Credit Card Security: Are We There Yet?

Credit CardCredit card technology in the US is outdated. Magnetic stripe technology has proven an easy avenue for fraud and the time is more than past due to move to chip-and-pin technology.  But there are even better technologies out there, including tokenization, something that American Express is exploring.  While chip-and-pin is more secure than mag stripe, tokenization could hold more promise.

Tokenization creates a temporary number that is not a valid credit card number, but that is mapped to a valid account. This alleviates the burden of having to store customer credit card numbers from retailers. So what, you might say? One number is as good as another, right?  Well, um, no.

Tokens can be managed. They have a lifespan that can be suspended or reinstated. A token could also be a single use token that would work for one purchase then be invalid for any other transaction.

Taking the data out of retail servers also solves a larger problem of the near impossibility of protecting a large infrastructure against malicious hackers.  PCI is a good set of guidelines, but even those that are PCI compliant still experience breaches on a regular basis. Some could argue that it’s because companies weren’t actually compliant, but that’s another blog post. The bigger problem is that there’s just too much at stake to allow card processors — pardon me, to require card processors — to store and protect consumer data. That should be the realm of the card issuers who, by the way, have a lot at stake.

So, no, we’re not there yet. But we’re close.  Get rid of mag stripe and move toward tokenization and chip-and-pin. There will come a day when some intelligent yet mean-spirited hacker will figure out how to commit large-scale fraud with any system. But let’s not make it any easier than we have to.

Follow my posts and tweets on this topic that will be labeled #arewethereyet


Add Comment