Give Your Card A Security Update

Originally published on CUInsight.com

Update 7/12/16: An earlier version of this article claimed Samsung Pay did not use tokenization. They do, my mistake! Corrected. (CUInsight version not updated)

A family friend was in town this past week. She is part of the Boomer generation, so, a user of new tech, but semi-begrudgingly. At one point, we discussed how her Android phone supported mobile payment. “It’s easier and more secure for you!” I explained to her. “You’ll never need to go through the hassle of getting a new card number again!” Her response? “Yeah, still wouldn’t bother. I’d prefer to just swipe.”

This is the type of apathy you’re facing. She didn’t grow up in a world of data security breaches, and considers a reissued credit card “par for the course”. It’s not that she doesn’t believe me when I tell her that mobile payment is vastly better. She just doesn’t care.

Maybe I framed it wrong, as we all have, by using terms like tokenization instead of just calling it what it is: a security update for your credit card. So what is tokenization (To-Ken-I-Zeh-Shun)? Besides a big, scary word, of course. It’s always thrown around when mobile payments are discussed, but a recent survey shows understanding is lacking.

Nearly a third of people admit to not knowing what it means and almost half say that it wouldn’t encourage them to use mobile payments. My interpretation: That latter group doesn’t grasp what it is either, but is afraid to admit it.

In reality, it doesn’t matter if people know the term, because the benefits work regardless. That said, I’m all about clarity, so here’s an explanation!

So, what is it and why should you care? Tokenization describes how your card number is handled during the transaction. Still fuzzy? That’s ok.

Here’s how a normal purchase works (greatly simplified and leaving out the payment processor):

1. Swipe at terminal (or type number on computer).
2. The number on the front of your card goes to the merchant.
3. Merchant asks credit card issuer (your credit union or bank) if the number is good.
4. Bank or credit union looks at number and gives a “yay or nay”.
5. Merchant keeps your name and card number so they know who you are when you buy again.

As you can see, the number on your card passes through multiple hands, and even stays with some. While your financial institution guards the number, others along the line may not. This is how major breaches occur. Bad actors break into these non-bank systems and steal the list of names and numbers, then sell them on the black market. Sometimes they lie in wait, gathering new numbers for months before anyone even notices. Then, the numbers are sold or posted online, and that’s when your frustrations begin.

Here’s how a tokenized mobile payment works:

1. When you add a card to your phone’s “wallet”, it asks your bank or credit union to verify your identity.
2. Your issuer then creates a new number just for mobile payments (which you never see).
3. Upon paying with your phone, a fingerprint is required to show it’s really you.
4. The phone then uses your “mobile payment” number to make another one-time-use number and sends that to the merchant.
5. The merchant asks your bank or credit union if this number is good, but learns nothing from it, since it will never be used again.

The number on your card never leaves your possession. Best part of this? If every one of those systems was hacked, your card number would still be safe. The issuer just makes a new “mobile payment” number for you, and that’s it. No canceling accounts, changing numbers, or mailing cards. In fact, it might happen without you ever knowing. Think of it like a security update for your credit card.
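The five steps above can be modeled in a few lines of Python. This is an added illustration, not code from the original article or from any real payment network: the class names, the HMAC-based one-time number and the payment counter are assumptions chosen to match the simplified description, and the fingerprint check in step 3 is left out.

```python
import hashlib, hmac, secrets

def one_time_code(key, token, counter):
    # Assumed stand-in for the one-time-use number: HMAC over number + counter.
    return hmac.new(key, f"{token}:{counter}".encode(), hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self):
        self.vault = {}  # mobile number -> [card number, secret key, last counter]

    def provision(self, card_number):
        # Step 2: create a new number (and key) just for mobile payments.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = [card_number, key, 0]
        return token, key

    def authorize(self, token, counter, code):
        # Step 5: "yay or nay"; each counter value is accepted only once.
        entry = self.vault.get(token)
        if entry is None or counter <= entry[2]:
            return False
        ok = hmac.compare_digest(one_time_code(entry[1], token, counter), code)
        if ok:
            entry[2] = counter
        return ok

    def reissue(self, old_token):
        # After a breach: retire the mobile number, keep the card number.
        return self.provision(self.vault.pop(old_token)[0])

class Phone:
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0
    def pay(self):
        # Step 4: derive a one-time number and hand it to the merchant.
        self.counter += 1
        return self.token, self.counter, one_time_code(self.key, self.token, self.counter)

def demo():
    card = "4111111111111111"  # constructed sample card number
    issuer = Issuer()
    phone = Phone(*issuer.provision(card))
    merchant_db = [phone.pay()]                  # all the merchant ever stores
    first = issuer.authorize(*merchant_db[0])
    replay = issuer.authorize(*merchant_db[0])   # same record presented again
    card_exposed = any(card in str(rec) for rec in merchant_db)
    phone = Phone(*issuer.reissue(phone.token))  # new mobile number, same card
    return first, replay, card_exposed, issuer.authorize(*phone.pay())
```

`demo()` returns `(True, False, False, True)`: the first payment is approved, the same record presented a second time is declined, the merchant's stored data never contains the card number, and payments keep working after the issuer swaps in a new mobile number.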

Tokenization isn’t scary. Swiping your card the old way is. Your credit union put a lot of work into supporting the mobile payment systems…growth will remain stagnant if only 1/4 see the value. Help your members live a safer financial life and spread the knowledge!

Yeah, Another Hack

This isn’t the first CUbit you’ve read discussing a hack. Wasn’t the first about cars?

Well, there’s another high-profile hack to discuss today. This time, cyber criminals hit Starwood Hotels across the country. Starwood is the parent company, but I’m sure you’ll recognize Sheraton, Westin, even the Dolphin hotel at Walt Disney World. If you’ve stayed at any of these properties in the past year, keep an eye on your credit/debit cards.

How did they do it? “Who cares?” you say, “the data is already stolen, and it’s always the same thing.” To some extent, you’re right. Obviously, people looking to take your money gained access to your data somewhere down the line. What I consider important is the point on the line where it happens. First, kudos to the entire banking industry, since we almost never hear about leaks stemming from their end. Your security processes mean the low-hanging fruit for criminals is somewhere else. That “somewhere else” is at the point of sale. Malware (read: software made to do mean things) was installed on POS systems, so every card swiped could potentially be saved for later use.

I have a few issues with this type of hack, which tends to be a more common approach. The primary one: It’s completely avoidable!

That’s right. There’s no reason for any card information to be stolen in this way, ever again. We have two advances to thank:

1. EMV chips. You know that gold square on your card? It houses a computer chip which creates a one-time use card number and does some other voodoo along the way to increase security. However, it’s not always used! That chip (and the security that comes with it) only runs when you insert your card in the bottom slot, not when it’s swiped. Personally, I’d never swipe with an EMV card if at all possible. When I was in Peru, we ate at a restaurant where the server came to our table with the card machine. He inserted our EMV cards into the slot, right there. No one walked away with the card. That was the norm. As EMV cards become ubiquitous, this should be demanded here, too.

2. Mobile or Tap to Pay. Systems like Apple Pay and Android Pay bypass the attack vector of this hack as well. Like EMV, they pass a one-time use number to the system, and hold your card number close to the vest. On iPhones and some Android phones, they also require a fingerprint, further ensuring the person paying is actually you. These mobile payment platforms protect your data from everyone, sometimes to the chagrin of the merchants (who want that data for marketing purposes). The tap-capable cards use the same tech (just without going through Apple or another company).

Bottom line: You’re going to see these hacks on a regular basis. Whether your information is part of the leaks is partially up to you. Are you using an EMV card, and doing so in the bottom slot, every time? Or did you add your cards to Apple Pay and “touch to pay” wherever you go?

No security is 100%, but by embracing the best tech we have (and mobile payment is awfully convenient, too), you can reduce the chances of needing to have your card replaced again and again.
