9. Legacy issues
• Merchants still use imprinters in 2014
• Magnetic stripe will stay forever
• People will use credit card numbers for online transactions
10. Credit card data protection
Hard and scary: a data security standard that costs up to $100,000 to implement at one site
11. Scale of the problem
• 100+ businesses processing credit cards in 27 countries
• Few security engineers in Japan
• $100,000 per site
12. Approach
Tokenization — replace the credit card number with some random string that only makes sense to your service
Keep real credit card numbers in one secure, dark and dry place
If stolen, nobody can use these tokens
14. Using an existing solution
It is tempting to map one credit number to a unique token:
• Fraud analysts want it
• Marketing wants it
• Much easier to see things in the database
18. Problems with one-to-one mapping
• Only 8 digits to brute-force per issuer
• Attackers can easily build a dictionary of all tokens to card numbers
• Attack is easy, reissuing all tokens every time is hard
19. Unique token every time
• No unique identifiers for cards in Rakuten
• The same credit card produces a different token every time it is entered
• But how to do analytics?
20. Allowed to store and display
• Masked PAN: 4297 69xx xxxx 6789
• Cardholder name: Taro Rakuten
• Expiration date: 02/2020
21. Allowed to store and display
The same masked PAN, cardholder name and expiration date as above. Duplicates?
22. Big data to help!
We ran a query to see how many duplicates we have among our users
Among total Rakuten users (~100M by now) around 250 duplicates were found
It is a bit hard to tell the precise number, because we can only see masked PANs
0.00025% of users may have similar-looking cards
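The tokenization approach of slides 12 to 22 (random token per entry, real PANs kept in one vault, masked PAN plus name and expiry stored elsewhere, duplicate detection on masked PANs) as an added Python example. This is illustration code written for this page, not Rakuten's implementation; the vault is an in-memory dict, the PANs are constructed samples (the masked value from the slides padded with made-up middle digits), and the HMAC variant is included only to show the one-to-one property the slides warn about.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample PANs for the demo (not real cards). The first three share
# the masked form "4297 69xx xxxx 6789" shown on the slides.
SAMPLE_PANS = [
    "4297691234566789",   # card A
    "4297691234566789",   # card A entered a second time
    "4297690000006789",   # card B: different card, same masked PAN
    "5555444433331111",   # card C
]

# Constructed key for the deterministic variant; a real deployment would keep
# such a key in an HSM or KMS, which is exactly the kind of asset the slides
# want to avoid spreading across 100+ businesses.
DEMO_HMAC_KEY = b"demo-key-not-for-production"


def mask_pan(pan: str) -> str:
    """Masked PAN that the slides say may be stored and displayed:
    first 6 digits (issuer BIN) and last 4, everything else replaced by x."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13-19 digits")
    masked = digits[:6] + "x" * (len(digits) - 10) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


class TokenVault:
    """The 'one secure, dark and dry place': the only component that ever
    sees a real PAN. Everything outside it works with tokens."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}  # token -> PAN

    def tokenize(self, pan: str) -> str:
        # A fresh random token on every call ("unique token every time"):
        # the same card produces unrelated tokens, so a stolen token table
        # carries no information about which tokens belong to the same card.
        token = secrets.token_urlsafe(24)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at charge time) maps a token back to its PAN."""
        return self._store[token]


def deterministic_token(pan: str) -> str:
    """One-to-one mapping (slide 14/18): the same PAN always yields the same
    token. Convenient for analysts, but every occurrence of a card is linkable
    and one recovered mapping exposes all of them."""
    return hmac.new(DEMO_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def merchant_record(vault: TokenVault, pan: str, name: str, expiry: str) -> dict:
    """What a shop stores per order: a token plus the fields slides 20/21 allow."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "cardholder": name,
        "expiry": expiry,
    }


def count_masked_duplicates(masked_pans) -> dict[str, int]:
    """The slide-22 query: masked PANs that occur more than once, with counts.
    Note this over-counts (cards A and B collide) because only masks are visible."""
    return {m: n for m, n in Counter(masked_pans).items() if n > 1}


if __name__ == "__main__":
    vault = TokenVault()
    records = [merchant_record(vault, p, "Taro Rakuten", "02/2020") for p in SAMPLE_PANS]
    print("random tokens differ for the same card:",
          records[0]["token"] != records[1]["token"])
    print("deterministic tokens collide for the same card:",
          deterministic_token(SAMPLE_PANS[0]) == deterministic_token(SAMPLE_PANS[1]))
    print("masked duplicates:", count_masked_duplicates(r["masked_pan"] for r in records))
```

The duplicate query illustrates the caveat on the slide: cards A and B are different cards but identical once masked, so the 250 figure is an upper bound on truly duplicated cards, not an exact count.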
23. Ok, how about issuers then?
— Hmm… Issuers don’t have much power over their customers’ security
— Let’s give them that!
26. 3d-secure on mobile apps
• You can’t use native components. Only WebView, only hardcore!
(and you don’t see the URL in most of the cases)
• Responsive UI for mobile 3D-Secure pages? No, never heard of it.
• Frustration of the customer? That’s the shop’s fail.
28. The future of payments
Credit card will remain the main interface to your bank account
Companies will make secure and convenient interfaces to your credit cards:
• NFC, PayPal Beacon or Passbook in physical world
• Secure payment gateways in the Internet
• Facebook + WhatsApp + payments, Gmail + Google Checkout, more to come
• 3D-Secure will die
29. Future: drop “credit card” from the equation
If everybody uses new technologies, why do we need credit cards?
• Banks are bad at creating unified Internet services
• Americans can’t get rid of plastic