Forget the Credit Card. The Way We Pay May Be About to Change.
As you whip out your credit card this holiday season, you may wonder how secure your data are at the stores where you're shopping. After all, it's almost the one-year anniversary of the massive Target credit card breach, and high-profile database thefts show few signs of slowing down.
Given the consistent stream of announcements, you might be asking why merchants like Home Depot, Target and Bebe have piles of credit card account numbers that can be stolen in the first place.
What if there was a way to buy things without ever giving your credit card number to the store?
Actually, there is. It's a concept known as "tokenization."
The idea is simple. A token is an item that stands in the place of something else, as a subway token once represented the dollar it cost for a train ride. In the credit card world, tokenization means taking credit card account numbers out of merchants' hands, replacing them with strings of characters–essentially, digital tokens–that would, theoretically, be useless if stolen by criminals.
A new token can be created for each transaction, making even a one-time purchase at a small online retailer feel more secure. Or busy merchants can assign their own token to each consumer, meaning a stolen database couldn't be used at any other retailer. Only banks would know consumers' real account information.
The rise of tokenization
The tokenization concept has been around for years. But it's gained momentum over the past year as major retail and restaurant chains—ranging from Kmart to Neiman Marcus to Dairy Queen—have been hit by massive security breaches.
Tokenization also got a boost when it was adapted by Apple for its ApplePay system, which assigns and encrypts what the company calls a unique "device account number" to your iPhone or Apple Watch so each transaction is authorized with a one-time unique number.
Even the major credit card issuers are jumping in now. In its announcement last month, American Express said its new tokens can be used during online transactions, or in a store when paired with a cellphone using near-field communication. Consumers won't even have to pull out their wallet to shop with plastic.
"The idea of taking the actual account number out of the flow ... common sense says that's a good thing, especially in the light of the data compromises that we've seen," said Visa CEO Charles Scharf at a payments conference last month. (The card issuer launched its own token system in September. MasterCard announced its "token platform" would be available in the U.S. the same month.)
So if tokens are such a simple and common-sense solution, why has it taken this long for them to arrive?
More complex than it seems
Independent security researcher Harri Hursti said past attempts at tokenization have encountered exceptions that make the idea of disposable, proxy account numbers much more complex than it may seem at first glance.
It turns out the tokens aren't really disposable at all.
"The token used has to be left 'alive' for refunds, restaurants adding tips to the bill, car rental companies charging road tolls charges, hotels adding minibar items. ... This means that there are multiple 'active' token numbers for each customer at any given time," Hursti said, adding that he recalls a tokenization trial for "black cards" for high net worth cardholders that resulted in each user having "thousands of active numbers issued to them at any given time."
The more live tokens in the payment universe, the larger the footprint hackers have to attack. And the longer the tokens have to stay alive, the more time criminals who obtain stolen data have to figure out how to gain access to the accounts attached to them.
Ultimately, the tokens have to be linked to the original account number somehow. Should criminals determine the matching method, they could unlock the secret to obtaining all the associated account numbers.
'Many things ... have gone wrong'
Payments industry expert Avivah Litan, a vice president and analyst at Gartner Research, said well-designed, modern token systems won't be vulnerable to those kinds of attacks. Her main concern is that tokens will be hastily and poorly implemented.
"Tokenization and other payment card security technologies are only as secure as their implementation," she said. "Many things can and have gone wrong with participants in payment card networks."
Critically, merchants and financial institutions are still in disagreement about how tokens should work. Many merchants have spent years developing their own in-house systems, which differ in format from the system adopted by Apple and the payment networks. This will lead to "token collision," Litan warns.
Merchants who use their own tokenization system and also accept Apple Pay or other EMV (smart credit card) token payments will end up with multiple tokens for one card number, defeating a major reason merchants adopted tokenization in the first place, she said.
Again, the more tokens, the more opportunities for criminals to attack. There are also opportunities during the transaction process to gain access to the linked bank data.
Last year, card hackers were able to attack a U.S. retailer that already had a tokenization system in place by stealing the data during the transaction—before it was tokenized, Litan said. She declined to identify the merchant.
Change is coming
Still, tokenization will almost certainly become more widespread next year because it is tied to the new chip-enabled credit cards consumers have already begun to receive in the mail. Those cards make classic card counterfeiting–in which criminals take stolen account data and encode it on stolen plastic that can be used to shop in stores–nearly impossible. Beginning next year, retail stores that don't have smart card readers will face new liability for fraud, which should hasten their adoption.
Still, as with all security enhancements, tokenization is certain to progress more slowly than many parties wish. While most retailers face a 2015 deadline to switch to the new systems, gas stations have until 2017 because of the expense of "breaking concrete" to install new credit card readers at pumps.
In other words, it will be years before you can leave your plastic credit card in your wallet for good. But change is coming. In light of the steady drumbeat of attacks, both banks and merchants need consumers to believe they are doing all they can to keep payments safe.
"I do think more issuers will move to the tokenization concept," said Bill Hardekopf, CEO of LowCards.com "The incredible number of data breaches in the last 12 months has played a part in this. Consumers are extremely concerned."