Payment security vastly improved when you DON'T ENTER your BANK DETAILS

Developments around "tokenisation" should help to “instil confidence in a payments environment challenged by more frequent data breaches” and fraud, according to a report released by the Federal Reserve Bank of Boston. The June 2014 report from the US Federal Reserve's Mobile Payments Industry Workgroup (MPIW), which was …

  1. Test Man

    This is the feature that Apple Pay implements? It's a version of Visa's implementation?

    1. Frankee Llonnygog

      It's a version of Visa's implementation?

      Yes - and MasterCard's. Inventing their own would have been a recipe for failure in the market

  2. Christoph

    Can I be the first to say ...

    It's just a token gesture

    1. Mike Bell

      Re: Can I be the first to say ...

      No, you can't.

      I said that years ago when I won a beer-voucher in a pub quiz.

  3. Dr. Mouse

    We are currently implementing this on our new website. It's a great way to handle card payments: Sensitive info never touches our servers, it all goes straight to the card processor who gives us a token to use.

    Personally, I could see this being moved even further away, right to the customer. Rather than them providing their card details, they generate a one-time code. This is then given to the online merchant, and they can process that one payment (and/or store it for future use, depending on the data used to generate the code). Unfortunately, this would require a standardisation on the tech involved in multifactor authentication, which banks seem unable or unwilling to do.

    1. John Sager

      This is essentially how I do online banking with Barclays. The card & card reader together generate an 8-digit token to use at login. It can also validate payment transactions made from the account. However, not all the digits are 'random' - at least the first two are a counter on the card. That wouldn't be good enough for this application though - the token needs to be much longer, and it would need some kind of way of tying that particular token to the transaction.

      1. dogged

        > This is essentially how I do online banking with Barclays

        Me too, and it'd be great if I weren't forever losing the bastard card-reader.

    2. xeroks

      sure I've seen this before

      I'm sure I had a credit card that did something like this years ago - when you used it in online transactions, you could generate a unique number, start and end date.

      Seemed a good idea, but then websites stopped accepting it.

      1. heyrick

        Re: sure I've seen this before

        "when you used it in online transactions, you could generate a unique number, start and end date."

        I have exactly this with my bank. A MasterCard (so fewer compatibility problems) which is a virtual number and limited to a predefined transaction amount. Use it when I need to buy stuff online, and the only problem I've encountered is PayPal (for eBay) gets a little shirty if you buy five different things with five different credit cards. But, hey, not getting with the times is their problem. They still want me to provide my real banking information to verify myself (aww, bless...).

        1. Anonymous Coward

          Re: sure I've seen this before

          "They [PayPal] still want me to provide my real banking information to verify myself (aww, bless...)."

          No, they want your real primary card number because, unlike tokens, it is an open wallet, in which they can dig "by mistake", a mistake you'll have the burden of getting fixed.

          Full story here: http://www.theregister.co.uk/2014/07/23/paypal_postcheckout_rort_a_feature_not_a_bug/

          PS: remove your primary card, now.

          1. heyrick

            Re: sure I've seen this before

            "in which they can dig "by mistake", mistake you'll have the burden on you to have fixed." - don't panic. I was being a bit sarcastic there, hence the "oh bless" remark. :-)

            Those I don't trust aren't going to get my real banking information. Period.

            There have been a number of reports along the way about PayPal's seemingly arbitrary habit of freezing accounts for their internal investigations, with nothing happening and no communication until the mainstream media get involved. Behaviour of that nature doesn't inspire trust.

            Yup. I remember the story linked to. I expect to pay what is shown to me and not a penny more.[*] If a seller tries to load in extra charges, the transaction would fail and I'll leave it up to PayPal to explain why an authorisation for XX suddenly turned into something else.

            "PS: remove your primary card, now." - thanks for the suggestion, but that's a virtual card too, and one which has reached its allowed amount.

            * - actually, I add a euro or two as eBay's translation into my currency always seems to conveniently forget PayPal's conversion fee. Funny, that...

    3. Frankee Llonnygog

      We do it on our website

      Means we don't have to comply with PCI DSS! That's a few million every year saved.

      1. IT Hack

        Re: We do it on our website

        @ Frankee

        "Means we don't have to comply with PCI DSS! That's a few million every year saved."

        Actually, yes, you do need to undergo a compliance check and get the certification. However, it also means, as you correctly state, that you won't need to secure your infrastructure to meet PCI compliance for non-token-based environments.

    4. IT Hack

      Dr Mouse

      Why? Surely it is easier to have your website open a window direct to your payment processor? Means it completely bypasses your site and you don't have to worry about tokens etc.

      Of course you need to get the PCI compliance certificate, but I had no issue getting past the SAQ... all the cert company did was open the link on the website and checked the URL... of course the payment processor needs to be also compliant, and that is verifiable via the payment processor at a cost of I believe £50.

      1. Dr. Mouse

        Why? Surely it is easier to have your website open a window direct to your payment processor?

        It also looks rather horrible.

        This is not for a garden shed business, but a reasonably large beauty products distributor. We need to look professional.

        A payment tokenisation system looks, to the average punter, as if they are sending all details straight to us. Instead, the form sends the details up to the payment processor and retrieves a token for us to charge.

        Granted it is more complicated, but it looks a hell of a lot better than "OK, we have your order, now someone needs to take your money on our behalf because we can't be trusted with it".

        WRT PCI DSS, tokenisation doesn't exclude you from it, it just reduces your scope, as you aren't storing any card data.

        1. IT Hack

          @ Dr. Mouse

          It also looks rather horrible.

          That's debatable to be honest... but it is a very valid point and I probably would tend to debate in favour of your point. Guess it depends if you have the readies and tech to ensure you're on the right side of the compliance matrix though. We don't, so need to be cost effective and do the right thing. Not easy but do-able.

          We use both - on one website we use a separate pop-up for the payment processor and on another system we use tokens.

          We are of course compliant in both and certified.

  4. Anonymous Coward

    Great idea, but I won't be holding my breath. If it only concerns the actual security of customers' money and requires any kind of effort, I doubt we'll see British banks leading the charge for adoption, since their usual speciality is deniability where their liability is concerned. The security token Natwest issued me with such fanfare has gathered dust in a drawer for 5 years, having been called for exactly once, which I think was to confirm I'd received it.

    1. FredBloggy

      Actually I think British banks, shops etc. will adopt tokenisation pretty quickly when it is available in Europe, as it greatly eases their PCI requirements and prevents great embarrassment should they leak card information (see Target and Home Depot in the US).

      At the moment Visa and Mastercard only support Tokenisation in America; expected over here in 2015 (this is also why ApplePay is US only at the moment).

      When it arrives, it will allow shops - or mobile wallets - to ask Visa or Mastercard for a token for a given credit/debit card. The token will be provided if the credit/debit card issuer signs up with Visa/Mastercard, and the credit/debit card issuer authenticates the request as originating with the card holder.

      Once the shop has the token, the shop can drop the original card number and store the token for disputes or new payments, with Visa/Mastercard swapping the token for the original card number prior to sending the payment to the card issuer.

      The token provided will be tied to that particular shop (or device in the case of the mobile wallet). This means that if the shop is breached, or the device lost, the token is not of value elsewhere. This is of value to the shop, the card issuer and the card holder. And is actually pretty invisible to card holders, which should greatly help the implementation!

  5. TakeTheSkyRoad

    My token of choice is bitcoin thanks.

    Today is pay day so I bought 1.0 BTC with a bank transfer in 10 minutes and these will be used to pay for my ASDA shopping, Steam purchases, Amazon purchases etc. etc. Mainly via a site which allows you to buy vouchers for bitcoin rather than directly, but it's coming.

    Paying directly like this means that fewer and fewer companies will be holding copies of my card details. It is likely that when I next get issued a new card I won't update Steam & the PlayStation Store, I'll just top up the balance with vouchers instead. This is a bit slower I'll grant, but means fewer steps and means I'm less exposed to fraud.

    The tokenisation idea is great but I don't see it taking off since many banks have invested in their own electronic payments plans (Paym, Pingit, ApplePay, etc) which they hope to replace cards with and make money on. Thus there is little incentive for them to extend this to another new initiative.

    It's just a little late to the party really.

    1. EssEll

      Re: My token of choice is bitcoin thanks.

      And bitcoin's a secure and stable currency is it?

      Don't worry, I know the answer...

      1. TakeTheSkyRoad

        Re: My token of choice is bitcoin thanks.

        Well that didn't take long for someone to bring up :D

        The discussion point I wanted to raise was the payment method not the stabilisation of the currency.

        However, given that bitcoin is still in its infancy I don't expect much more than a 10% change in the next couple of days (which I'm accepting as an early adopter cost) by which point I will start spending them.

        What is your security concern vs providing a company with your card details ?

        1. EssEll

          Re: My token of choice is bitcoin thanks.

          Why is one form of online currency transaction any better than another? Answer: the banks spend millions on security and are always looking for ways to improve. They have to - security is their number one concern.

          How much does bitcoin spend on security? Answer: given all the very well publicised hacks, probably WAY more than it used to. But I'll bet it's still a fraction of what a bank spends.

          1. TakeTheSkyRoad

            Re: My token of choice is bitcoin thanks.

            Ok, you speak of bitcoin in terms of a company, which it is not. It is a de-centralised network within which numbers can be moved securely between unique addresses. These numbers can range from 21 million down to 0.00000001 and can be exchanged for stuff (pizza) or currency (£/$) giving them value.

            Now the well publicised hacks you mention are down to individual companies being rather lax in their security which does happen. If you move your balance to an address controlled by another company this puts you at risk and this has happened with Mt Gox to pick a well known example.

            If you keep the balance in an address controlled by yourself then the security risk/responsibility is yours. I keep my shopping budget on my phone for example with a backup of the address keys saved to email and a lock code on my phone. The phone is a BlackBerry (who have quite a good security rep) and I am wary of installing junk apps so I think this is a low risk solution and I am unlikely to be hacked. If I lose the phone I can have the keys restored and any balance moved to a new wallet address within an hour of reaching an internet connection.

            My original point is that a bitcoin payment is a one way payment, this is secure and for myself at least has started to replace card transactions. As a result fewer and fewer companies get to save my card details to their servers.

            Each of those companies is a risk and they had better ALL have spent millions on bank-level security each for my card details to be kept safe. With so many hacks exposing card details that's clearly not happening.

    2. Old Handle

      Re: My token of choice is bitcoin thanks.

      I don't think Bitcoin is necessarily the answer, but it does offer something no other popular payment system has. It requires each transaction, including the amount and the payee, to be digitally signed by the payer. It seems to me something similar is the ultimate goal we should be working towards for secure payment. There also needs to be a way to make sure a transaction signature can't be used twice. Bitcoin handles that with the blockchain, but it could also be done with either a random number that must be unique, or even a sequential number like checks (cheques) have. A time stamp or expiration date (again, like checks have) would also be a good idea. All of that should be cryptographically signed by the payer.

  6. P. Lee

    I've seen banks going the other way

    Using things like Protegrity's "vaultless" tokenisation.

    Vaultless = encryption/obfuscation where an on-box agent uses an algorithm to reverse the token to the real value when required. It's very fast, you don't need a database... and it ain't tokenisation.

    Every host with the agent then becomes a weak-point and every token is reversible forever.

  7. Simon Rockman

    This is quite common with online sites

    I've used it with voicepay and the excellent stripe.com

    Simon

