Tokenization: the answer to retail data breaches?

Replacing credit card numbers with random characters would have prevented 59 percent of major retail data breaches, according to a new report.

The replacement process, known as tokenization, is designed to prevent fraud by randomly generating numbers that stand in for sensitive information during transactions.

The Payment Card Industry Security Standards Council is urging the payment industry to adopt tokenization products.

But security firm CBI found that 97 percent of records stolen in recent retail data breaches would still have been compromised in tokenized systems.

In the 22 retail breaches studied, most customers’ data was compromised at the point-of-sale terminal.

Malware aimed at breaking into that equipment is proliferating online, and would remain an effective tool for hackers who want to catch data before it is tokenized.

"The tokenization takes effect after the credit card has been swiped, and the data is protected at that point forward," CBI security strategist J. Wolfgang Goerlich told CSO Online.

"But it is still not protected in the memory of the machine," he said.

Tokenization would have protected consumer data in 41 percent of the retail breaches because they involved cyberattacks on servers or databases, the report stated.
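
The split the report describes, as an added example that is not from the report or the article: a hypothetical in-memory token vault and a card-number discovery scan (digit runs that pass the Luhn check), run over one constructed swipe. The class and function names, the test card number and the record layouts are assumptions made for illustration.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only place a token maps back to a card number."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        while True:
            # Random digits plus the real last four (kept for receipts).
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject Luhn-valid candidates so a token never passes as a card.
            if not luhn_ok(token) and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def find_pans(blob: str) -> list:
    """Discovery scan: 13 to 19 digit runs that pass the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", blob) if luhn_ok(m)]

def simulate_swipe(vault: TokenVault, pan: str):
    """Return what each stage holds after one constructed swipe."""
    terminal_buffer = f";{pan}=2512101?"    # constructed track data, pre-tokenization
    token = vault.tokenize(pan)             # happens after the swipe
    db_row = f"order=1001 token={token} amount=42.50"   # constructed merchant record
    return terminal_buffer, db_row, token

if __name__ == "__main__":
    vault = TokenVault()
    buf, row, _ = simulate_swipe(vault, "4111111111111111")  # well-known test number
    print("terminal buffer:", find_pans(buf))   # the card number is found here
    print("merchant record:", find_pans(row))   # nothing to find here
```

The same scan that comes back empty on the merchant record still finds the card number in the terminal's buffer, which is why the server and database breaches are the ones tokenization covers.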

The process of tokenizing transactions has become associated with products like Apple Pay, which use it to defend consumer data.

The White House recently announced that Apple Pay would be available as an alternative to federal payment cards in systems like GSA SmartPay and would be available for transactions in national parks.