The one-two punch of the Target data breach and the Heartbleed bug intensified the focus on the vulnerability of personal credit card data in both the physical and digital realms. As a natural consequence, consumers have become increasingly concerned about giving their card data to physical and online merchants. EMV chips for physical cards served as the solution to the Target breach. But what can prevent, or at least mitigate, e-commerce incidents similar to Heartbleed, wherein hackers gain the encryption keys to unscramble payment information? What is the security product that will keep information secure at online points of sale? We’ve already identified the way to strengthen security at cash registers, but online shopping carts are inevitably the next security battleground. As consumers shift to online shopping at greater rates, it is crucial for credit card companies to turn their attention to developing more effective cybersecurity products. This whitepaper identifies a current best practice in the hope that other credit card companies will implement it in the near term.
Credit card issuers, positioned at the intersection of merchants and consumers, have for the most part not focused specifically on minimizing identity theft in online checkout systems. There is an established and accessible cybersecurity product capable of masking card data at online points of sale; however, it is currently in use only by Bank of America and Citibank. This product, known formally as a controlled payment number, generates proxy card numbers that stand in for a user’s actual card number. By providing a proxy number, users never supply a merchant with their real card data, even at the checkout page. The “heartbeat” sent between the servers never includes the real number, giving a hacker no chance to unscramble the payment data of the user’s physical card. At best, the hacker would decrypt the proxy number, giving them much less power to spend recklessly.
Like EMV chip technology, this substitute credit card number service is not a new invention, yet it is surprisingly hard to find as an offering among credit card firms. Unlike EMV chips, however, substitute card numbers do not require an overhaul of any payment systems for either the merchants or the card issuers. For these reasons, this product could be implemented across all credit card firms and could help prevent future e-commerce breaches.