No need to trust online retailers' security anymore

New service from Akamai lets the credit card industry expunge sensitive data from their systems, eliminating the incentive for hackers to break in

A steady stream of reports of unauthorized access to credit card information has emanated from the retail industry. Online thieves stole at least 224 million credit cards in the largest two breaches to date, according to the Open Security Foundation's DataLoss DB.

It's no wonder that retailers are prime targets of cyber crime. The high cost of complying with the Payment Card Industry (PCI) Data Security Standards, which require that all sensitive data be encrypted and secured, left many companies skimping on security. In 2007, the National Retail Federation cried foul, calling for an end to the requirement that shops and online stores archive credit card data themselves.

"Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place," NRF's chief information officer, David Hogan, stated in a letter to the PCI Council in 2007.

Now retailers may get their wish.

This week Akamai announced a service where online retailers can process credit cards through their own online store, yet not handle sensitive card information from the customers.

"The payment security 2.0 approach is don't spend all your time, money and effort encrypting and securing the data -- try not even to handle the data," says Mike Cucchi, senior product marketing manager for Akamai.

For retailers that use Akamai's content distribution network, the credit card information is sent to the card processor and a unique and non-reversible identifier, called a token, is returned to the retailer.

"Tokens by nature, to speed market adoption, have been formatted in a way that makes them look, feel and smell like a credit card," says Cucchi. "Typically, the merchant infrastructure has very little -- there is some -- but very little implementation costs to start adopting the use of a token, as opposed to a credit card."

Tokenization also removes the retailer from the security picture. The store owner never sees the actual credit card data, which is instead stored in a database in the card processor's network. Because such a system will hold a great deal of valuable information, it will become the new target of cyber criminals. Yet, instead of thousands of store owners needing to secure their customers' credit card information, far fewer processors can tackle the security problem.
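The token flow described above, sketched as an added example (not Akamai's or any processor's code). The class names, the choice to keep the last four digits and the test card number are assumptions made for illustration.

```python
import secrets

class ProcessorVault:
    """Stand-in for the card processor, the only party holding real card numbers."""

    def __init__(self):
        self._pan_by_token = {}   # token -> real card number, never leaves the vault
        self._token_by_pan = {}   # a returning card gets the same token again

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random digits, not computed from the card number, so the token
            # cannot be reversed; only a vault lookup maps it back. Keeping the
            # last four digits is an assumption so receipts still read normally.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, cents: int) -> bool:
        # The merchant presents the token; the card number is resolved here.
        # "Approved" in this sketch only means the vault knows the token.
        return token in self._pan_by_token and cents > 0

class MerchantStore:
    """Stand-in for the retailer: order records hold tokens, never card numbers."""

    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.orders = []

    def checkout(self, token: str, cents: int) -> bool:
        approved = self.vault.charge(token, cents)
        self.orders.append({"card": token, "cents": cents, "approved": approved})
        return approved

def demo():
    vault = ProcessorVault()
    shop = MerchantStore(vault)
    pan = "4111111111111111"      # constructed test card number
    token = vault.tokenize(pan)   # happens before the data reaches the shop
    shop.checkout(token, 1999)
    return pan, token, shop
```

A breach of the merchant's order records yields only tokens, which are useless without the vault's lookup table; that table is the concentrated target the article goes on to describe.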

This article, "No need to trust online retailers' security anymore," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.