Moving Beyond Social Security Numbers Part 3: Tokenizing identities or the Credit Card 2.0 model for identity
This is the third post in a five part series. I recommend you start with Part 1: Claiming Your Unique, Digital Identity and Part 2: Identity proofing, data matching, and why the SSN is still important before reading this post.
Credit and debit cards form an interesting, basic model for identity. Banks have regulatory requirements to verify the identities of their customers and must, by law, gather three of four data elements: Name, Date of Birth, Social Security Number, and Address. To complete payments through cards, banks realized they needed to represent their customers’ identities with something other than their actual personal information and social security number — enter the credit card with a long string of meaningless numbers, expiration date, and CVV code.
Representing an individual’s sensitive information with a random number is a process known as “tokenization.” Credit cards are probably the most widely adopted form of tokenization so the model is worth examining. First, let’s take a look at how credit card tokenization works and then how the model might be improved.
When a payment is made, the bank understands the relationship between the random number on the credit card and the actual identity of the cardholder. As a result, the merchant is able to trust the transaction because they trust the bank; the bank is able to trust that the cardholder is their customer; and regulators are able to work with the banks to ensure that money isn’t being used to finance terrorism or other forms of crime. Importantly, credit and debit cards work globally — you can get on an airplane today, fly to Italy, buy a cup of coffee with a credit card, and the bank will know to charge your account and to transfer money to the Italian coffee shop.
The problem with credit cards is that the information on the card is printed — so once the card is mailed the information can’t change with each use. Because the card information is printed and shared with many different people and organizations, the token is easily compromised. That is to say that once someone else discovers the credit card number, expiration date, and CVV code on your card then they are able to compromise your payment identity and commit credit card fraud. Think about it: every time you go out to eat you give a complete stranger — your server — the card that represents your payment identity and they take it out of your sight for five or ten minutes. When you reflect on that for a moment, it almost seems crazy. It only takes one bad actor to decide to copy your information and then tomorrow they can complete a purchase online as you. No wonder credit card fraud is a problem.
Fortunately, digital credentials make a credit card 2.0 model for identity possible: a model we call “dynamic tokenization.” In the same way that a bank issues you a random card number or token for payments, a digital identity provider can issue each organization that accesses your data a random identifier to represent you to that organization. For many transactions, like payments, the counterparty to the transaction doesn’t need your social security number. Your bank needs your social security number to check your credit and to make sure you’re not a terrorist. But the merchant just needs your money, not your social security number.
Another benefit of tokenization is that if an organization suffers a data breach, the thieves compromise only the random number, or token, that the identity provider issued to that organization to represent you, and that token represents you only with that organization. In other words, the thieves cannot use the token to claim your identity with any other organization. Because the compromised data cannot harm you broadly in the market, this model is much more secure than today’s model, in which social security numbers and fixed credit card numbers are reused across many organizations to identify the same person.
ID.me has already implemented a “dynamic tokenization” model for identity. Once an identity is verified and matched, ID.me issues a new random, unique identifier for that person to each organization they authorize to access a subset of their data. To protect consumer data broadly, however, all organizations need to integrate with ID.me’s network or a similar one; otherwise the static, vulnerable model of identity will continue to expose consumers to harm.
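The following is an added illustration of the model described in the last three paragraphs, written for this post; it is not ID.me’s code or API. It assumes a hypothetical identity provider class that holds the verified record (the four data elements named earlier, with constructed sample values), issues a fresh random token per (person, organization) pair, and releases only the attributes the person authorized to that organization. It contrasts that with a static model in which every organization keys its records on the same SSN, so a record leaked from one organization is a working key at another.

```python
"""Per-organization identity tokens ("dynamic tokenization"), constructed example.

Hypothetical identity provider: it holds a verified identity record and
hands each relying organization its own random token for that person,
together with the subset of attributes the person authorized. Nothing
here is ID.me's code or API; names and values are assumptions.
"""
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class VerifiedIdentity:
    """The four data elements the post mentions banks must gather."""
    name: str
    date_of_birth: str
    ssn: str
    address: str


# Constructed sample record; the SSN is an obvious placeholder.
ALICE = VerifiedIdentity("Alice Example", "1990-01-01", "000-00-0000", "1 Example St")


class StaticIdentityModel:
    """Today's model: every organization keys its records on the same SSN."""

    def __init__(self):
        self.records_by_org = {}  # org_id -> {ssn: attributes}

    def share(self, org_id, identity):
        self.records_by_org.setdefault(org_id, {})[identity.ssn] = asdict(identity)

    def lookup(self, org_id, ssn):
        return self.records_by_org.get(org_id, {}).get(ssn)


class DynamicTokenIdentityProvider:
    """Credit card 2.0 model: one random token per (person, organization)."""

    def __init__(self):
        self._identities = {}  # internal account id -> VerifiedIdentity
        self._grants = {}      # (org_id, token) -> (account id, authorized fields)
        self._issued = {}      # (account id, org_id) -> token

    def enroll(self, identity):
        """Store the verified record; the internal id never leaves the provider."""
        account_id = secrets.token_hex(8)
        self._identities[account_id] = identity
        return account_id

    def authorize(self, account_id, org_id, fields):
        """The person authorizes org_id to see `fields`; returns that org's token.

        The token is stable for a given (person, org) pair so the organization can
        recognise a returning user, but it is never reused for another organization.
        """
        if account_id not in self._identities:
            raise KeyError("unknown account")
        unknown = set(fields) - set(asdict(self._identities[account_id]))
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        key = (account_id, org_id)
        if key not in self._issued:
            self._issued[key] = secrets.token_urlsafe(24)  # 192 random bits
        token = self._issued[key]
        self._grants[(org_id, token)] = (account_id, frozenset(fields))
        return token

    def resolve(self, org_id, token):
        """Return the authorized subset for org_id, or None if the token is not its own."""
        grant = self._grants.get((org_id, token))
        if grant is None:
            return None
        account_id, fields = grant
        record = asdict(self._identities[account_id])
        return {f: record[f] for f in fields}


def static_model_breach():
    """Does a record leaked from the merchant act as a key at the bank? (True)"""
    static = StaticIdentityModel()
    static.share("merchant", ALICE)
    static.share("bank", ALICE)
    leaked_ssn = next(iter(static.records_by_org["merchant"]))  # merchant database leaks
    return static.lookup("bank", leaked_ssn) is not None


def dynamic_model_breach():
    """Does the merchant's token resolve at, or link to, the bank? (False)"""
    idp = DynamicTokenIdentityProvider()
    alice = idp.enroll(ALICE)
    merchant_token = idp.authorize(alice, "merchant", ["name"])  # merchant needs no SSN
    bank_token = idp.authorize(alice, "bank", ["name", "date_of_birth", "ssn", "address"])
    resolves_elsewhere = idp.resolve("bank", merchant_token) is not None
    linkable = merchant_token == bank_token
    return resolves_elsewhere or linkable


if __name__ == "__main__":
    print("static model, leak usable at another org:", static_model_breach())
    print("dynamic model, leak usable at another org:", dynamic_model_breach())
```

The two `*_breach` functions are the point of the example: the same person enrolled with the same two organizations yields a cross-organization compromise under the static model and none under the per-organization token model, and the merchant's `resolve` call returns only the name it was authorized to see.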
As ID.me and other organizations that follow a credit card 2.0 model for identity are more broadly adopted, we all benefit.
Read Part 1: Claiming Your Unique, Digital Identity
Read Part 4: Data minimization and consent by design
ID.me is the next-generation digital identity platform that provides for trusted and convenient interactions between individuals and organizations. Government agencies and commercial partners use ID.me for online identity proofing and authentication to ensure their platforms and users are protected from fraud and identity theft. All media inquiries can reach Laura Cruz at firstname.lastname@example.org