The Y2K Bug Was in the Channel

My lovely bride of 22 years was part of her company’s “Y2K Survival Team.” She went into work at 11 p.m. on the 31st. They gave her a “survival kit” complete with a water bottle, a T-shirt, and some peanut butter candy. Everyone laughed, and life went on.

But it turns out there is a serious Y2K problem, still, and it originates from the same outfit, Cybercash’s ICVerify unit, recently victimized by a cracker-embezzler who tried to post 300,000 credit card numbers online.

The problem lies in those terminals merchants use to process credit card transactions, and how they got them. It’s estimated that some 6,000 stores are impacted.

Let’s go back over this to see what we can learn.

ICVerify sells its software to hundreds of banks, card processors, and value-added resellers who then push solutions to merchants. The solutions usually come in the form of a piece of hardware next to the cash register.

You’ve seen it – there’s a slot to swipe the card through, a keypad in which to input the merchant number, maybe a printer to create a receipt. (If there’s no printer, the merchant has to create a carbon paper form for the receipt.) These things have been around for years, and while most of them are Y2K compliant, some of the older versions of the software are not.

While Cybercash has been putting out the story that merchants are to blame for their own problems because they didn’t change their terminals (and some in the media have bought that story), this is, to a large extent, bunk.

Understand this from the merchant’s point of view. You’ve got a terminal, you trust the bank or re-seller who put it there, and they haven’t told you about this Y2K problem, so how can this be your fault? Maybe you haven’t heard for years from the re-seller who put this thing in, maybe they went out of business – how can you be blamed for that?

You probably didn’t know credit card processing went through channels, did you? Well, it does. Some of these re-sellers are selling plain vanilla solutions based on their ability to pound pavement. Some are selling custom solutions for specific industries, like restaurants or hardware stores. Some work directly for credit card companies, like Discover; others work for card processors, like Nabanco; and still others simply fulfill orders for banks, like Wachovia.

I suspect the real problem is that the re-sellers didn’t check version numbers of what went into their firmware. It may be that some re-sellers, more interested in sales than service, didn’t know or didn’t care about the version numbers, and there was no way for ICVerify to follow up because they’d sold to the channel, not the merchant. It may even be that some re-sellers went belly-up, and the processors went merrily on because if it ain’t broke, why pay for a service call.

This is the kind of boo-boo all the Y2K hullabaloo was designed to prevent. But it also illustrates what happens when software goes into hardware, and hardware then goes through channels. The fact is channels dry up, and when they do, customers get left high and dry.

This could have been a lot worse, especially given the fact that the last Congress gave us strict limits on Y2K liability, so there’s little the victims can get here in the way of satisfaction.

It’s not enough to say Cybercash should have had a bunch of terminals ready for this emergency, because each terminal needs some custom programming if it’s going to be a true replacement. The real question is whether, if you do sell through channels, you have the tracking of final sales that will let you take responsibility for your customers later on. That’s a Clue we can all use.

Related reading