Payment cards with dynamic CVV code - realities and prospects

    Welcome to the iCover blog. The obvious benefits of buying goods and services on the Internet have made online shopping tremendously popular around the world. At the same time, that convenience runs from time to time into the problem of identity theft at the transaction stage. Theft of PIN codes during purchases in offline stores is an equally pressing problem. In this article we discuss promising new technologies for protecting cardholders' personal data and the likelihood of their appearing on the domestic market.



    It is estimated that transactions directly or indirectly related to the theft of credit card data during Internet transactions account for 65% of the total volume of fraudulent credit card transactions. Integrating Dynamic Code Verification (DCV) technology will protect the merchant's confidential information much more effectively.

    How it works


    As you know, an online purchase with a payment card is preceded by entering three groups of data in sequence: the card number, the card expiration date, and the verification code, the last three digits on the back (CVV, Card Verification Value). The proposal is to identify each online payment transaction by a dynamic code shown on a miniature electronic display embedded in the plastic on the back of the card. In cards that use Dynamic Code Verification (DCV) technology, the usual static three-digit cryptogram printed on the back (CVV) is thus replaced with a periodically updated digit combination. The DCV code is generated on the display of the EMV chip or on the screen of a smartphone with a number “tied” to the card holder.

    The display that shows the DCV numeric code works on the electronic-ink principle: the displayed combination stays clearly visible without power, which minimizes energy consumption. Battery energy is spent only at the moment the numeric code changes. Thanks to this design, the life of the chip's built-in battery is comparable to the life of the card, on average 3-5 years.

    The company accepting the card for payment (the acquirer) treats the dynamic DCV as an ordinary CVV-2 code. During payment processing the dynamic code is checked on the side of the issuing bank, which uses a dynamic DCVx server at the processing stage. The server calculates the current CVV code for each issued card and reports it at the request of the bank's authorization server.

    Motion Code™ by Oberthur Technologies


    One variant of dynamic verification code technology, Motion Code™, was proposed by the French company Oberthur Technologies in May 2015. As part of a pilot project in September 2015, about 1,000 customers of the French banks Caisse d'Epargne and Banque Populaire took part in studies of the effectiveness of Motion Code™ technology in real conditions.



    The code combination on EMV chips from Oberthur Technologies changes once an hour, which helps minimize battery power consumption.



    Gemalto Dynamic Code Verification


    Gemalto, a long-standing partner of MasterCard and a company widely known for its development of secure mobile applications for the banking sector, entered the banking services market with the latest version of Dynamic Code Verification technology in early October 2015.



    “Gemalto’s Dynamic Code Verification technology provides banks with significantly greater capabilities to meet individual customer needs and can improve their customer segmentation model while providing maximum coverage. Gemalto’s offer is unique primarily because it provides banks with a comprehensive solution to prevent fraud in transactions without the presence of a card, which is supported by many services,” says Hokan Nordfjell, Gemalto’s Senior Vice President of Electronic Commerce.



    The latest development from Gemalto (09.10.2015)

    The time for changing the Dynamic Code Verification in the offer from Gemalto has been reduced to 20 minutes.

    The technology is supported both by mini-displays integrated into the body of a plastic card and by mobile devices, after a special application is downloaded from the company's website. On the domestic banking services market, the introduction of cards with dynamically changing codes is offered by NovaCard, the market leader in Russia and the CIS.

    Cards with a biometric sensor


    Biometric technology deserves special attention. It is recommended for offline transactions, where the holder has to present the card so that the code combination can be read physically. For this purpose, cards of this type have a biometric sensor that reads the holder's thumbprint.

    The main advantage of cards with a biometric sensor is the ability to conduct transactions via a contactless interface. A PIN is not required to complete an instant purchase. The whole process is simplified as far as possible: to perform the operation, the card holder just presses a thumb on the sensor window. Fingerprint identification is carried out inside the card chip itself, which stores the reference template of the cardholder's fingerprint, loaded at the bank when the card is issued. Thus, the fingerprint reference is not transmitted from the chip at any stage of the transaction.



    A plastic card with a biometric sensor from Zwipe (Norway)

    Note that the built-in fingerprint sensor in Zwipe cards does not need a battery, since it is powered by the card's NFC antenna. According to the product developers, in the very near future fingerprint identification will also be possible for contact payments using the EMV chip.

    Payment cards with a biometric sensor also have their disadvantages. In terms of comfort, contactless biometric data entry significantly simplifies and speeds up the procedure, but in terms of security the proposed solution wins only because there is no need to enter a PIN code. If a card is lost, a sufficiently skilled carder will have little difficulty preparing a fake fingerprint and withdrawing money from the card. An undoubted plus is that fraudsters will need some time to make a fake fingerprint, during which the owner may block the card.

    Another weak point of cards with biometric access is the problem of changing the fingerprint at the request of the holder, whereas changing the PIN code of a standard card is not difficult.

    Pros and cons


    Like all new technologies, cards with a biometric sensor and cards with a dynamic verification code are expensive. And although today there are few companies on the Russian market that can implement such a project from a technical point of view, the terms on which such projects are being implemented in Europe or, for example, in South America remain prohibitive for the average Russian consumer of banking products. So at the stage of the pilot project, the cost of a card with a biometric sensor “... will be about ten times more expensive than a conventional chip. If, according to the results of the pilot project, the bank is ready to predict the real volumes of purchases of such cards, then the financial conditions will be determined taking into account the needs of the bank. An individual approach will allow the cost to be optimized to some extent,” believes Mikhail Tatarenkov,

    The close cooperation between the developers of such access systems and the MasterCard payment system simplifies the implementation of both technologies, since it guarantees unhindered integration of the technology into the bank's existing business.

    The scope of measures required to introduce the new banking products will be determined during the implementation of specific projects. For a card that uses the DCV code for transactions, the change of the numeric combination on the card will have to be synchronized with the bank host using the OATH algorithm. For biometric cards no global changes will be required, since the card itself is the certifying center.
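
    The card-to-host synchronization described above, shown from the issuer's side as an added example (not code from the article or from any vendor). It assumes the OATH time-based scheme (RFC 6238 TOTP over HMAC-SHA1) truncated to three digits; the vendors' actual derivation is not given in the article. `IssuerVerifier`, `MAX_FAILURES` and the one-period drift window are hypothetical choices, and the key is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

PERIOD_S = 20 * 60  # code lifetime; 20 minutes is the Gemalto figure from the article
DIGITS = 3          # the code has to fit an ordinary CVV2 field
MAX_FAILURES = 3    # hypothetical issuer policy, not from the article

def code_for_counter(card_key: bytes, counter: int) -> str:
    """HOTP (RFC 4226) dynamic truncation, reduced to DIGITS decimal digits."""
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def dynamic_cvv(card_key: bytes, unix_time: int) -> str:
    """Code shown on the card display at unix_time (time-based counter, RFC 6238)."""
    return code_for_counter(card_key, unix_time // PERIOD_S)

class IssuerVerifier:
    """Issuer-side check for one card: clock-drift window plus failure lockout."""

    def __init__(self, card_key: bytes, drift_steps: int = 1):
        self.card_key = card_key
        self.drift_steps = drift_steps
        self.failures = 0

    def verify(self, submitted: str, unix_time: int) -> bool:
        if self.failures >= MAX_FAILURES:
            return False  # locked: only 1000 possible codes, so guesses must be capped
        now = unix_time // PERIOD_S
        ok = False
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter < 0:
                continue  # no period exists before the epoch
            expected = code_for_counter(self.card_key, counter)
            # Constant-time compare of every candidate; no early exit.
            ok |= hmac.compare_digest(expected.encode(), submitted.encode())
        self.failures = 0 if ok else self.failures + 1
        return ok

# Constructed sample input: the RFC 4226 test key, not a real card key.
SAMPLE_KEY = b"12345678901234567890"

if __name__ == "__main__":
    verifier = IssuerVerifier(SAMPLE_KEY)
    shown = dynamic_cvv(SAMPLE_KEY, PERIOD_S)           # code on the card display
    print(shown, verifier.verify(shown, PERIOD_S + 300))  # same period: accepted
    print(verifier.verify(shown, 5 * PERIOD_S))         # same code much later: rejected
```

    Each extra drift period the issuer tolerates adds one more accepted value out of only 1000, which is why the failure counter matters more here than it does for a six-digit one-time password.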

    Cards with a dynamic DCV code have no critical limits on the volume of operations performed. To withdraw funds, an attacker will need not only the data but also the card itself. Having acquired a card with a biometric fingerprint sensor, a carder will be able to use it for payments in the normal mode (swiping the magnetic stripe, entering card data online, etc.). In addition, in some cases weather can affect the correct reading of the biometric code: high humidity or, for example, extremely high or low air temperature. In this regard, in terms of reliability and security, DCV technology has several serious advantages. However, neither card option is protected from skimming in any way.

    Expert opinions on the prospects for introducing the technologies described here differ significantly. Such cards can provide a higher level of protection of funds in a segment where large amounts are held on customers' card accounts, which implies comfortable access to large purchases on the one hand and high transaction security on the other. Their use in niche projects with small issue volumes is promising.

    Supporters of 3D-Secure technology, widely used in electronic commerce, are quite critical of DCV dynamic code technology. Proponents of dynamic code technology reasonably object that DCV, unlike the transfer of the 3D-Secure identifier, involves no communication channel with the bank. Intercepting a dynamic code combination will therefore be much more difficult than intercepting SMS messages, for which a number of methods are available.

    Any measure that increases the security of remote payment channels is welcome. At this stage, however, the cost of a ready-made solution limits the circle of interested parties to above-average clients who regularly make multiple transactions using a card. From the point of view of the issuing bank, high-tech payment cards with increased security and comfort among the premium products it offers will certainly create certain competitive advantages.

    Summing up, we come to not very optimistic conclusions: the appearance on the domestic market of elite cards that use new security and identification technologies is quite realistic in the foreseeable future, but in the light of existing realities it will not soon be possible to speak of a mass product.
