By Thomas Owen, head of security, Memset
As Christmas approaches the threat of payment fraud and financial loss grows larger, but the success of commerce around the festive period creates new opportunities for cybercriminals.
Some suggest tokenisation could be the panacea for the increasingly public threat of large scale customer data breaches. This means the replacement of sensitive data (payment card details, sensitive personal information fields, bank account numbers,) with non-sensitive data (the tokens).
To keep it safe, the mapping connecting the sensitive information and the tokens is stored in a token vault in a secure location; this means the sensitive information itself no longer needs to be sent.
Apple Pay goes Christmas shopping
This Christmas will be the first to see Apple Pay used widely for festive shopping. It uses a tokenisation process to keep data safe. The token can only be mapped to a specific card by the payment network; no data is ever saved to the device or by merchants. It is encrypted and tokenised as it passes through Apple’s servers and those of the seller.
This is a step beyond many previous tokenisation approaches, where the token vault would normally be stored by a tokenisation provider, adding another organisation into the chain of possible targets for compromise.
But no new approach can ever mitigate all risks. As an overall concept, tokenisation aggregates a huge amount of risk thanks to the tokenisation provider and the security of the token vault. This single location to compromise has a significant payload of juicy data.
In the case of Apply Pay however, these locations instead sit with the payment networks that actually process the payments and so do not add to the risks in the same way that a third party provider might.
It is worth bearing in mind though that a payment gateway provider is likely to be more focussed on security than a typical e-commerce or physical merchant.
Comparing mature models
Where tokenisation is used to protect other sensitive information such as personally identifiable information (PII) or broader financial data, the security model of the tokenisation provider may be less mature, presenting a softer and no-less tempting target.
Another important aspect for tokenisation is authenticity. The ability to prove the identity of the individual initiating an action is crucial, for instance, the right person paying with a contactless card.
Apple uses fingerprint security on its devices to ensure that the person using an iPhone to make a payment is the rightful owner. This means that if your smartphone is lost or stolen, fraudulent payments and purchases cannot be made with your payment details.
However, the separation of identity with payment details opens up new opportunities for fraud, a smartphone-based version of card-cloning, creating a new ‘fake’ card from information stolen by skimming, and it’s not just restricted to Apple Pay. It is a problem that affects anyone seeking to launch a mobile payment system if it does not take steps to authenticate the owner of the payment details before the transaction completes.
Tokenisation systems alone would struggle to mitigate against this. They will just process a transaction securely like any other legitimate one, up until the point that the transactions trigger a fraud check threshold or the card details themselves are reported as stolen.
Role of tokenisation
Where tokenisation does have a role is in reducing the need to send and store, and therefore intercept or hack, sensitive information to the minimum possible. It can protect payment data, PII or financial information and establishes a way to remove the need for many companies to even hold sensitive customer data in the first place.
But a weak point that will always be available to attackers is at the point where the data itself is entered for the first time, as in the example of an online shopper first registering their account and payment information.
The use of sessions and volatile memory (RAM) to store this data whilst being processed has led to the growth of “in-memory” attacks, which, among other things, are gaining in popularity to take advantage of the moment before any tokenisation takes place.
Memset doesn’t sell tokenisation as a service, but we do use it internally and for customers within our cloud-based platform as part of our PCI compliance. It reduces the risks to us and to our customers, but does not solve all risks.
Tokenisation should never be considered ‘the’ method for security protection of sensitive data and personal and financial information, only another tool in the box.
Security is not a zero-sum game. Tokenisation has undoubtedly reduced a number of serious risks, but we’d be blinkered if we didn’t accept that it’s also moved some of the problems and threats elsewhere.
Memset is a provider of high security, cost effective utility infrastructure-as-a-service cloud products to the UK private and public sector.