A token effort to keep your credit card accounts safer

There’s a simple way to end the theft of millions of credit card numbers from merchants like Target or Home Depot: Stop giving merchants credit card numbers in the first place. One way to do that is to replace credit card account numbers with “token” data that merely represents the numbers — useful to the merchant, but useless to the criminals. It’s a concept called tokenization, and ready or not, it’s coming. I explored tokenization in a recent post on CNBC.com. An excerpt, stressing the surprising challenges of the seemingly simple idea, is below. You can read the entire story at CNBC.com.

Independent security researcher Harri Hursti said past attempts at tokenization have encountered exceptions that make the idea of disposable, proxy account numbers much more complex than it may seem at first glance.

It turns out the tokens aren’t really disposable at all.

“The token used has to be left ‘alive’ for refunds, restaurants adding tips to the bill, car rental companies charging road toll charges, hotels adding minibar items. … This means that there are multiple ‘active’ token numbers for each customer at any given time,” Hursti said, adding that he recalls a tokenization trial for “black cards” for high net worth cardholders that resulted in each user having “thousands of active numbers issued to them at any given time.”

The more live tokens in the payment universe, the larger the footprint hackers have to attack. And the longer the tokens have to stay alive, the more time criminals who obtain stolen data have to figure out how to gain access to the accounts attached to them.

Ultimately, the tokens have to be linked to the original account number somehow. Should criminals determine the matching method, they could unlock the secret to obtaining all the associated account numbers.

Payments industry expert Avivah Litan, a vice president and analyst at Gartner Research, said well-designed, modern token systems won’t be vulnerable to those kinds of attacks. Her main concern is that tokens will be hastily and poorly implemented.

“Tokenization and other payment card security technologies are only as secure as their implementation,” she said. “Many things can and have gone wrong with participants in payment card networks.”

Critically, merchants and financial institutions are still in disagreement about how tokens should work. Many merchants have spent years developing their own in-house systems, which differ in format from the system adopted by Apple and the payment networks. This will lead to “token collision,” Litan warns.

Merchants who use their own tokenization system and also accept Apple Pay or other EMV (smart credit card) token payments will end up with multiple tokens for one card number, defeating a major reason merchants adopted tokenization in the first place, she said.
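The two problems raised above, several live tokens per card and “token collision” between a merchant’s in-house vault and the network’s, can be seen in a small model. The following is an added example written for this page, not code from the article or from any real tokenization provider; the `TokenVault` class, its method names and the test card number are all hypothetical. It shows why a token that is random rather than derived from the card number is worthless to whoever steals it, why tokens left open for tips, minibar charges and refunds add up, and how two independent vaults make one card look like two customers to the merchant.

```python
import secrets
from dataclasses import dataclass

# Added example, not from the article: a toy token vault illustrating the
# properties the piece describes. Names are hypothetical; real network
# tokenization services differ in detail.


@dataclass
class TokenRecord:
    pan: str        # the real account number; it lives only inside the vault
    purpose: str    # why the token was minted, e.g. "purchase" or "refund"
    active: bool = True


class TokenVault:
    """Maps random tokens to PANs. Because tokens are drawn from a CSPRNG
    rather than computed from the PAN, a token leaked from a merchant is
    useless without read access to this mapping."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def issue(self, pan: str, purpose: str) -> str:
        # Keep the last four digits so receipts still read like the card;
        # the leading twelve are random, so nothing else about the PAN leaks.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan=pan, purpose=purpose)
        return token

    def detokenize(self, token: str) -> str:
        rec = self._records.get(token)
        if rec is None or not rec.active:
            raise KeyError("unknown or retired token")
        return rec.pan

    def retire(self, token: str) -> None:
        # A token must stay alive while later charges (tips, minibar, tolls)
        # or a refund may still reference it; retiring it ends that exposure.
        self._records[token].active = False

    def active_tokens_for(self, pan: str) -> list[str]:
        return [t for t, r in self._records.items() if r.pan == pan and r.active]


PAN = "4111111111111111"  # constructed sample card number, not a real account


def live_token_footprint() -> int:
    """Hursti's point: one card accumulates several live tokens at once.
    Returns how many are still active after one of them is retired."""
    vault = TokenVault()
    restaurant = vault.issue(PAN, "purchase")  # left open so a tip can be added
    hotel = vault.issue(PAN, "purchase")       # left open for minibar charges
    refund = vault.issue(PAN, "refund")        # left open until the refund settles
    for token in (restaurant, hotel, refund):
        assert vault.detokenize(token) == PAN   # all three resolve to the same card
    vault.retire(refund)                       # refund settled: one fewer live token
    return len(vault.active_tokens_for(PAN))


def token_collision() -> tuple[int, int]:
    """Litan's point: a merchant running its own vault that also accepts
    network tokens sees two different tokens for one card. Returns
    (distinct tokens the merchant sees, distinct cards actually involved)."""
    merchant_vault = TokenVault()  # the merchant's in-house system
    network_vault = TokenVault()   # the payment network's system, a separate mapping
    swipe_token = merchant_vault.issue(PAN, "purchase")   # card swiped in store
    wallet_token = network_vault.issue(PAN, "purchase")   # same card via a mobile wallet
    # The merchant keys its customer history by token, so one card now looks
    # like two customers; only each vault's owner can tell that they match.
    seen_by_merchant = {swipe_token, wallet_token}
    real_cards = {
        merchant_vault.detokenize(swipe_token),
        network_vault.detokenize(wallet_token),
    }
    return len(seen_by_merchant), len(real_cards)


if __name__ == "__main__":
    print("live tokens for one card:", live_token_footprint())
    print("(tokens seen, cards involved):", token_collision())
```

The design choice worth noting is in `issue`: the token carries no information about the PAN beyond the last four digits, so the only way to go from token to account is through the vault. That is the “matching method” the article warns about; in this model it is a lookup table, not a formula, so protecting the vault is the whole job.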


About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best-Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013 and reissued as a paperback, Getting Unstuck, in 2014. He has won the Society of Professional Journalists’ prestigious Public Service award, a Peabody award, and the Consumer Federation of America’s Betty Furness award, and has been given Consumer Action’s Consumer Excellence Award.
