The Latest Mobile Payments Security Tool: Disposable Credit Card Numbers
Mobile payments have long had a security problem. Security concerns kept a lot of users out of the pool, and still keep more than a few from getting in at all. There’s a new security measure afoot that may address this problem, potentially for good. Advanced by several recent startups, it’s called the “virtual card,” and it delivers a whole new level of security by being usable only one time.
The notion resembles the concept of tokenization; these virtual cards effectively provide shoppers with a one-time-only credit card number that links to an actual payment account, but only for one store’s transaction. Thus, should a hacker manage to land a bundle of credit card numbers, these would be effectively useless as they would have expired after the transaction was completed.
In some cases, the numbers don’t expire immediately, but are only usable at that one store; a hacker trying to use a number obtained by skimming the Home Depot scanner would find it blocked if it were used at Amazon. Others can even be set to expire after a certain amount has been reached.
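The three controls described above (one-time use, a single-store lock, and expiry at a set amount) can be sketched as an issuer-side authorization check. This is an added example, not code from any of the companies named in this article; the class, field names, merchant identifiers and card numbers are hypothetical, and declining a charge that would exceed the cap is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class VirtualCard:
    number: str                            # constructed placeholder, not a real card number
    funding_account: str                   # real account; never shown to the merchant
    single_use: bool = False               # expire after the first approved charge
    merchant_lock: Optional[str] = None    # only this merchant may charge the number
    spend_cap_cents: Optional[int] = None  # expire once this total has been reached
    spent_cents: int = 0
    expired: bool = False


def authorize(card: VirtualCard, merchant: str, amount_cents: int) -> Tuple[bool, str]:
    """Issuer-side decision for one charge attempt against a virtual number."""
    if amount_cents <= 0:
        return False, "invalid amount"
    if card.expired:
        return False, "number expired"
    if card.merchant_lock is not None and merchant != card.merchant_lock:
        return False, "merchant not allowed"
    cap = card.spend_cap_cents
    # Assumption: a charge that would push the total past the cap is declined.
    if cap is not None and card.spent_cents + amount_cents > cap:
        return False, "over spending cap"
    card.spent_cents += amount_cents
    if card.single_use or (cap is not None and card.spent_cents >= cap):
        card.expired = True
    return True, "approved"


def replay_demo():
    """Legitimate charge followed by reuse of the same number, per control."""
    one_time = VirtualCard("VC-TEST-0001", "acct-demo", single_use=True)
    locked = VirtualCard("VC-TEST-0002", "acct-demo", merchant_lock="home-depot")
    capped = VirtualCard("VC-TEST-0003", "acct-demo", spend_cap_cents=5000)
    return [
        authorize(one_time, "home-depot", 1999),  # approved, then expires
        authorize(one_time, "home-depot", 1999),  # reuse of spent number
        authorize(locked, "home-depot", 1999),    # approved at locked store
        authorize(locked, "amazon", 1999),        # same number, other store
        authorize(capped, "amazon", 5000),        # reaches cap, expires
        authorize(capped, "amazon", 100),         # number already expired
    ]


if __name__ == "__main__":
    for ok, reason in replay_demo():
        print("APPROVED" if ok else "DECLINED", reason)
```

In each pair the second attempt reuses the number after the legitimate purchase and is declined, while the funding account behind it is never exposed to the merchant.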
Several firms are involved in this hunt, including Pay With Privacy, Token Payments, and Final, a startup from Oakland that even offers its own credit card with a rewards program. All three allow users to generate the virtual cards that connect back to the actual account, but come with several points of customization as noted previously.
Basic principles of security come down to two points: perimeter defense and internal defense. Perimeter defense is what’s most often heard about: things like antivirus tools, firewalls and even password measures. They’re designed to keep unauthorized users out of the system. Internal defense is discussed far less, and covers things like data encryption. It seeks to make what hackers could take useless; just as encrypted data is a block of numbers without the decryption key, virtual cards work to render what’s stolen unusable.
Seeing companies so fervently pursue internal defense is a welcome sight; hacking is no longer a matter of if, but rather when. Working the other side of the defensive perimeter should result in better mobile payments security for all involved.