Securing customers’ credit card data for online and mobile purchases has long been a concern for financial institutions and merchants alike. And this concern has only grown as a number of high-profile data breaches over the past few years – at Target, Home Depot and JPMorgan Chase among others – have drawn the public’s eye to the seriousness of the issue.
So one might wonder how merchants can securely store payment data. Our advice is: don’t do it! We have already pointed out how card-on-file solutions pose an inherent threat. In fact, PCI DSS – the security standard created by the world’s leading credit card companies – states that merchants should not store card data unless absolutely necessary.
Tokenization-based solutions such as those by Apple, Google and Cellum have an onboarding process that establishes multiple layers of security. Each company takes a slightly different approach, but essentially there is a possession-based element and a knowledge-based element (i.e. both the device and the user’s identity must be verified).
In order to explain why each of these steps is essential in creating security in an inherently insecure environment, we offer an inside look at how our “Split Secret” card vault technology makes mobile payments both convenient and super-safe, via a step-by-step walkthrough of how accounts are created and cards registered, and why each step is important.
Accept Terms and Conditions: This quickly establishes the necessary legal framework between the user and the bank for the mobile payment service.
Enter phone number: The phone number serves as the “user name,” and the “possession” part of our possession and knowledge-based security.
Enter activation code: Entering the SMS/text code sent to the user following the previous step creates a secure, encrypted communication channel between the device and the server.
Enter mPIN: The mPIN (or mobile PIN) created by the user serves as a digital signature and is used to authorize individual transactions, making sure that no payments are made without the authorized user’s approval. The mPIN serves the same security function as the fingerprint reader in some mobile payment solutions (e.g. Apple Pay) but does not require any special hardware.
Register bank card: Any number of payment cards or payment “instruments” can be registered, depending on the bank or other institution offering the payment app. When the user taps “Register” the entire dataset is encrypted and split into pieces, some of which are sent to the cloud, while the remainder is stored on the phone. When making a transaction, the pieces are brought together and the mPIN is used to decrypt them. Crucially, the full card details are never left in the possession of the merchant being paid, which is where most card fraud problems take place.
Card activation: To ensure that only the authorized cardholder can use the card, a small transaction is made with the card which includes an activation code visible to the card’s owner using any of the normal ways they access their account (most commonly text/SMS alerts, e-banking or phone banking). Once the user enters the activation key, the card is activated and ready for use. Some other mobile payment systems (Apple Pay) authorize cards by alerting the banks and having them contact the user, which can add time to the process.
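The encrypt-and-split idea from the “Register bank card” step can be sketched as follows. This is an added illustration, not Cellum’s implementation: the page names no algorithms, so the PBKDF2 key derivation, the HMAC-SHA256 keystream (a standard-library stand-in for an AEAD cipher such as AES-GCM), the two-way XOR split and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for an AEAD cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _keys(mpin: str, salt: bytes):
    # Stretch the low-entropy mPIN into separate encryption and MAC keys.
    k = hashlib.pbkdf2_hmac("sha256", mpin.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def register_card(card: bytes, mpin: str):
    """Encrypt under the mPIN, then split into (device_share, cloud_share)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(mpin, salt)
    ct = _xor(card, _keystream(enc_key, nonce, len(card)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    blob = salt + nonce + ct + tag
    cloud_share = secrets.token_bytes(len(blob))  # uniformly random pad
    device_share = _xor(blob, cloud_share)        # useless without the pad
    return device_share, cloud_share

def recover_card(device_share: bytes, cloud_share: bytes, mpin: str) -> bytes:
    """Recombine both shares and decrypt; fails closed on a bad mPIN or share."""
    if len(device_share) != len(cloud_share) or len(device_share) < 64:
        raise ValueError("malformed share")
    blob = _xor(device_share, cloud_share)
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(mpin, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong mPIN or tampered share")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

if __name__ == "__main__":
    card = b"4111111111111111|12/30|123"  # constructed test data, not a real card
    dev, cloud = register_card(card, "4821")
    print(recover_card(dev, cloud, "4821"))
```

In this sketch each share on its own is indistinguishable from random bytes, but a party holding both shares can still try mPINs offline, so release of the cloud share should be gated by server-side attempt limits.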
Altogether, the process of setting up an account and registering a primary payment instrument takes the average user about five minutes. While this may seem like a lot of time to some especially attention-span-challenged members of the new digital generation, it is a blink of an eye compared to how long it takes to open a traditional bank account – or how much time can be saved in the long run using mobile payments instead of traditional plastic cards. Not to mention how much time it takes to clean up after the data of a plastic card is stolen when being swiped at a poorly-secured point-of-sale terminal.