Tokenization May Be The Answer For Credit Card Breaches

More than 40 million account numbers taken from Target. Payment systems breached at 2,200 Home Depot stores. Customer data stolen from 33 P. F. Chang restaurants. And those are just the most recent examples of attacks aimed at stealing customer credit card information.

A recent Wall Street Journal article revealed that credit card fraud rose 45% in 2013 to $16 billion. Online fraud has increased as well, now accounting for 16% of US card fraud. Card issuers and merchants are trying to plug the growing security hole by replacing traditional magnetic strip credit cards with cards embedded with computer chips. According to the WSJ article, financial institutions are planning to issue 575 million of these cards by the end of 2015. But this is only part of the solution. As store transactions become more secure, hackers will move online to circumvent the physical card safeguards altogether.

Customers and merchants are clearly shaken by this cyber crime wave. So are the credit card companies. And they’ve come up with what just might be the ultimate answer.

Get ready for tokenization.

We recently met with the largest point-of-sale (POS) provider in the world to talk about the security of their system. They realize that having a secure closed-loop system from payment through processing benefits their clients (the merchants) as well as their clients’ customers (you and me).

A key piece in building that kind of ironclad system is a new technology called tokenization. With this process, merchants no longer possess sensitive, personal credit card information. Instead, at the point of sale, a random series of numbers - a token - is substituted for the actual data. The token then retrieves the customer data from a locked “virtual vault” in the credit card issuer’s database. Once the transaction is completed, the token is no longer connected to the customer data. So in the case of the Target breach, as an example, the hackers would have come away with 40 million useless tokens with no exploitable or extrinsic value.

This beauty of the technology is that it works both offline and online and is perfect for recurring transactions involving subscriptions or membership fees where a merchant holds your information on file.

Tokenization is music to the ears of merchants who don’t want to be in the security business. Unfortunately in the current environment they have to be since they ultimately suffer the brunt of any breach. Home Depot has already announced they will cover all losses their customers suffer as a result of the stolen information.

The concept of tokenization just received a boost with the release of Apple’s new Apple Pay payment system. Because of the recent hacking of iCloud, the public is skeptical that Apple can safeguard personal financial information. The fact is Apple Pay is built on an entirely different security platform- one based on tokenization.

Hackers and IT security experts will always be locked in cyber-battle. Tokenization has the potential to give the good guys a formidable weapon.