Page 12 - Cyber Warnings
Tokens were designed to never maintain a one-to-one relationship with a card (although Shift4
later built additional secure technologies that allowed for tokenized merchants to still track card
usage for analytics).
This ensures that tokens aren’t predictable and cannot be reversed or decrypted. Also,
because tokens are alphanumeric, there are enough possible permutations that they will
never be repeated (collisions, in industry parlance) within even the largest payment ecosystems.
Instead of being linked to a card as a constant, a token should be linked to a particular card
only for a single transaction in order to be truly secure.
This differs from what you may have heard about tokenization in recent discussions that
reference security features driven by mobile wallets and credit or debit cards, such as EMVCo
tokenization.
Although they are referred to as tokenization, these services aren’t truly tokenization at all.
Instead, they are consumer-based token services that seek to protect the cardholder — not the
merchant.
This is a noble undertaking, but slightly misguided, since having a token that always references
the same card number has, in essence, done nothing more than create a new card number that
is just as useful to thieves as the original data; this is not what tokenization was designed to do.
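The contrast drawn above, between a token bound to a single transaction and a token that always references the same card, shown as an added Python example (not code from the article and not Shift4's implementation). The vault classes, alphabet, token length, card number and transaction ids are all assumptions constructed for illustration.

```python
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_uppercase + string.digits  # assumed 36-symbol alphabet
TOKEN_LEN = 16                                     # assumed length: 36**16 (about 7.9e24) values

def random_token():
    # CSPRNG output: no mathematical relationship to the card number, so nothing to reverse.
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))

class PerTransactionVault:
    """Hypothetical vault: every transaction gets its own token for the card."""
    def __init__(self):
        self._records = {}  # token -> (pan, transaction_id)

    def tokenize(self, pan, transaction_id):
        while True:
            token = random_token()
            if token not in self._records:  # re-draw on the rare collision
                self._records[token] = (pan, transaction_id)
                return token

    def resolve(self, token, transaction_id):
        # Runs inside the vault only; a token is valid for its own transaction.
        pan, bound_txn = self._records[token]
        if bound_txn != transaction_id:
            raise PermissionError("token is not bound to this transaction")
        return pan

class StaticVault:
    """Contrast case: one fixed token that always references the same card."""
    def __init__(self):
        self._by_pan = {}

    def tokenize(self, pan, transaction_id):
        return self._by_pan.setdefault(pan, random_token())

def reused_tokens(stored_tokens):
    # Tokens seen on more than one stored record act as a stable stand-in for the card.
    return [t for t, n in Counter(stored_tokens).items() if n > 1]

TEST_PAN = "4111111111111111"  # constructed sample: a well-known test card number
TXNS = ["reservation-001", "checkout-001", "refund-001"]  # constructed transaction ids

def merchant_records(vault):
    # What the merchant database would hold after three transactions on one card.
    return [vault.tokenize(TEST_PAN, txn) for txn in TXNS]
```

With the per-transaction vault, the three stored records share no value, so nothing in the merchant's database identifies them as the same card. The static vault stores one repeated value that identifies the card on every record.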
Defense Against the Data Breach
When we created tokenization, the goal was to protect merchants from becoming victims of a
data breach. Business needs require some merchants to store transactional information to allow
for returns, refunds, etc.
For example, before tokenization was introduced, hotels would typically store card numbers
from the time an initial reservation was made until after the final checkout.
This meant that hundreds — if not thousands — of card numbers were kept on file.
However, by creating tokenization, Shift4 proved that sensitive, vulnerable card data doesn’t
actually need to be stored, even in card-on-file environments.
By using tokenization, merchants can continue their everyday business practices and simplify
the customer experience without the looming fear of a data breach.
They can also rest assured that all of their sensitive card data — not to mention their brand —
is safe from malicious cybercriminals.
12 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide