Tokenization, where credit card numbers and other sensitive data is replaced by random characters, can be a secure alternative to encryption in many cases -- but would not have helped in the majority of retail breaches over the past two years.
The Payment Card Industry released guidance last week about how technology vendors and retailers can use tokenization to reduce the amount of card data they store in their systems.
“Tokenization is one way organizations can limit the locations of cardholder data," said PCI SSC Chief Technology Officer Troy Leach. in a statement. "A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts."
But, according to a new report from CBI, if each of the 22 major breached retailers had had a tokenization system in place, 59 percent of the breaches would not have been prevented -- and 97 percent of the stolen records would still have been stolen. That adds up to 154 million records.
The reason? Most of the breaches took place at the point of sale terminal, before the data would have been tokenized.
"The tokenization takes effect after the credit card has been swiped, and the data is protected at that point forward," said J Wolfgang Goerlich, cybersecurity strategist at Ferndale, MI-based CBI. "But it is still not protected in the memory of the machine."
Only 41 percent of breaches involved attacks on databases or servers, where tokenization would have protected it.
"This exactly the type of trend that we often see when a control begins to be widely deployed," said Goerlich. "The attackers will shift their focus away from we strengthened the system, to the point where it is weakest."
The malware used to steal data from point of sale devices such as credit card readers is called a RAM scraper.
According to Trend Micro, more new variants of RAM scraper malware were discovered in the first nine months of 2014 than in all of preceding three years. And, last month, analysts discovered two more new RAM scraper families.
In addition to hitting high-profile targets like Target and Home Depot, the attackers also broadened their reach last year, said Trend Micro senior threat researcher Numaan Huq in a report earlier this year.
"Scammers have already ventured outside the shopping mall to hit newer targets like airports, metro stations, and parking lots," he wrote.
ApplePay, which also uses tokenization, but is not vulnerable at the point of sale because no actual credit card numbers are involved.
The tokenization process happens when the card is first loaded onto the iPhone -- and that is, in fact, where criminals have been targeting their efforts, by talking bank call centers into approving stolen credit cards.
"The earlier on in the process data is tokenized, the less of the payment process is exposed," said Goerlich. "By tokenizing earlier and moving the end, Apple Pay avoids the way credit cards are commonly stolen."