Despite advances in technology, online fraud and payment security continue to be significant issues and cost drivers for e-commerce merchants. Web applications are the leading source of data breaches and account for the majority of compromised data records. The majority of these records contain payment card data — highly sought after because it is relatively easy for criminals to monetize.
This is a true “double whammy” for e-commerce merchants — they are not only targets for cybercriminals because of the large volume of valuable electronic payment card data they must handle and store in the course of conducting business, but also a frequent target when these criminals look to turn compromised data into cash through fraudulent transactions.
To solve the problem, a two-pronged approach is required. Tokenization technology enables e-commerce merchants to avoid handling or storage of payment card data altogether, while maintaining the ability to process transactions and use transaction data for post-purchase business operations. If there is no data for fraudsters to steal, merchants become less of a target and eliminate one of the main sources of risk and drivers of compliance spend in their enterprise.
In addition, sophisticated risk-analytics and automated antifraud tools can increasingly identify and eliminate fraudulent transactions that affect the merchant’s bottom line.
The first “prong” is an increasingly popular approach for the protection of sensitive data which uses data substitution with a token (or alias) as a replacement for a real credit card number. In the process of tokenization, actual cardholder data is used to initiate a payment transaction and, once the transaction is authorized, this sensitive data is sent to a centralized and highly secure server called a “vault,” where it is stored securely.
At the same time, a random unique number is generated and returned to the merchant’s systems for use in place of the cardholder data. The vault manager maintains a reference database that allows the token number to be exchanged for the real cardholder data if it is needed again for, say, a chargeback or a recurring billing.
Meanwhile the token number, which cannot be monetized, can be used in various auxiliary business applications as a reliable substitute for the real card data but contains no elements of the original sensitive data. In an e-commerce setting, payment gateways are typically the token providers and vault managers. Further, the use of a hosted payment page prevents the actual cardholder data from ever being present in a merchant’s systems.
Tokens can be either transaction-based or card-based. Transaction-based tokens reference individual transactions, whereas card-based tokens reference individual card numbers and are reused every time the corresponding cards are used.
While payment gateways or hosted e-commerce services frequently provide transaction references that can be used in this fashion, a card-based token provides a constant reference point that can be used to enable business applications that are based on card numbers — such as customer loyalty programs or behavioral analytics. Card-based tokens also allow the tracking of consumer purchase behavior across online and brick-and-mortar points of sale, which is impossible with a simple transaction reference.
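The vault mechanics described above, with both transaction-based and card-based tokens, as an added illustration that is not code from the article or from any gateway product; the vault class, the sample card number (a widely used test PAN) and the merchant-side record layout are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Hypothetical token vault: the only place the real PAN is stored.
    Tokens are random digits drawn from a CSPRNG, so they carry no
    element of the original card number."""
    _by_token: dict = field(default_factory=dict)  # token -> PAN
    _by_card: dict = field(default_factory=dict)   # PAN -> card-based token

    def _new_token(self, length: int = 16) -> str:
        # Draw until an unused value is found, so each token is unique.
        while True:
            tok = "".join(str(secrets.randbelow(10)) for _ in range(length))
            if tok not in self._by_token:
                return tok

    def tokenize_transaction(self, pan: str) -> str:
        """Transaction-based: a fresh token for every authorization."""
        tok = self._new_token()
        self._by_token[tok] = pan
        return tok

    def tokenize_card(self, pan: str) -> str:
        """Card-based: the same token every time this PAN is presented,
        which is what loyalty or cross-channel analytics need."""
        if pan not in self._by_card:
            tok = self._new_token()
            self._by_token[tok] = pan
            self._by_card[pan] = tok
        return self._by_card[pan]

    def detokenize(self, token: str) -> str:
        """Vault-side lookup used for chargebacks or recurring billing."""
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant keeps after authorization: a card token and a
    display fragment, never the PAN itself (constructed layout)."""
    return {"card_token": vault.tokenize_card(pan),
            "last4": pan[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 42.50)  # constructed test PAN
    print(rec, "->", vault.detokenize(rec["card_token"]))
```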
Tokenization provides significant value to e-commerce merchants. It vastly reduces risk in the event of a data breach, because the process eliminates sensitive cardholder data from a merchant’s environment. If token numbers are breached, they are meaningless to anyone who would attempt to use them, because the tokens are simply random numbers.
Using token numbers instead of real card data in back-end business applications shrinks the merchant’s cardholder data environment (CDE) that is subject to PCI compliance requirements and audits. This reduction of PCI scope can save merchants significant time and money in their compliance programs.
Risk-Analytics and Automated Antifraud Tools
The second prong of the solution involves adaptation, analytics and automation. With an intelligent, profit-seeking, adaptable opponent, it’s important that defenses likewise learn from experience which indicators are good predictors of fraud. This requires monitoring transactions and tuning behind the scenes to spot the presence of fraudulent activities and the emergence of new trends.
This is a selective process in an evolutionary sense: ensuring that the variables and patterns that are relevant become more significant and those that are less significant move out of the picture. In effect, this makes actionable information available for better triage, pruning and automation.
Automation itself can be tricky precisely because of the intelligence of cybercriminals looking for the “double-payout” or the “double-whammy.” Whenever there is a reflex built into a system, an opponent can seek to take advantage of that trigger and response. It becomes extremely important to “tune” the system for predictability, repeatability and, most important, context and improvement.
In this day and age, forensics, real-time monitoring and self-checking are all about intelligence; and the world of fraud is about context, context, context: where a transaction is coming from; whether it’s normal for this person; at the right time of day; with a normal delivery address; associated with a holiday, and so on.
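The context signals listed above (origin of the transaction, what is normal for this customer, time of day, delivery address, holiday), combined with the earlier point that indicators which predict fraud should gain weight while others fade, as an added example; it is not code from the article, and the indicator names, customer profile, weights and update rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Context indicators taken from the signals the passage lists; each is judged
# against what is normal for this particular customer.
INDICATORS = ("foreign_country", "odd_hour", "new_address", "holiday_order")


@dataclass
class CustomerProfile:
    home_country: str
    usual_hours: range        # local hours in which this customer normally buys
    known_addresses: set      # delivery addresses seen on past good orders


def indicators_for(txn: dict, profile: CustomerProfile) -> dict:
    """Derive boolean context indicators for one transaction (constructed fields)."""
    return {
        "foreign_country": txn["country"] != profile.home_country,
        "odd_hour": txn["hour"] not in profile.usual_hours,
        "new_address": txn["ship_to"] not in profile.known_addresses,
        "holiday_order": txn.get("holiday", False),
    }


class AdaptiveScorer:
    """Weighted sum of indicators. Weights are tuned from confirmed outcomes so
    that indicators which actually predicted fraud gain significance and the
    rest move out of the picture."""

    def __init__(self, threshold: float = 1.0, rate: float = 0.25):
        self.weights = {k: 0.5 for k in INDICATORS}   # hypothetical starting weights
        self.threshold, self.rate = threshold, rate

    def score(self, ind: dict) -> float:
        return sum(self.weights[k] for k, hit in ind.items() if hit)

    def flag(self, ind: dict) -> bool:
        return self.score(ind) >= self.threshold

    def learn(self, ind: dict, was_fraud: bool) -> None:
        """Perceptron-style update: only on a wrong call, and only the
        indicators present in that transaction are adjusted."""
        if self.flag(ind) == was_fraud:
            return
        delta = self.rate if was_fraud else -self.rate
        for k, hit in ind.items():
            if hit:
                self.weights[k] = max(0.0, self.weights[k] + delta)
```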
At the end of the day, it’s critical that merchants and those in the payment fulfillment supply chain share intelligence and context as much as possible and build security into their systems and tools, while working on behavioral norms to establish operational doctrines and best practices that can reduce fraud and improve over time.
If merchants are successful with this two-pronged approach, they will be able to reduce time, effort and money spent on security and compliance for their e-commerce operations and re-invest their valuable resources on activities that can directly benefit the business — merchandising products and serving customers.
Sam Curry is chief technologist and Rob Sadowski is director, merchant solutions, at RSA, The Security Division of EMC.