The fix, as it is becoming clearer, is to take payment card information (account numbers, card verification values and the like) and devalue this data in an effort to make it less relevant to the hackers who seek to harvest and sell it. But the ways we are developing the fix are not very dissimilar, conceptually.
Is there more to this commonality and does this offer us a theme for what we should expect in the technologies that support payment processing through the front lines of the merchants POS systems?
I鈥檓 going to offer that this may be something we鈥檙e already quite familiar with, and that this technology is fairly easy to demystify鈥 it鈥檚 just using surrogates for the numbers we use to authorize every transaction, and they are both the problem and the solution. We鈥檝e been mostly using them 鈥渋n the clear鈥 or unencrypted (for decades!), and this is why we have massive merchant breaches and high rates of card fraud.
Clearly, our processing of these numbers wasn鈥檛 quite keeping up with the rest of technology as we entered the information age.
Tell me, when was the last time you entered a static password without it being hashed out for you?聽How often are we reminded that the static password is failing us?聽
We are finding better solutions using technology that are still user-friendly and disrupt the fraud cycle. If we really consider it, any credit card number on a magnetic stripe, the聽16-digit pan, is just a pseudo account number that was made a token for an account around 40 years ago, so it鈥檚 fairly long in the tooth.
For starters, the one technology topic on the tip of the tongue of most discussions is around EMV or Chip Cards.
So, what鈥檚 the big deal, we鈥檝e got a new chip on our plastics; it looks like a SIM card and it works like one. Do we really know how it works? Some of the industry leaders frequently get it wrong, and I have an idea why鈥 it鈥檚 actually pretty complicated behind the scenes.
There are some elements like cryptograms and other super-secret validations (both offline and online) that go on in the background that would frighten most technophiles in terms of their complexity. But rest assured, it works quite well and most of the rest of the world is already done with their deployments, so we can all exhale.
Alright, let鈥檚 bring this back to topic鈥 the killer element (as I see it) is the iCVV, a dynamic (it can change with each transaction) electronic version of that 3-digit code, and it can only be used with a chip transaction, where the cardholder is present at the merchant鈥檚 point of sale. If a bad CVV is used, the issuer will typically decline the transaction. Voil脿, we鈥檝e (mostly) fixed card present fraud when the transaction processes on the chip!
Yet, the argument is that this isn鈥檛 a silver bullet because it doesn鈥檛 fix card not present fraud (or worse, it 鈥渟hifts鈥 the fraud there鈥 and I can counter that).
So what might be the 鈥渃hip鈥 equivalent for card not present?
We鈥檙e still waiting for that standard to be released by the authors of the chip card, EMVCo, but there are some encouraging signs coming out of the industry鈥 I keep seeing attempts to pioneer a dynamic CV2 out of the industry, an algorithm that changes the CV2 every few minutes or hour, pop up as a potential solution.
So imagine that there is a second chip embedded in the card, and this chip changes the CV2 on an LCD window (which has an internal battery that lasts as long as the card does). This is a potential solution emerging in Europe (which is where the card present EMV/chip standard was pioneered) where some banks are already piloting the technology.
Tokenization is now most famous with Apple Pay and is much the same; we have a token that鈥檚 placed on the device that is used as a surrogate for the card number (PAN).
In any event, it鈥檚 removed the PAN from the transaction and thus, divorced itself from the capacity to be harvested and reused outside of the device on which it resides. This is the equivalent of the hashing the password, but associating it with the device is the equivalent of making the token dynamic (as in there is only one static token per device).
Here comes the science: With this pseudo-dynamic PAN, we have an authenticated token unique to the encrypted device and it can鈥檛 be used elsewhere, so it鈥檚 fairly secure (once the token-device registration is securely authenticated).
When the final nail is in the coffin for the mag-stripe and the static CV2, we鈥檙e solidly in dynamic-ville and we will likely see a tightened security infrastructure in the card space.
However, at this point in the future, who is to say there is a card needed at all. Perhaps we鈥檒l virtualize it, it鈥檚 tokenized on our device into that great mobile wallet in the cloud. Perhaps we鈥檝e eradicated all payment data sent in the clear and encouraged merchants to distance themselves from other data that can be tied to a customer.
This overarching strategy, sometimes known as 鈥渄ata toxification,鈥 is not just another buzzword, it鈥檚 happening鈥 a concerted strategy suggested by the major networks. All these disconnected technologies do in fact have a common core, and are being pushed and pulled and executed on by those powers that can not just suggest it as a policy, but enforce it.
It makes sense to look back in your business, where you have stored or are moving data in the clear, and start thinking about where and how to tokenize, or devalue data stored and sent in the clear. This will inevitably be disruptive to the endless payment card fraud cycle we鈥檝e been on for a decade now.
Although by then, there will likely be something else for us to focus our financial crime attention on. Our work never ends there.
