There’s a simple way to end the theft of millions of credit card numbers from merchants like Target or Home Depot: Stop giving merchants credit card numbers in the first place. One way to do that is to replace credit card account numbers with “token” data that merely represents the numbers — useful to the merchant, but useless to the criminals. It’s a concept called tokenization, and ready or not, it’s coming. I explored tokenization in a recent post on CNBC.com. An excerpt, stressing the surprising challenges of the seemingly simple idea, is below. You can read the entire story at CNBC.com.
Independent security researcher Harri Hursti said past attempts at tokenization have encountered exceptions that make the idea of disposable, proxy account numbers much more complex than it may seem at first glance.
It turns out the tokens aren’t really disposable at all.
“The token used has to be left ‘alive’ for refunds, restaurants adding tips to the bill, car rental companies charging road toll charges, hotels adding minibar items. … This means that there are multiple ‘active’ token numbers for each customer at any given time,” Hursti said, adding that he recalls a tokenization trial for “black cards” for high net worth cardholders that resulted in each user having “thousands of active numbers issued to them at any given time.”
The more live tokens in the payment universe, the larger the footprint hackers have to attack. And the longer the tokens have to stay alive, the more time criminals who obtain stolen data have to figure out how to gain access to the accounts attached to them.
Ultimately, the tokens have to be linked to the original account number somehow. Should criminals determine the matching method, they could unlock the secret to obtaining all the associated account numbers.
Payments industry expert Avivah Litan, a vice president and analyst at Gartner Research, said well-designed, modern token systems won’t be vulnerable to those kinds of attacks. Her main concern is that tokens will be hastily and poorly implemented.
“Tokenization and other payment card security technologies are only as secure as their implementation,” she said. “Many things can and have gone wrong with participants in payment card networks.”
Critically, merchants and financial institutions are still in disagreement about how tokens should work. Many merchants have spent years developing their own in-house systems, which differ in format from the system adopted by Apple and the payment networks. This will lead to “token collision,” Litan warns.
Merchants who use their own tokenization system and also accept Apple Pay or other EMV (smart credit card) token payments will end up with multiple tokens for one card number, defeating a major reason merchants adopted tokenization in the first place, she said.
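The lifecycle problem Hursti describes, and the point that every token must link back to the original account number, can be seen in a small vault sketch. This is an added example, not code from the article or from any payment network; the class, the merchant names, the one-hour lifetime and the test card number are assumptions made for illustration.

```python
import secrets
import time


class TokenVault:
    """Toy vault: tokens are random, so this table is the only link to the PAN."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._entries = {}  # token -> (pan, merchant_id, expires_at)

    def issue(self, pan, merchant_id, now=None):
        now = time.time() if now is None else now
        while True:
            # 16 random digits: no key or formula leads back to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._entries:
                break
        self._entries[token] = (pan, merchant_id, now + self.ttl)
        return token

    def detokenize(self, token, merchant_id, now=None):
        """Return the PAN only for a live token presented by its own merchant."""
        now = time.time() if now is None else now
        pan, owner, expires_at = self._entries.get(token, (None, None, 0))
        if owner != merchant_id or now >= expires_at:
            return None
        return pan

    def active_tokens(self, pan, now=None):
        """Live tokens for one card: the footprint the article describes."""
        now = time.time() if now is None else now
        return [t for t, (p, _, exp) in self._entries.items() if p == pan and now < exp]


def demo():
    pan = "4111111111111111"  # constructed test number, not a real account
    vault = TokenVault(ttl_seconds=3600)  # assumed one-hour lifetime
    tokens = {m: vault.issue(pan, m, now=0) for m in ("hotel", "car-rental", "restaurant")}
    return {
        "live_at_start": len(vault.active_tokens(pan, now=10)),
        "own_merchant": vault.detokenize(tokens["hotel"], "hotel", now=10),
        "other_merchant": vault.detokenize(tokens["hotel"], "restaurant", now=10),
        "live_after_ttl": len(vault.active_tokens(pan, now=3601)),
        "late_refund": vault.detokenize(tokens["hotel"], "hotel", now=3601),
    }
```

One card already carries three live tokens, one per merchant, and the short lifetime that shrinks that footprint also makes the hotel's late refund fail, which is the tension between disposability and follow-up charges raised above.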