Where Does Your Credit Card Data Go When You Press Pay?
The bedrock of online credit card payments is a mathematical trick
Online payment fraud is not only high, but on the rise. And yet, it doesn’t feel that way. We might have experienced it once or twice, but it’s not like buying airline tickets is going to get our credit card stolen. In most cases, paying online is as smooth as buying groceries at the supermarket.
What’s paradoxical is that most people assume that their conversations are not private, and that sufficiently motivated hackers can spy on the content of their emails. But somehow, credit card information seems to be safe from all of it?
Payment Card Industry, aka Visa & Mastercard
The Internet is founded on a wild-west protocol that doesn’t guarantee end-to-end message integrity or authenticity between the client and application. This design decision was deliberate: layering multiple but simple protocols one on top of the other allows for the malleability that the Internet is known for. You can send emails as complete units or stream videos live, and all of that happens on top of the same architecture.
As a result, you should assume that information sent across the Internet is being spied on. Even now that sending information over the Internet is usually encrypted, one of the most frequent ways people commit fraud is by intercepting payment information while in transit, and using it.
Before the turn of the century, everyone agreed that this design made online payments impossible. But once PayPal figured out a way to pull it off, the biggest companies in the Payment Card Industry didn’t want to be left behind, and agreed on a set of standards to prevent fraud (called 3DS) and to enforce a strict level of security when storing credit card credentials (called PCI DSS, or simply PCI).
These two standards are an extension of what card companies had created previously for the physical world, which is the main reason why there is so much convergence in the way we buy things offline versus online. In time, merchants have evolved to adopt the same processes to accept payments in both.
Effectively, the biggest payment brands act as the regulators of an increasingly complicated ecosystem that relies not on governments but on the interest of everyone involved in keeping it safe and reliable.
It is a convenience only made possible by monopolistic practices: the credit card networks enforce these standards by forcing those who do not wish to follow them out of what is effectively the real economy.
Where does your credit card number go?
The Internet being wild-west-y means that there is a limit to the effectiveness of hiding the data you send. Tokenization is a way to mitigate this risk by obfuscating your data. It works by turning your credit card data into a string of nonsense; a translation of sorts into a language known only to the parties involved.
It is similar to how checks were a more convenient way to move money, with an operating model similar to cloakrooms. In Abstracting Money Wisely, I wrote:
The check was the stepping stone of a formula that has been used ever since to improve the ease of use of money: abstraction. Not by widening the scope and acceptance with a competing version of paper, but by encapsulating the concept of gold into an effectively impossible-to-break, state-sponsored promise, checks render local paper money pointless.
Instead of carrying around your gold, you could store it securely at a national bank, and instead have a piece of paper that represented that gold, but only to the extent that the bank recognized that piece of paper as a valid representation.
Tokenization is structurally the same: rather than communicating your actual card credentials and running the risk of interception, you store them in a secure place, and you get a pointer, worthless on its own, which can be used to pay online to the extent that the institution that stores the actual credentials recognizes it as a valid pointer.
Tokenization as Math Magic
Under PCI, every company responsible for storing these credentials must make it impossible for anyone to reverse the tokenization process and infer the credit card information from the token.
The mathematical process to do so is called hashing. It’s an algorithm that converts one string of characters into another, in such a way that two similar inputs produce vastly different outputs. Hashing is cheap to compute in the forward direction, which is what produces the token, but it is infeasible to go backwards and infer the input from a token.
As a result, the only way to establish a relationship between the token and the credit card information is to store them together. This consolidates the efforts to prevent data breaches on a single goal: to prevent hackers from accessing data under the company’s control.
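The two properties just described, a one-way function in the forward direction and a stored pairing as the only way back, can be shown in a few dozen lines. The following is an added example, not code from the article or from any token service provider. It assumes an in-memory vault (a real provider keeps this store under PCI DSS controls), uses a keyed hash (HMAC-SHA256) rather than a bare hash because a 16-digit card number has too little entropy for a bare hash to resist guessing, and uses the well-known Visa test number 4111111111111111 plus a second constructed number as sample input; neither is a real card.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample inputs: the well-known Visa test PAN and a second number
# that differs only in its last two digits. Neither is a real card.
SAMPLE_PAN = "4111111111111111"
SIMILAR_PAN = "4111111111111129"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum carried by card numbers; a cheap sanity check before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count differing bits between two hex digests (the 'avalanche' the text describes)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


class TokenVault:
    """Toy token service provider (hypothetical, in-memory).

    The token is an HMAC of the card number under a key only the vault holds:
    cheap to compute here, impossible to recompute without the key, and the
    dict below is the only link back from a token to the card number.
    """

    def __init__(self, secret_key: Optional[bytes] = None):
        self._key = secret_key or secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}   # token -> PAN, the stored pairing

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        token = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault that issued a token can resolve it; anything else gets None."""
        return self._vault.get(token)

    def masked(self, token: str) -> Optional[str]:
        """What a merchant is normally allowed to display: last four digits only."""
        pan = self._vault.get(token)
        return None if pan is None else "*" * (len(pan) - 4) + pan[-4:]


def demo() -> dict:
    """Walk the card number through one vault and try the token against another."""
    merchant_vault = TokenVault()
    other_vault = TokenVault()          # a different provider with its own key
    token = merchant_vault.tokenize(SAMPLE_PAN)
    similar = merchant_vault.tokenize(SIMILAR_PAN)
    return {
        "token": token,
        "round_trip": merchant_vault.detokenize(token),
        "masked": merchant_vault.masked(token),
        "bits_differing": bit_difference(token, similar),   # near half of 256
        "foreign_lookup": other_vault.detokenize(token),     # None: worthless elsewhere
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The foreign_lookup entry is the point of the cloakroom analogy: the token only means something to the vault that issued it, which is also why a merchant dealing with several providers ends up holding several unrelated tokens for the same card.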
Scaling tokenization
Tokenization is often left to dedicated companies, called Token Service Providers, who comply with the grueling requirements set up by the credit card brands to prevent and mitigate the impact of data breaches.
However, as soon as merchants start scaling and dealing with multiple payment partners, having different token providers can be cumbersome.
There are three big trends that have come as a result of this problem.
Big Merchants are becoming PCI compliant: Because of the volume of transactions it handles, Amazon finds it not only simpler but also more cost-effective to store card information directly; making this problem its own problem is cheaper than relying on somebody else.
Credit card brands are becoming Token Service Providers: If they draft and enforce the rules for secure storage of credit card credentials, why not do it themselves? Merchants can thus bypass the set of small providers on which they depend to acquire payments, and go directly to a single, centralized source like Visa or Mastercard, expanding the scope of the tokens to their multiple partners.
Apple and Google Pay: Carrying around your phone is as habitual as carrying your wallet, so you might as well use your phone instead of your credit card for payments. Adoption is still slow for both technical and cultural reasons, but the essence of Apple’s fintech strategy is becoming a competitor to Visa and Mastercard, with the phone absorbing the credit card.
How do hackers still do it?
One way to look at this well-thought-out mechanism is to ask “there must be a way in somehow?”. Another is to assume that there isn’t, and go for the weakest link in the security chain, which is almost always a human.
Even though your data is secured under these standards, no company is safe from a rogue employee taking advantage of inconsistent permissions, or from a phishing email sent to someone in Sales.
For that reason, when paying online, rely on virtual cards that can be deleted easily, rather than your physical card.