Sure, the transmission of the credit card information is reasonably secure, and we've got to trust that the financial service provider has taken the necessary steps -- but what about the retailer?
The good folks at RSA have come up with a clever solution to that part of the equation -- and I, for one, will be looking for it in the near future!
As I mentioned above, the entire chain of credit card transaction handling is reasonably secure, except for one concerning aspect -- the retailer might be keeping a copy of your credit card information for various purposes.
Maybe you'll want a refund or adjustment in the future. Maybe you're a hotel chain and want to have a stored number around for additional charges after you've departed. Maybe you want to use the credit card number for data analytics, customer loyalty, etc.
Lots of good reasons for a retailer or other outfit to hang on to your credit card info after the transaction is ostensibly "done".
However, with hundreds of thousands of retailers, hotels, taxi companies, florists, etc. out there, they can't all be 100% bulletproof in securing your credit card information if they decide to keep a copy "on file".
The Solution
The token directly refers to the credit card account *and* the merchant -- so it can be used for many of the same purposes a real card number can be used for -- adjustments, prepays, refunds, data analytics, etc.
However, the token itself can't be used to charge stuff. It's perfectly harmless to store, hand out, etc.
As a result, any merchant that wants to "hang on" to your credit card information isn't really storing a live credit card number -- just a reference to a real one. I like it.
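A minimal model of the properties described above, added here as an illustration and not taken from RSA or First Data: the `TokenVault` class, the merchant IDs, the `tok_` format and the sample card number are all assumptions. It shows a token that is stable for one merchant, different for another merchant, rejected as a card number, and still usable for a refund by the merchant it was issued to.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """Check-digit test that any card network applies to a presented PAN."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical processor-side vault; the merchant never holds this state.
    A real vault would encrypt stored PANs and authenticate each merchant."""

    def __init__(self):
        self._token_for = {}   # (merchant_id, pan) -> token
        self._entry_for = {}   # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        key = (merchant_id, pan)
        if key not in self._token_for:
            token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN
            self._token_for[key] = token
            self._entry_for[token] = key
        return self._token_for[key]

    def refund(self, merchant_id: str, token: str, cents: int) -> dict:
        owner, pan = self._entry_for.get(token, (None, None))
        if owner != merchant_id:
            raise PermissionError("token unknown or issued to another merchant")
        return {"refunded_cents": cents, "card_last4": pan[-4:]}

PAN = "4111111111111111"   # constructed sample: a widely published test number
vault = TokenVault()
hotel = vault.tokenize("hotel-001", PAN)      # what the hotel keeps on file
florist = vault.tokenize("florist-77", PAN)   # same card, different merchant

if __name__ == "__main__":
    print(hotel == vault.tokenize("hotel-001", PAN))  # stable per merchant
    print(hotel != florist)                           # not linkable across merchants
    print(luhn_ok(hotel))                             # useless as a card number
    print(vault.refund("hotel-001", hotel, 2500))
```

A token copied from the hotel's database and presented by any other merchant ID raises `PermissionError`, which is the point of binding the token to both the card and the merchant.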
Broader Applications?
If you think about it, there are probably many more uses for this approach that don't have anything to do with credit cards.
For example, here in the US, my social security number shows up in a lot of places -- I think I'd prefer a tokenization approach. Same with my health care records, financial account numbers -- anywhere you'd prefer not to have sensitive information being stored by anyone and everyone.
Now that I think about it, maybe my home number and my email address should be tokenized as well!
For More Information
The joint press release from First Data and RSA can be found here.
A more detailed article can be found here.
And, of course, a more technical treatment can be found here.
I don't know about you, but I'd feel better about handing out my credit card (or social security number, or account number, or whatever) to organizations that use this approach.
How about you?
Sounds/looks like what Amazon does, I'm told they patented the process several years ago ("CC motel").
I like using temporary credit card numbers myself, I generate one on a web site, set the expiration date, set the credit limit, use it, then I go cancel the #. Don't need to worry about how good/bad the vendor's infrastructure is. Also can generate numbers for recurring payments, so if I am charged $100/mo for a year I can set up a CC# for that purpose, if the vendor tries to charge $101 for a particular month it is declined. I even had a charge be declined when a vendor changed their name (they were bought out). So I generated a new CC#.
Doesn't work quite as well at retail outlets but awesome for e-commerce stuff.
One company I worked for dealt with a lot of credit cards, and at least for some time their app had the ability to encrypt the data in the database but it had no way to decrypt it (HAH!), so we had to store the data unencrypted until the app got fixed (I left before it was fixed).
I don't know how common it is anymore but on "lesser" sites I always try to inspect the HTML to see how the CC information is being submitted, on occasion I have come across a site that just sends everything in an HTML form via email. My information may be encrypted between the server and my browser but who knows where the email is routed to.
I've had my CC# stolen one time in my life (to my knowledge), shortly after getting back from vacation, so I suppose one of the hotels or restaurants I was at swiped it. The bank caught it quick and called me and suspended the account, gave me a new #. I had to sign some form saying I didn't make those charges but I never did find out in detail what charges they were (I hadn't used the card in weeks so was certain those charges were not from me).
The more secure the better of course, I try to be as secure on my side as I can to compensate for any failings on the remote side, because it's pretty rare that an organization will admit to you how they go about collecting/storing/etc that sort of data. Maybe their employees can snag the data by turning up DEBUG logging on the apps *cough*.
Posted by: nate | November 30, 2009 at 07:45 PM
Many companies have been offering this now after PCI's clampdown.
Posted by: Accept Payments | January 23, 2010 at 10:40 AM