Different Solutions, Greater Security

A consumer-based token that any retailer can accept has universal value, and therefore
universal risk.

If one of these consumer-tokenization providers released its full list of tokens tomorrow, you
can bet fraud would spike overnight among the merchants that accept them.

On the other hand, if a list of organically random, globally unique, alphanumeric tokens were
released, attackers would still be no closer to the original card numbers: a token of this kind is
not derived from the card number at all, and the only link between the two is the mapping held
inside the tokenization provider's vault.

PayPal, Samsung, Apple and others have been successfully assigning consumer-based tokens
for years; the point here isn’t to tear them down.

They do offer a certain level of protection to cardholders at the point of purchase and have —
knock on wood — been relatively effective in preventing mass-scale breaches.

The issue with these technologies is simply that they should not be called tokenization. They are
much closer to an encryption or cryptographic hash method.

However, these mobile technologies can work together with tokenization and point-to-point
encryption to accomplish a greater level of security. Tokenization (according to the original
definition) can — and does — tokenize the consumer tokens that are received from a mobile
wallet or other payment instrument.

This prevents the merchant from having to maintain a database full of sensitive cardholder data
— even if that data in this case is an encrypted surrogate.

The Apple vs. FBI media storm was a reminder that encrypted data is only as safe as the key and
the path to it: anyone who obtains the key, by theft, coercion or a flaw in the implementation,
can reverse every ciphertext it protects. An organically random token has no key and no
algorithm behind it, so there is nothing to reverse, which is why such tokenization values will
always be more secure than an encrypted surrogate.
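The contrast the article draws, a vault that hands out random tokens (and can tokenize a wallet's consumer token just like a card number) versus an "encrypted surrogate" that anyone holding the key can reverse, as an added example. This is not the author's or Shift4's code; the vault, the merchant binding on each token, the test PAN, the made-up wallet credential and the toy HMAC-based stream cipher are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # alphanumeric tokens, per the article


class TokenVault:
    """Vault-style tokenization in the article's original sense: every token is
    drawn at random, is unique within the vault, and has no mathematical
    relationship to the value it replaces. The only way back is the vault."""

    def __init__(self, token_len=16):
        self.token_len = token_len
        self._by_token = {}    # token -> (merchant_id, value)
        self._by_value = {}    # (merchant_id, value) -> token

    def tokenize(self, merchant_id, value):
        """Return this merchant's token for `value`, minting one on first use.
        `value` may be a PAN or an already-tokenized wallet credential."""
        key = (merchant_id, value)
        if key in self._by_value:
            return self._by_value[key]
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(self.token_len))
            if token not in self._by_token:          # enforce global uniqueness
                break
        self._by_token[token] = key
        self._by_value[key] = token
        return token

    def detokenize(self, merchant_id, token):
        """Reverse a token; refuses if it was issued to a different merchant
        (binding tokens to a merchant is this example's assumption)."""
        owner, value = self._by_token[token]
        if owner != merchant_id:
            raise PermissionError("token not issued to this merchant")
        return value

    def dump_tokens(self):
        """What leaks if the token list, but not the vault mapping, is released."""
        return sorted(self._by_token)


def encrypt_surrogate(value, key):
    """Toy keyed stream cipher (HMAC-SHA256 keystream XOR) standing in for an
    'encrypted surrogate'. Illustrative only, not a production cipher: the
    structural point is that whoever holds `key` reverses every surrogate."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    data = value.encode()
    if len(data) > len(stream):
        raise ValueError("value too long for this toy cipher")
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def decrypt_surrogate(blob, key):
    nonce, ct = blob[:16], blob[16:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def demo():
    # Constructed sample data: a test PAN and a made-up wallet device account number.
    pan = "4111111111111111"
    wallet_dan = "4895370012345678"

    vault = TokenVault()
    t_pan = vault.tokenize("merchant-A", pan)
    t_dan = vault.tokenize("merchant-A", wallet_dan)   # tokenizing a consumer token

    # Same PAN in a fresh vault yields an unrelated token: nothing is derived from the input.
    independent = TokenVault().tokenize("merchant-A", pan) != t_pan

    # Replaying a leaked token at another merchant fails at the vault.
    try:
        vault.detokenize("merchant-B", t_pan)
        cross_merchant_ok = True
    except PermissionError:
        cross_merchant_ok = False

    # The encrypted alternative: one leaked key reverses the whole store.
    key = secrets.token_bytes(32)
    store = [encrypt_surrogate(pan, key), encrypt_surrogate(wallet_dan, key)]
    recovered = [decrypt_surrogate(blob, key) for blob in store]

    return {
        "token_for_pan": t_pan,
        "token_for_wallet_dan": t_dan,
        "same_token_on_reuse": vault.tokenize("merchant-A", pan) == t_pan,
        "vault_detokenizes": vault.detokenize("merchant-A", t_pan) == pan,
        "token_independent_of_input": independent,
        "leaked_token_count": len(vault.dump_tokens()),
        "cross_merchant_ok": cross_merchant_ok,
        "key_leak_recovers_all": recovered == [pan, wallet_dan],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the two halves of the article's argument show up side by side: the vault's token list can be dumped without exposing a single card number, and a token issued to one merchant is useless at another, whereas the encrypted store collapses entirely the moment its key is in the wrong hands.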




About the Author

J.D. Oder II serves as Shift4's CTO and SVP of Research and Development. J.D. is a Certified
Network Engineer with more than 15 years of experience. He leads Shift4's systems operations
and development efforts as well as the security and compliance teams. J.D. is the architect of
the DOLLARS ON THE NET® payment gateway solution. He is credited with introducing
tokenization to the industry in 2005 and was also an early adopter/member of the PCI Security
Standards Council.







13 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
