Chief Technology Officer/CISO
These days, some online payment processors, particularly mobile processors, rely on tokenization to improve security. For example, this technology powers Apple Pay. Major credit card companies, like MasterCard, Amex, and Visa, are also now backing projects that use tokenization to improve digital security.
Problems With Traditional Credit Card Payments
Insecure payment processing schemes leave merchants, card holders, and card companies vulnerable to fraud. This kind of crime costs money and damages reputations.
For instance, consider these statistics about payment fraud from Gemalto:
- In 2014, online and mobile credit card fraud resulted in losses of $16 billion.
- That same year, digital criminals targeted almost 13 million Americans.
- Well over a quarter of consumers won’t deal with a merchant again after they suffer from credit card fraud.
Credit card holders are all familiar with 16-digit credit card numbers. These numbers are called the primary account number, or PAN. The PAN and the card expiration date make up typical payment credentials. All of this information is clearly visible on major credit cards. Consumers can use these credentials to make purchases almost anywhere.
Of course, digital criminals can also use those same credentials to steal money or make illegal purchases. They might obtain the information by compromising payment processors, phones, and even ATMs. Most people have read about several high-profile breaches that resulted in bad press and financial losses. Some consumers have grown reluctant to make online or mobile payments because they fear becoming victims of fraud.
How Does Gemalto Tokenization Work?
Gemalto's tokenization platform is delivered as part of the KeySecure system, as one of the many flavors of encryption it can support. The concept is relatively straightforward. Instead of storing sensitive information (credit card numbers, social security numbers, or basically any field in a database), the tokenization platform replaces that entry with seemingly "junk" data. This "token" is a reference into a secure vault that exists separately from the database supporting your web-based operations (usually the system where a company first receives this information from its customers). The actual card numbers and social security numbers are stored in that separate system, which is accessible only through the KeySecure platform. A Token Manager acts as an intermediary service: it manages the tokenized fields in your production database while ensuring that only the right resources access the protected information, and only when it is necessary.
A great attack scenario to evaluate is the exploitation of a flaw in your web or database design that would allow a bad actor to dump data fields from your systems. If they were to exfiltrate the fields originally intended to hold your customers' credit card numbers, they would receive only the tokenized data, essentially "junk" data, which has no value to them. Because the token is not produced by a hash-based or traditional encryption process, no brute-force effort can unmask the original data from which the token was generated.
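The vault-and-token-manager design described above, and the "dump the production table" scenario that it defends against, are illustrated by the following added example. This is constructed demonstration code written for this article; it is not Gemalto or KeySecure code, and the class names, the role name `payment-processor`, and the choice to keep the last four digits of the card number are assumptions made for illustration. The sample card number is a constructed value (a widely used test number), not real customer data.

```python
import secrets


class TokenVault:
    """Separate, access-restricted store holding the only token <-> PAN mapping.

    Hypothetical illustration (not Gemalto/KeySecure code): the production
    database never holds a reference to this object, only the tokens it issues.
    """

    TOKEN_LENGTH = 16

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        # The token body is random digits, not a hash or cipher of the PAN, so
        # possessing the token gives no computational path back to the PAN.
        # The last four digits are preserved (an assumption for this example)
        # so receipts and support screens can still show "ending in 1111".
        while True:
            body = "".join(secrets.choice("0123456789")
                           for _ in range(self.TOKEN_LENGTH - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and len(pan) == self.TOKEN_LENGTH):
            raise ValueError("PAN must be 16 digits")
        # The same PAN always maps to the same token, so the tokenized field
        # remains usable as a lookup key (e.g. "find this customer's card").
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


class TokenManager:
    """Intermediary between the web tier and the vault.

    It decides who may recover a real PAN; the role names are assumptions.
    """

    ALLOWED_TO_DETOKENIZE = {"payment-processor"}

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault

    def protect(self, pan: str) -> str:
        return self._vault.tokenize(pan)

    def reveal(self, token: str, caller_role: str) -> str:
        if caller_role not in self.ALLOWED_TO_DETOKENIZE:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._vault.detokenize(token)


def store_customer(db: dict, manager: TokenManager,
                   customer_id: str, pan: str) -> None:
    """What the web application persists: only the token reaches production."""
    db[customer_id] = {"card_token": manager.protect(pan)}


def dump_leaks_pan(db: dict, pan: str) -> bool:
    """Simulates the scenario in the text: an attacker dumps the production
    table. Returns True only if the real PAN appears anywhere in that dump."""
    return any(pan in str(row) for row in db.values())


def demo() -> dict:
    vault = TokenVault()
    manager = TokenManager(vault)
    production_db: dict = {}
    sample_pan = "4111111111111111"  # constructed sample: a well-known test number
    store_customer(production_db, manager, "cust-001", sample_pan)
    token = production_db["cust-001"]["card_token"]
    return {
        "token": token,
        "leaked": dump_leaks_pan(production_db, sample_pan),
        "recovered": manager.reveal(token, "payment-processor"),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the mapping lives: a dump of `production_db` yields tokens whose body is random, so nothing in the leaked rows can be reversed offline, while `TokenManager.reveal` is the single chokepoint where detokenization happens and where access control and logging belong.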
The great thing about this is that your customers won't experience any difference when they use their stored card information for payment. The end-user experience is completely transparent. The result is enhanced security with little impact on the people who benefit most from the tokenization process.
The Future of Tokenization
Most likely, the use of tokenization will continue to grow. At the same time, it's only one method of securing payments and sensitive information, and it may not be the best option for every payment processor or card issuer. Individual companies will need to evaluate whether tokenization is right for them, their customers, and the data they've been entrusted with.
Is your company vulnerable because of the way you process or store sensitive data? If you have existing issues or just aren’t sure if you have done everything you can to protect your business and your customers, contact us right away to discuss your situation.