'Tokenization' touted to increase credit card data security
With 'tokens,' proxy numbers substitute for card data
By Jay MacDonald | Published: February 26, 2009
Remember the business best-seller, "Who Moved My Cheese?"
|Click on the image to see an interactive graphic about how tokenization works.
Even the most sophisticated hackers may be asking that very question the next time they attempt a Heartland-size credit card heist if a new data security technology called tokenization catches on with the payment industry.
The concept behind tokenization is remarkably simple: Data thieves can't steal what isn't there.
Tokenization intercepts your card information at the point-of-sale terminal or online payment interface and replaces your cardholder data with randomly generated proxy numbers, or tokens. The transaction then continues, under an assumed name as it were, through the normal authorization process.
The biggest difference: Your card data is never stored intact anywhere, making it nearly impossible for hackers to reassemble it through decryption or reverse engineering.
Hack into your merchant's database or that of the payment processor and all you'll receive for your trouble are worthless tokens.
The only place your card data actually resides is at the data facility of the third-party provider that administers the tokenization program. But hack into their databases and all you'll find is the digital equivalent of jigsaw puzzle pieces scattered across multiple locations.
"People ask, 'Why can't what happened to Heartland happen to you?'" says Randy Carr, vice president of marketing for Shift4, developer of the 4GO tokenization technology. "You would have to steal numerous people in numerous buildings to actually steal a credit card number from us." While no system built by man can be considered 100 percent hack-proof, tokenization may be the next best thing.
"I think the concept of tokenization is good," says Troy Leach, technical director of the Payment Card Industry (PCI) Security Standards Council. "That is why the council is exploring the concept this year. We're asking, 'Does tokenization simplify the process of PCI compliance for merchants, or does it provide additional complexity?'"
Shift4's Randy Carr likes to use the princess analogy to explain tokenization and the real-world obstacles it faces in the payment industry.
"Say you have a castle with a princess, and all these bad guys keep riding up trying to kidnap her," he says. "The way the industry has approached security is to put a moat around the castle, bar the doors and windows and put archers on the roof. What we did was ask, 'Why don't we just remove her from the castle?'"
The reason this technology is not being used is financial. The card companies want to talk about it, hold hearings about it, form a committee, but they don't want to actually solve it.
|-- Randy Carr
Vice president of marketing for Shift4
Aye, good move for the princess, i.e. your card data. But not such good news for the folks who make their living by digging moats, barring windows and launching arrows, i.e. the data security industry.
"If you like selling firewalls and intrusion detection systems and encryption, this is very bad news," says Carr. "We have detractors at every turn. There are people who want to solve the problem, and there are people who don't, who still want to build the moat."
The card brands themselves may pose the most formidable obstacle to tokenization, given that they make a tidy sum each year by charging data security fees to their merchant customers.
"The reason this technology is not being used is financial," says Carr. "The card companies want to talk about it, hold hearings about it, form a committee, but they don't want to actually solve it. It's like saving the whales: If anybody actually saved the whales, there are going to be a lot of people out of work."
Carr believes the game-changer in the equation is today's hacker. "These aren't college students doing it anymore; they're ex-Soviet operatives, and they're serious guys. They're not there to get 20 card numbers; they're there to get 100 million card numbers," he says.
Their purpose, Carr says, is not to purchase golf clubs, but to fund terrorism, which may explain why the FBI and other intelligence agencies have been inviting Carr and his counterparts for tea.
Carr, for his part, would like to see tokenization become a federal data-security standard.
"We have issues right now that demand a real solution, not just something you talk about," he says. "You've got to put this in play. I think if Congress were to call all the card brands to the [Capitol] Hill and said, ‘Look, you guys know about this. Why aren't you using it?' they would be hard-pressed to answer that question."
Magic? Or mayhem?
Making credit card data disappear sounds simple enough, but like all good magic, there are a few tricks to it -- tricks that merchants, processors and card issuers want to learn more about before they embrace it as the panacea to data theft.
So far, Dave Taylor, a former Gartner analyst and founder of the PCI Knowledge Base, a panel of experts that supports best practices in payment security, has been impressed by the potential of tokenization.
"It is gaining traction now," says Taylor. "Even six months ago, there was very little awareness of it, even among larger organizations. Merchants are very likely to save money with tokenization."
With awareness comes scrutiny, however.
"There is an increased awareness that this is not child's play, it's not something that is that easy to do," he admits. "If an organization has had problems dealing with encryption, they're probably also going to have problems dealing with tokenization."
In addition to concerns over the security of the hardware intercept at the POS terminal, Taylor says merchants are unsure how tokenization will integrate with other automated systems that also use card data for things like sales auditing, loss prevention and loyalty programs.
They could just as easily market that they don't keep data, and that that is safer for you.
|-- Dave Taylor
Founder of PCI Knowledge Base
Leach agrees: "There is confusion about charge-backs and whether merchants need to retain that information. Another concern is debit card transactions. Is tokenization a solution for all kinds of payment transactions? How does a tokenized solution manage the PIN block, for example?"
Those are all questions Leach hopes to answer when his council digs into emerging technology proposals this year.
If tokenization does gain momentum, Taylor says it could serve to steer consumers away from merchants whose cups are half-full of cardholder data toward those whose databanks are empty.
"Customer service organizations market that they're keeping the data for the convenience of the consumers," he says. "They could just as easily market that they don't keep data, and that that is safer for you. Why don't they market that?"
- Bluesnarfing is newest card fraud at gas pumps and ATMs – With a skimmer and Bluetooth technology, fraudsters can sit nearby and intercept your payment transaction details ...
- TransUnion to pay $60 million to consumers flagged as criminals – A jury sided with a consumer who claimed TransUnion violated federal law over OFAC alerts ...
- House passes CHOICE Act that would gut consumer protections – The House of Representatives passed a GOP-backed deregulation bill that would undo Dodd-Frank consumer protections, but it faces uncertain future in the Senate ...