'Tokenization' touted to increase credit card data securities (Part 3)

Magic? Or mayhem?
Making credit card data disappear sounds simple enough, but like all good magic, there are a few tricks to it -- tricks that merchants, processors and card issuers want to learn more about before they embrace it as the panacea to data theft.

So far, Dave Taylor, a former Gartner analyst and founder of the PCI Knowledge Base, a panel of experts that supports best practices in payment securities, has been impressed by the potential of tokenization.

"It is gaining traction now," says Taylor. "Even six months ago, there was very little awareness of it, even among larger organizations. Merchants are very likely to save money with tokenization."

With awareness comes scrutiny, however.

"There is an increased awareness that this is not child's play, it's not something that is that easy to do," he admits. "If an organization has had problems dealing with encryption, they're probably also going to have problems dealing with tokenization."

In addition to concerns over the securities of the hardware intercept at the POS terminal, Taylor says merchants are unsure how tokenization will integrate with other automated systems that also use card data for things like sales auditing, loss prevention and loyalty programs.

Leach agrees: "There is confusion about charge-backs and whether merchants need to retain that information. Another concern is debit card transactions. Is tokenization a solution for all kinds of payment transactions? How does a tokenized solution manage the PIN block, for example?"

Those are all questions Leach hopes to answer when his council digs into emerging technology proposals this year.

If tokenization does gain momentum, Taylor says it could serve to steer consumers away from merchants whose cups are half-full of cardholder data toward those whose databanks are empty.

"Customer service organizations market that they're keeping the data for the convenience of the consumers," he says. "They could just as easily market that they don't keep data, and that that is safer for you. Why don't they market that?"

'Tokenization' touted to increase credit card data securities (Part 2)

Rescuing the princess
So far, tokenization technology comes in a handful of flavors, with Shift4's 4Go SafeSwipe, EPX's BuyerWall and Merchant Link's TransactionVault being the major ones.

Shift4's Randy Carr likes to use the princess analogy to explain tokenization and the real-world obstacles it faces in the payment industry.

"Say you have a castle with a princess, and all these bad guys keep riding up trying to kidnap her," he says. "The way the industry has approached securities is to put a moat around the castle, bar the doors and windows and put archers on the roof. What we did was ask, 'Why don't we just remove her from the castle?'"

Aye, good move for the princess, i.e. your card data. But not such good news for the folks who make their living by digging moats, barring windows and launching arrows, i.e. the data securities industry.

"If you like selling firewalls and intrusion detection systems and encryption, this is very bad news," says Carr. "We have detractors at every turn. There are people who want to solve the problem, and there are people who don't, who still want to build the moat."

The card brands themselves may pose the most formidable obstacle to tokenization, given that they make a tidy sum each year by charging data securities fees to their merchant customers.

"The reason this technology is not being used is financial," says Carr. "The card companies want to talk about it, hold hearings about it, form a committee, but they don't want to actually solve it. It's like saving the whales: If anybody actually saved the whales, there are going to be a lot of people out of work."

Carr believes the game-changer in the equation is today's hacker. "These aren't college students doing it anymore; they're ex-Soviet operatives, and they're serious guys. They're not there to get 20 card numbers; they're there to get 100 million card numbers," he says.

Their purpose, Carr says, is not to purchase golf clubs, but to fund terrorism, which may explain why the FBI and other intelligence agencies have been inviting Carr and his counterparts for tea.

Carr, for his part, would like to see tokenization become a federal data-securities standard.

"We have issues right now that demand a real solution, not just something you talk about," he says. "You've got to put this in play. I think if Congress were to call all the card brands to the [Capitol] Hill and said, ‘Look, you guys know about this. Why aren't you using it?' they would be hard-pressed to answer that question."

Your credit card, Social Security numbers: Are they online?

By Jeremy Simon

A new free online tool can help consumers find out if their Social Security and credit card numbers are available publicly on the Internet. Using TrustedID's StolenIDSearch.com, consumers can search a limited database that includes 2.3 million pieces of information.

Social securities numbers, unlike credit card numbers, are widely exposed through public documents. While it is fairly easy to get a new credit card in the case of loss or theft, it is much tougher to receive a new Social Security number. In fact, individuals are limited to three replacements of their paper Social Security card each year and 10 over their lifetime.

Why are Social Security numbers so easily accessible? One reason is the frequency with which they are used. Companies that provide a service first and bill you later (such as utilities and cell phone providers) ask for a Social Security number in order to check your credit report to ensure you are reliable borrower.

Meanwhile, every doctor and dentist's office in the U.S. has a record of patient's Social Security numbers -- the securities of which is up for debate. And, up until 2004, states were allowed to include Social Security numbers on drivers' licenses, while before 2001 states could sell lists with those numbers.

Separately, thieves may obtain Social Security and credit card numbers through the use of "key logging" software that is secretly installed on computers to record what is typed, as well as through phishing schemes that trick consumers into entering personal information onto fake Web sites that are designed to look like those of a bank or credit card issuer.

Luckily, recent developments are working in consumers' favor. States and counties have started to remove images of documents from their Web sites that include Social Security numbers, or to block out the numbers themselves.

New York is among four states that have taken down links to images of public documents containing Social Security numbers, while the Texas attorney general on Feb. 21, 2007, issued a legal opinion that county clerks could be committing a crime by revealing Social Security numbers online.

TrustedID has assembled a database of compromised Social Security and credit card numbers that could be bought or traded online. While its StolenIDSearch.com tool is free, TrustedID sells services to consumers that provide them with greater control over who views their credit reports.

For consumers that find their data has been compromised, ordering a copy of their credit report from three main credit bureaus is the first step. CreditCards.com visitors should use http://www.creditcards.com/free-credit-report.php to request a credit report from credit bureaus Experian, Equifax and TransUnion.

Should you turn up any unexplained accounts on your credit report, alert the credit bureaus, credit card issuers and merchants involved. You can also let the Federal Trade Commission and local law enforcement know, and you may decide to freeze your credit to block anyone from opening new accounts in your name.

But all consumers, regardless of whether their Social Security and credit card information is floating in cyberspace, should request copies of their credit reports each year. Also, computer users should install anti-virus and anti-spyware software on their PCs and make sure it stays updated.

'Tokenization' touted to increase credit card data securities

With 'tokens,' proxy numbers substitute for card data

By Jay MacDonald

Remember the business bestseller, "Who Moved My Cheese?"

Even the most sophisticated hackers may be asking that very question the next time they attempt a Heartland-size credit card heist if a new data securities technology called tokenization catches on with the payment industry.

The concept behind tokenization is remarkably simple: Data thieves can't steal what isn't there.

Tokenization intercepts your card information at the point-of-sale terminal or online payment interface and replaces your cardholder data with randomly generated proxy numbers, or tokens. The transaction then continues, under an assumed name as it were, through the normal authorization process.

The biggest difference: Your card data is never stored intact anywhere, making it nearly impossible for hackers to reassemble it through decryption or reverse engineering.

Hack into your merchant's database or that of the payment processor and all you'll receive for your trouble are worthless tokens.

The only place your card data actually resides is at the data facility of the third-party provider that administers the tokenization program. But hack into their databases and all you'll find is the digital equivalent of jigsaw puzzle pieces scattered across multiple locations.

"People ask, 'Why can't what happened to Heartland happen to you?'" says Randy Carr, vice president of marketing for Shift4, developer of the 4GO tokenization technology. "You would have to steal numerous people in numerous buildings to actually steal a credit card number from us." While no system built by man can be considered 100 percent hack-proof, tokenization may be the next best thing.

"I think the concept of tokenization is good," says Troy Leach, technical director of the Payment Card Industry (PCI) Security Standards Council. "That is why the council is exploring the concept this year. We're asking, 'Does tokenization simplify the process of PCI compliance for merchants, or does it provide additional complexity?'"

Some securities you need to know when using Credit Card online

Site Securities

Ensuring the security and protection of your personal information is important to us. When you choose to apply for any credit card offer shown on our website, you will be taken directly to the card issuer’s secure website to complete the application.

We only partner with card issuers whose online credit application forms are secured by 128-bit SSL encryption. SSL technology encodes information as it is being sent over the Internet, helping to ensure that the information transmitted remains confidential.



You will know the card issuer’s application form is secure when you see:

• A secure symbol (for example, closed padlock or key)

• https:// in the address bar, instead of http://


SSL technology requires the use of compatible browsers which allow you to communicate with our website in a protected session by encrypting information that flows between you and the site. Internet Explorer browser versions prior to 3.02 and Netscape browser versions prior to 4.02 are not capable of 128-bit encryption. We recommend you use the latest browser versions available.