve seen, payments breaches really kind of fell off a cliff over the last half decade as with the adoption, I think it’s directly attributable to the, to the adoption of these technologies because they’ve gotten smarter and their computers have gotten better. So if they’re doing a worse job, something else is stopping them. That’s true.

Kevin Rosenquist: That’s true. Yeah. It’s not like they’re not using the technology that’s coming out. But there’s something that’s keeping them at bay. Correct. You mentioned quantum computing and I, I kind of finished out our discussion. What do you see on the horizon? I mean, I feel like there’s some people who think quantum computing is right around the corner. Some people think that it’s a ways away. Obviously AI is here, you know, biometric authentication. What new challenges do you see on the horizon?

Ruston Miles: Well, it’s you know, your audience can go look it up. Quantum is much worse against asymmetric encryption methodologies. And what that means is RSA public key cryptography, which by the way is what’s in your browser, HTTPS, SSL. Most of the things that we use right now on a day to day basis have that kind of encryption involved. And quantum is like a killer for that. Okay. So that’s, so it’s important, for us to be looking at and investing. And it’s a good thing that the payments world is really using symmetric encryption and key rotation, things like derived unique key per transaction as I call it, duck put and these other things. So my point being, we know quantum is coming and so we’re moving our payments security more towards something that can fight it better, and we can get into the why of cracking encryption and all that and why quantum is better at it, etc. From the prime target thing, you know, you can chase primes and you can get there. So you know, so if you’ve got quantum you can chase those primes faster and you can break any kind of, any kind of encryption that’s based on primes like this. So that’s that, that’s a reality, I think, you know, when, when and where, will quantum computing get cost effective enough to be used to crack card data? That’s an economic disincentive right now because it’s so dang expensive. It is maybe only bad state actors can afford that and maybe even be putting into that. And are they going to point that weapon at, you know, Rusty’s t-shirts, credit card numbers? I don’t think so.

Ruston Miles: Like they’re going to point that at larger things, you know, governments, governments, you know, get the specs on the new F-47 that we’re trying to put out. Right. You know, things like this. So I think that that’s more reality there. AI, I think, is something that we need to pay attention to more from its ability to mimic human interactions. And so this really goes towards fraud, fraud and also phishing. I would even say phishing is a way because phishing is, you know, a way to get that angle in against which you get the malware in and then you get the data from the breach. So really, phishing is a way to get around a human to let you into their network. And then you can crack the data. So I’m seeing it. I’m seeing it as attack vectors along the lines of all kinds of phishing and other fraud things. Right now, I’m sure it will be used for much, far worse things in the future. But right now, in the immediate future, you know, future, I think that that’s where, where it will be. We’ll see it being used more and more. And, that really has more to be helpful with companies. Excuse me. You know, in order to address that, companies should be looking at multifactor authentication, for, you know, anything mid-level and higher. It should just become a part of our everyday life. I know we don’t all like chasing around SMSes and one time passwords and all that word.

Kevin Rosenquist: No one wants to hear friction. You know, that’s friction.

Ruston Miles: So we need to do a better job as an industry to making. When I sit down at my computer and thumb in, well, that was a biological thumbprint into my ThinkPad here, you know. Okay, well, look at that. What? Why isn’t that being why isn’t that being used with my website, with my access to the back office and my accounting and all my other things? Why is it just being used to help me authenticate to my laptop? Right. So there’s more frictionless technologies that we can get to that we already have that just haven’t been wired up in the right way to make it a frictionless human experience. And so I think we need to do that more. So all.

Kevin Rosenquist: Right. Well, Ruston Miles with Bluefin. Thanks so much for being here. Really appreciate all the insight on cybersecurity and technology and everything that you guys do. It’s really interesting stuff. And I thank you for your time.