The data breaches, major and minor, that we’ve seen over the past few years aren’t going anywhere. Payment system and database hacks are, for now, basically inevitable. And that’s why Visa and MasterCard have both announced plans to expand their security features for online shopping.
The Wall Street Journal reports that the two largest credit card companies have this week both announced new initiatives launching this spring to protect shoppers (and merchants) from fraud and theft.
MasterCard frames their two-pronged approach as increasing “peace of mind.” One element is a program called MasterCard Safety Net. The company claims vaguely that Safety Net “provides an independent layer of security on top of the tools and policies of financial institutions, by monitoring and blocking specific transactions based on selected criteria.”
If that sounds like it might be inconvenient and/or creepy, MasterCard has apparently guessed that you feel that way. The company promises, “Safety Net is designed to intervene only in extreme cases to block fraudulent activity.”
The other half of MasterCard’s strategy is biometrics. The company is pairing with First Tech Federal Credit Union to work on a pilot program that will allow customers to use unique identifiers — including face, fingerprint, and voice matching — to authenticate and verify transactions. If it goes well, other card-issuing banks are likely to follow in the future.
And what of more pedestrian security concerns, like getting Americans onto the chip-enabled cardseveryone else uses? MasterCard reports that the transition is “well underway”, with half of all cards and just under half (47%) of all point-of-sale terminals projected to be chip-enabled by the end of 2015.
Visa, meanwhile, is taking a different approach. Where MasterCard is focusing on making the customer prove a charge is authorized, Visa is working on scrambling information that might be stolen, so that it’s useless when it is.
Their initiative is called the Visa Token Service, and it launched last year. It works in basically the same way Apple Pay does (in fact, it’s part of Apple Pay): instead of transmitting your 16-digit card number, expiration date, and security code, Visa instead shares a unique number — your token — with the merchant getting paid.
If someone intercepts the transmission or the system and manages to yank that token, all they have is a string of numbers. It’s not a thing that can be cloned onto a new payment card or used in any meaningful way.
What’s new about it is that Visa is trying to expand the Token Service out of just mobile payments, and into traditional online retailers as well. When your credit card is stored on the site of a merchant you regularly shop with, that’s a weakness: anyone who breaches that database has to everything they need to commit fraud on your card. But if the merchant stores a random token in your account information, instead of your credit card number, that data once again becomes meaningless to thieves even while it remains convenient to consumers.
It will continue to take time for both companies, as well as the thousands of companies people shop with, to get all of their systems upgraded. But given that tens or hundreds of millions of payment card data breaches happen every year, every step helps.