Payment cards with a dynamic CVV code – realities and prospects

Tomcat

There is no arguing with the fact that the obvious advantages of buying products and services on the Internet have made it enormously popular on a global scale. At the same time, the convenience of purchasing goods and services online is from time to time undermined by identity theft at the transaction stage. PIN code theft during purchases in offline stores is also a pressing problem. In this article we describe promising new technologies for protecting cardholders' personal data and the likelihood of their appearing on the domestic market.

It is estimated that transactions directly or indirectly related to the theft of users' credit card data during Internet transactions account for 65% of the total volume of fraudulent credit card transactions. Integrating Dynamic Code Verification (DCV) technology will help protect the merchant's confidential information much more effectively.

How it works


As you know, an online purchase with a payment card is preceded by entering three groups of data in sequence: the card number, the card validity period, and the verification code formed by the last three digits on the back (CVV, Card Verification Value). The proposal is to identify each online payment transaction by means of a dynamic code shown on a miniature electronic display embedded in the plastic on the reverse side of the card. Thus, in cards using Dynamic Code Verification (DCV) technology, the usual static visual cryptogram, the last three digits on the back of the card (CVV), is replaced with a numeric combination that is periodically updated. The DCV code is generated on the display of the EMV chip or on the screen of a smartphone whose number is "linked" to the cardholder. The dynamic code (DCV) is updated in real time at a frequency set by the issuing bank.

The display that shows the numeric DCV code works on the electronic-ink principle, which minimizes power consumption because the displayed combination remains clearly visible without power. Battery power is therefore consumed only when the numeric code changes. Thanks to this circuit design, the life of the chip's built-in battery is comparable to the card's validity period: on average, 3-5 years.

The company that accepts the card for payment (the acquirer) treats the dynamic DCV as an ordinary CVV-2 code. During payment processing, the dynamic code is checked on the side of the issuing bank, which uses a dynamic DCVx server at the processing stage. The server calculates the current CVV codes for each issued card and reports them at the request of the bank's authorization server.

Motion Code™ from Oberthur Technologies


One of the options for Dynamic Verification Code technology, Motion Code™, was proposed by the French company Oberthur Technologies in May 2015. In September 2015, as part of a pilot project, about 1,000 customers of the French banks Caisse d'Epargne and Banque Populaire took part in real-world research on the effectiveness of Motion Code technology.

The code combination on Oberthur Technologies' EMV chips changes once an hour, which keeps battery power consumption to a minimum.

Dynamic code verification from Gemalto


Gemalto, a long-standing partner of MasterCard and a company widely known for its developments in secure mobile applications for the banking sector, entered the banking services market with the latest version of Dynamic Code Verification technology in early October 2015.


The "Dynamic Code Verification" technology offered by Gemalto provides banks with significantly greater opportunities to meet individual customer needs and allows them to improve the customer segmentation model, while ensuring maximum coverage. Gemalto's offer is unique primarily in that it provides banks with a comprehensive solution to prevent fraud when making transactions without the presence of a card, which is supported by many services, Hakan Nordfjell, Gemalto's senior vice president of e-commerce, is confident.

In Gemalto's offer, the interval at which the Dynamic Code Verification code changes has been reduced to 20 minutes.

The technology is supported both by mini-displays integrated into the plastic card body and by mobile devices, after a special application is downloaded from the company's website. In the domestic market of banking services, the introduction of cards with a dynamically changing code is offered by NovaCard, the market leader in Russia and the CIS countries.

Cards with a biometric sensor


Special attention should be paid to the biometric technology recommended for making transactions in offline mode, where the holder will be required to use the card to physically read the code combination. For this purpose, this type of card provides a biometric sensor that reads information from the thumbprint.

The main advantage of cards with a biometric sensor is the ability to conduct transactions via a contactless interface. You don't need to enter your PIN code to make an instant purchase. The whole process is simplified as much as possible: to perform the operation, the cardholder just needs to press a thumb against the sensor window. Fingerprint identification is carried out inside the card chip itself, where the cardholder's fingerprint reference is stored, which is uploaded to the bank when the card is received. Thus, the fingerprint reference is not transmitted from the chip at any stage.

Note that the built-in fingerprint sensor in Zwipe cards does not need to use batteries, since it is powered by the card's NFC antenna. According to information from the product developers, fingerprint identification will also be possible in the very near future with contact payment using an EMV chip.

Payment cards with a biometric sensor also have their disadvantages. From the point of view of comfort, contactless biometric data entry significantly simplifies and speeds up the procedure, but from the point of view of security, the proposed solution benefits only by eliminating the need to enter a PIN code. In case of loss of the card, with a certain level of training of carders, it will not be difficult to prepare a fake fingerprint and withdraw money from the card. A definite plus is that it will take fraudsters some time to make a fake fingerprint, during which the card can be blocked by the owner.

Another weak point of cards with biometric access is the difficulty of changing the fingerprint at the holder's request, whereas changing the PIN code of a standard card is not difficult.

Pros and Cons


Like all new technologies, cards with a biometric sensor and dynamic verification code are expensive. Although there are some individual companies in the Russian market that can implement a project from a technical point of view, the conditions under which such projects are implemented in Europe or, for example, in South America, are still too difficult for the average Russian consumer of banking products. So at the pilot project stage, the cost of a card with a biometric sensor "... will be about ten times more expensive than a regular chip card. If, based on the results of the pilot project, the bank is ready to predict the actual volume of purchases of such cards, then financial conditions will be determined taking into account the bank's needs. An individual approach will allow you to optimize the cost to some extent," says Mikhail Tatarenkov, representing the converged payments department of NovaCard.

The close cooperation of developers of such access systems with the MasterCard payment system simplifies the implementation of both technologies, as it allows for guaranteed smooth integration of the technology into the bank's existing business.

The scope of activities required for the introduction of new banking products will be determined during the implementation of specific projects. In the case of a card that uses the DCV code to perform operations, you will need to ensure that the number combination changes synchronously on the card and on the bank's host using the ADN algorithm. In the case of biometric cards, no global changes will be required, since the card itself is the certification center.

Cards with dynamic DCV code do not have critical restrictions on the volume of operations performed. To withdraw funds, an attacker will need not only the data, but also the card itself. Once the card has a biometric fingerprint, the carder can use it for payments in the normal mode (operations with swiping a magnetic stripe, entering card data in online mode, etc.). In addition, in some cases, the correct reading of the biometric code may be affected by weather factors: high humidity or, for example, extremely high or low air temperatures. In this regard, from the point of view of reliability and security, the DCV technology has a number of serious advantages. But both versions of the cards are not protected from skimming in any way.

Expert opinions on the prospects for implementing the technologies described here differ significantly. Such cards can provide a higher level of protection of funds in the segment where large amounts are stored on customers' card accounts, which implies, on the one hand, comfortable access to large purchases, and on the other, high security of operations. Their application is also considered promising for niche projects with a small issue.

Supporters of 3D-Secure technology, which is widely used in e-commerce, are quite critical of the DCV dynamic code technology. At the same time, apologists of dynamic code technology reasonably object: with DCV there is no communication channel with the bank, as there is when the 3D-Secure identifier is transmitted. This means that it will be much more difficult to intercept a dynamic code combination, given the number of available methods for intercepting SMS messages.

Any measure to improve the security of remote payment channels is welcome. At the same time, at this stage, the cost of a ready-made solution still limits the circle of interested parties to customers at an above-average level who regularly make multiple transactions using the card. And from the point of view of the issuing bank, the appearance of high-tech payment cards with increased security and comfort in the premium segment of the offered products will certainly create certain competitive advantages.

Summing up, we come to not too optimistic conclusions: the appearance on the domestic market of elite cards that use new security and identification technologies is quite realistic in the foreseeable future, but given the existing realities, it will be a long time before one can speak of a mass market for the product.
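
The issuer-side check described under "How it works" and the card/host synchronization requirement mentioned under "Pros and Cons" can be sketched as follows. This is an added example, not part of the original post and not any vendor's code: the HMAC-based time-window scheme stands in for the unpublished card algorithm, and `dynamic_code`, `IssuerVerifier`, the key and the card number are all hypothetical, constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 20 * 60  # refresh period; the page cites 20 minutes for Gemalto

def dynamic_code(card_key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Three-digit code for the time window containing unix_time.

    Assumption: HMAC-SHA256 over the window counter with RFC 4226-style
    truncation stands in for the vendors' unpublished algorithm.
    """
    counter = unix_time // step
    digest = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"

class IssuerVerifier:
    """Issuer-side check: the acquirer forwards the code like a static CVV2."""

    def __init__(self, step=STEP_SECONDS, drift_windows=1, max_failures=3):
        self.step, self.drift, self.max_failures = step, drift_windows, max_failures
        self.keys = {}      # card number -> per-card secret shared with the card
        self.failures = {}  # card number -> consecutive failed checks

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key

    def verify(self, pan: str, submitted: str, now: int) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "unknown_card"
        # Every tolerated window adds one more valid 3-digit value, so
        # wrong guesses are counted and the card locks after a few.
        if self.failures.get(pan, 0) >= self.max_failures:
            return "locked"
        for w in range(-self.drift, self.drift + 1):
            expected = dynamic_code(key, now + w * self.step, self.step)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.failures[pan] = 0
                return "approved"
        self.failures[pan] = self.failures.get(pan, 0) + 1
        return "declined"

if __name__ == "__main__":
    KEY, PAN, T = b"constructed-demo-key", "0000000000000000", 1_700_000_000
    issuer = IssuerVerifier()
    issuer.enroll(PAN, KEY)
    code = dynamic_code(KEY, T)
    print(issuer.verify(PAN, code, T), issuer.verify(PAN, code, T + 10 * STEP_SECONDS))
```

The `drift_windows` setting is the trade-off an issuer tunes: a wider tolerance absorbs clock drift between the card and the host, but keeps a captured code usable for longer.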