If you're a credit-card holder who's fed up with the regular weekly warnings to protect yourself if your information was on the database of the latest major retailer who got hacked, there might be good news on the horizon.
The Wall Street Journal reported yesterday that the “credit-card industry is accelerating efforts to keep sensitive customer information out of the hands of merchants, as a rash of data breaches at major U.S. retailers erodes confidence in electronic payment systems.”
Visa and MasterCard are both adopting a new technology called “tokenization” which, according to the Journal, “replaces cardholder information such as account numbers and expiration dates with a unique series of numbers that validates the customer's identity.”
With the current credit-card system, merchants store their customers' account numbers and related information on their own databases. With tokenization, however, a “merchant can conduct a normal transaction without seeing or storing the customer's account number, expiration date or other information contained on a card. The actual card data is stored by the card issuer or processor in a 'virtual vault.'”
Presumably, whoever runs those virtual vaults will still have to ensure nobody hacks into them and steals the valuable data therein. Still, from the perspective of (for example) the MasterCard company, making sure their one “virtual vault” is secure should be much easier than hoping every single merchant who accepts MasterCard keeps their customer information in a properly secured database.
Tokenization is not the only security improvement on the horizon. American credit card companies have already promised, at some future time, to switch from current magnetic-strip credit cards to cards with “EMV” chips.
EMV, which stands for "EuroPay, MasterCard and Visa," has been standard on European credit cards for over a decade already. The difference between magnetic-strip credit cards and EMV is that the latter stores information on an encrypted microchip, rather than on the non-encrypted (and relatively easy to counterfeit) magnetic strip found on most American credit cards.
EMV cards also require a personal identification number (PIN) at point of sale. The idea is that with EMV, a thief who knows your credit card account number can no longer make and use a fraudulent credit card with that alone.
On the other hand: while these new technologies might help protect credit-card shoppers in brick-and-mortar stores, security experts fear thieves will simply switch focus to online card purchases, as has already happened in countries where most credit cards have EMV chips. The arms race between merchants and thieves is unlikely to ever end.