Too big for their breaches?

Sometime prior to December 13, 2013, one of the largest known and most costly retail security breaches got under way. Attackers first gained a foothold on Target's corporate network (the intrusion was later traced to credentials stolen from a third-party vendor) and from there pushed memory-scraping malware onto the retailer's point-of-sale (POS) terminals.

The malware copied card data out of terminal memory as customers swiped, staged it on internal servers and exfiltrated it, handing the criminals tens of millions of payment card numbers along with customers' personal information.

The Target breach was a perfect storm of circumstances that shook the confidence of an already shaky population of American consumers.

We already knew that our web browsing history and cell phone records were under surveillance. Couldn’t anyone figure out at least how to safeguard our shopping experience?

Along comes Apple Pay

Love it or hate it, when the preeminent technology company in the world enters a market with a new product, people stand up and take notice. With Apple Pay, finally a company with the necessary gravitas has offered a secure solution for both in-store and in-app purchases.

The user experience is fairly simple. You link a credit or debit card to the Passbook application on your NFC-enabled iPhone 6 or iPhone 6 Plus. At the store you hold the phone near the contactless POS terminal and approve the purchase with your fingerprint on the Touch ID sensor.

For shopping within apps, you can also use an iPad Air 2 or iPad mini 3 in addition to the iPhone 6 models. You load up your cart inside a participating app and check out with Touch ID.

Simple, elegant—and secure.

Tokenization security

Behind Apple Pay's relatively easy payment flow are security technologies designed to keep your personally identifiable information (PII) and card numbers out of the merchant's hands.

In addition to requiring the customer to verify each purchase with a fingerprint via Touch ID, Apple has implemented payment tokenization, a scheme standardized by EMVCo, the body owned by Visa, MasterCard and the other card networks.

Tokenization replaces the sensitive data element, the primary account number (PAN) printed on your card, with a non-sensitive stand-in: a token (Apple calls it the Device Account Number) that is stored in the phone's Secure Element and, on its own, is useless to anyone who cannot query the back-end token vault. The real card number is never written to the phone or to Apple's servers.

When the network's token service receives the token from the POS terminal, it looks up the PAN it maps to and verifies a one-time, transaction-specific cryptogram generated by the phone. The issuer then approves or declines the payment against the real account.

Once the sale is authorized, the transaction completes and that cryptogram can never be accepted again; the token itself stays bound to the device but is worthless without a fresh cryptogram from it. The retailer never handles the customer's credit or debit card number, on the POS terminal or in the corporate network. Memory-scraping malware of the kind used against Target would capture only a token and a spent cryptogram, neither of which can be replayed or used to counterfeit a card.
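The following Python model, added here as an illustration and not Apple's, EMVCo's or any card network's actual implementation, walks through that flow: the token service provider keeps the real card number in a vault, the phone holds only a token and a device key, and each payment carries a cryptogram that is valid once. The class and function names, the HMAC-based cryptogram and the counter-based replay check are assumptions of the model (real schemes use EMV cryptograms and network-specific key management); the card number is a constructed test value. The last step contrasts what a memory scraper on the terminal would capture in a tokenized sale versus a magnetic-stripe swipe.

```python
"""Simplified model of network tokenization (assumed design, not Apple's or
EMVCo's actual protocol). The token service provider (TSP) keeps the real PAN
in a vault; the phone holds only a token plus a device key and signs every
payment with a one-time cryptogram; the merchant sees neither PAN nor key."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def make_cryptogram(key: bytes, token: str, amount_cents: int, counter: int) -> bytes:
    """Per-transaction cryptogram: keyed MAC over token, amount and a
    monotonically increasing counter (a stand-in for the EMV-style ARQC)."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class TokenServiceProvider:
    """Token vault plus authorization logic (the card network / issuer side)."""
    vault: dict = field(default_factory=dict)         # token -> (pan, device_key)
    last_counter: dict = field(default_factory=dict)  # token -> highest counter accepted

    def provision(self, pan: str) -> tuple[str, bytes]:
        """Enrol a card: mint a token and a device key for the phone's secure
        element. Only the TSP ever sees the PAN together with the token."""
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        self.last_counter[token] = 0
        return token, key

    def authorize(self, payload: dict) -> tuple[bool, str]:
        """Detokenize, verify the cryptogram, and refuse any counter that does
        not advance (a replayed or re-used payload)."""
        token = payload["token"]
        if token not in self.vault:
            return False, "unknown token"
        pan, key = self.vault[token]
        expected = make_cryptogram(key, token, payload["amount"], payload["counter"])
        if not hmac.compare_digest(expected, payload["cryptogram"]):
            return False, "bad cryptogram"
        if payload["counter"] <= self.last_counter[token]:
            return False, "replay"
        self.last_counter[token] = payload["counter"]
        return True, f"approved, settled against PAN ending {pan[-4:]}"


@dataclass
class Device:
    """The phone: holds token and key, never the PAN."""
    token: str
    key: bytes
    counter: int = 0

    def pay(self, amount_cents: int) -> dict:
        self.counter += 1
        return {"token": self.token, "amount": amount_cents, "counter": self.counter,
                "cryptogram": make_cryptogram(self.key, self.token, amount_cents, self.counter)}


def pos_checkout(pos_memory: list, tsp: TokenServiceProvider, payload: dict) -> tuple[bool, str]:
    """Merchant terminal: whatever it handles lands in pos_memory, which is
    exactly what RAM-scraping malware of the Target kind would harvest."""
    pos_memory.append(dict(payload))
    return tsp.authorize(payload)


def magstripe_checkout(pos_memory: list, pan: str) -> None:
    """Legacy swipe for contrast: the terminal handles the PAN itself."""
    pos_memory.append({"pan": pan})


def demo() -> dict:
    """Run one tokenized sale, then replay and tamper with what the POS held."""
    pan = "4111111111111111"  # constructed test number, not a real account
    tsp = TokenServiceProvider()
    phone = Device(*tsp.provision(pan))
    tokenized_pos, legacy_pos = [], []

    first_ok, _ = pos_checkout(tokenized_pos, tsp, phone.pay(1999))
    scraped = dict(tokenized_pos[-1])                    # the attacker's haul
    replay_ok, replay_why = tsp.authorize(scraped)       # same payload again
    forged = dict(scraped, amount=99900, counter=scraped["counter"] + 1)
    forge_ok, forge_why = tsp.authorize(forged)          # new amount, no key
    second_ok, _ = pos_checkout(tokenized_pos, tsp, phone.pay(500))
    magstripe_checkout(legacy_pos, pan)

    def leaks(mem: list) -> bool:
        return any(pan in str(v) for entry in mem for v in entry.values())

    return {"first_ok": first_ok, "replay_ok": replay_ok, "replay_why": replay_why,
            "forge_ok": forge_ok, "forge_why": forge_why, "second_ok": second_ok,
            "pan_in_tokenized_pos": leaks(tokenized_pos), "pan_in_legacy_pos": leaks(legacy_pos)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the first and second legitimate payments approved, the scraped payload rejected as a replay, the re-priced payload rejected for a bad cryptogram, and the real card number present only in the legacy terminal's memory. The point a practitioner should take from it is the one the paragraphs above make: tokenization does not stop a merchant compromise, it makes the stolen data worthless.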

Attention Walmart shoppers

Now there's no doubt that Apple wants to sell lots of new iDevices so consumers can take advantage of its marvelous new Apple Pay solution. Apparently a lot of consumers wish to do so as well, with Apple reporting that over a million cards were linked to Apple Pay within the first 72 hours of its availability.

So it’s all sweetness and light out there with retailers clamoring to get on board, right?

Not exactly. While Apple says Apple Pay can be used at over 220,000 retail locations, notably McDonald's restaurants, Walgreens pharmacies, Whole Foods grocery stores, Apple stores (of course), Bloomingdale's, Macy's, Duane Reade, Sephora, Petco, Panera Bread, Staples, Nike, Subway and others, there's a list of retailers who are holding out.

Among those dissenters are Walmart, Best Buy, Sears, Target (yes, them), Gap, CVS, Rite Aid and many others. This despite the fact that many of their stores already have NFC-capable POS terminals that would work with Apple Pay.

Those corporations, members of the Merchant Customer Exchange (MCX) consortium, are on board with an e-pay system called CurrentC, which is scheduled to go live next year.

While there are reported problems with CurrentC, the retailers very much want a solution that takes the card networks (MasterCard, Visa, etc.) out of the equation.

When a customer pays with a credit card, the retailer pays roughly one to three percent of the purchase price in interchange and network fees. Over millions of purchases this adds up. By routing payments directly against customers' bank accounts instead, a company like Walmart could potentially save billions of dollars a year.

Is CurrentC safe?

The CurrentC implementation is cloud-based. When you sign up for CurrentC, the system stores your personally identifiable information (PII), debit card, and bank account information in the cloud.

When the customer makes a purchase, the CurrentC POS system connects to that cloud service to retrieve the stored account details so the customer's bank account can be debited.

See a potential problem here? I do.

Remember that Target and the other companies that have been breached also held names, addresses, card data and other PII.

True, that data sat on their corporate networks rather than in a cloud service, but the effect is the same: a single high-value store of real account numbers and identities, out there waiting to be stolen, and attackers will definitely work out how to get at it.

A tokenized system like Apple Pay gives an attacker far less to go after. Compromising a merchant yields only tokens and spent cryptograms, and the mapping back to real card numbers lives with the card networks, not with the retailer.

The right thing to do

Maybe CurrentC will figure out how to avoid being hacked, and convince customers that their information is safe. But wouldn’t it be better for retailers to support multiple solutions, including Apple Pay?

You know, actually giving customers a choice.
