I had an eerie thought when I read about the massive data theft of customer information at JP Morgan Chase. Much was made about the fact that the theft did not include customers’ account information or credit card information. It was “only” their names and addresses—primarily those of customers who use the bank’s several online banking services. So what else did the thieves get? Everyone’s email addresses, I’m betting.
Then, in researching Apple Pay, I learned that Chase worked extremely closely and in great secrecy with Apple to develop the Apple Pay implementation of the credit card issuers’ smart card interoperability specification (EMV). Once your credit cards are loaded into Apple Pay on your iPhone, the account information disappears. It is replaced with a meaningless token (that can’t be reverse engineered back into your credit card number) combined with a single-use, transaction-specific cryptogram that is generated dynamically from the iPhone’s “secure element” (chip). There is now no way that thieves can steal credit card information from those phones or from the merchants’ Point of Sale systems. All the merchant sees are the last four digits of each customer’s credit card number to be used for analysis and reporting: e.g., how much did each unique customer spend with us last month?
But what if the bad guys already had the names, addresses, and email addresses (and maybe the last 4 digits) of everyone who had credit cards? And they could still hack into retailers’ systems to access their transaction data? Couldn’t they reverse-append the two data sets? So they wouldn’t recover people’s credit card information, but they would have their identities and their transaction histories. That’s probably worth something. Just wondering why the world’s largest credit card issuer’s online customers’ data was stolen a month before the launch of Apple Pay.