Payment cards with dynamic CVV code - realities and perspectives
Welcome to the pages of the iCover blog. There is no arguing with the fact that the obvious advantages of buying products and services on the Internet have made online shopping enormously popular throughout the world. However, the convenience of purchasing goods and services online from time to time runs into the problem of identity theft at the transaction stage. The theft of PIN codes while shopping in offline stores is also a very pressing problem. In this article we describe new promising technologies for protecting cardholders' personal data and the likelihood of their appearance on the domestic market.
It is estimated that transactions directly or indirectly related to the theft of users' credit card data on the Internet account for 65% of the total amount of fraudulent credit card transactions. Integration of Dynamic Code Verification (DCV) technology will make it possible to protect a merchant's confidential information much more effectively.
How it works
As you know, an online purchase with a payment card is preceded by the sequential entry of three groups of data: the card number, the card expiration date and the three-digit verification code on the back (CVV, Card Verification Value). It was proposed to identify each online payment transaction by means of a dynamic code shown on a miniature electronic display embedded in the plastic on the reverse side of the card. Thus, in cards using Dynamic Code Verification (DCV) technology, the usual static three-digit cryptogram printed on the back of the card (CVV) is replaced with a digital combination that is updated periodically. The DCV code is generated on the display of an EMV chip card or on the screen of a smartphone whose number is "tied" to the cardholder. The dynamic code (DCV) is updated in real time at a frequency set by the issuing bank.
The display that shows the numeric DCV code works on the electronic ink principle, which minimizes power consumption because the displayed combination remains clearly visible without power. Battery energy is therefore spent only at the moment the numeric code changes. Thanks to this design, the life of the integrated battery is comparable to the card's validity period and is, on average, 3-5 years.
The company accepting the card for payment (the acquirer) treats the dynamic DCV as an ordinary CVV2 code. During payment processing, the dynamic code is checked on the side of the issuing bank, which uses a dynamic DCVx server at the processing stage. The server keeps track of the current CVV code for each issued card and reports it at the request of the bank's authorization server.
Oberthur Technologies Motion Code™
One variant of dynamic verification code technology, Motion Code™, was proposed by the French company Oberthur Technologies in May 2015. As part of a pilot project, in September 2015 about 1000 clients of the French banks Caisse d'Epargne and Banque Populaire were recruited to study the effectiveness of the Motion Code™ technology in real conditions.
The code combination on Oberthur Technologies' EMV chip cards changes once an hour, which keeps battery power consumption to a minimum.
Dynamic code verification from Gemalto
Gemalto, a longtime partner of MasterCard and a company well known for its developments in secure mobile applications for the banking sector, entered the banking services market with the latest version of Dynamic Code Verification technology in early October 2015.
“The technology of Dynamic Code Verification offered by Gemalto provides banks with significantly greater opportunities to meet individual customer needs and improves the customer segmentation model, while ensuring maximum coverage. Gemalto's offer is unique primarily because it gives banks a comprehensive solution to prevent fraud in transactions without a card, which is supported by many services,” said Håkan Nordfjell, senior vice president of e-commerce for Gemalto.
Latest development from Gemalto (10/09/2015)
In Gemalto's offering, the interval at which the Dynamic Code Verification code changes is reduced to 20 minutes.
The technology is supported both by mini-displays integrated into the plastic card body and by mobile devices, after a special application is downloaded from the company's website. On the domestic banking services market, the introduction of cards with a dynamically changing code is offered by NovaCard, the market leader in Russia and the CIS countries.
Cards with a biometric sensor
Biometric technology deserves special attention. It is recommended for offline transactions, where the holder has to physically present the card for the code combination to be read. Cards of this type contain a biometric sensor that reads the thumbprint.
The main advantage of cards with a biometric sensor is the ability to conduct transactions over a contactless interface. A PIN is not required to make an instant purchase. The whole process is as simple as possible: to perform an operation, the cardholder only has to press a thumb against the sensor window. Fingerprint identification is carried out inside the card chip itself, which stores the cardholder's fingerprint, loaded at the bank upon receipt of the card. Thus, the reference fingerprint is not transmitted from the chip at any stage of the transaction.
Plastic card with a biometric sensor from the company Zwipe (Norway)
Note that the built-in fingerprint sensor in Zwipe cards does not need a battery, because it is powered through the card's NFC antenna. According to the product's developers, in the very near future fingerprint identification will also be possible for contact payments using an EMV chip.
Payment cards with a biometric sensor have their disadvantages. From the point of view of comfort, contactless biometric entry greatly simplifies and speeds up the procedure, but from the point of view of security the proposed solution gains only from the absence of the need to enter a PIN code. If a card is lost, carders with a certain level of preparation will have little difficulty making a fake print and withdrawing money from the card. A definite plus is that fraudsters will need some time to make a fake print, during which the owner may block the card.
Another weak point of cards with biometric access is the problem of changing the fingerprint at the holder's request, whereas changing the PIN of a standard card is not difficult.
Pros and cons
Like all new technologies, cards with a biometric sensor and cards with a dynamic verification code are expensive. Although today there are a few companies on the Russian market that are able to implement such a project from a technical point of view, the conditions under which such projects are being implemented in Europe or, for example, in South America remain unaffordable for the average Russian consumer of banking products. At the pilot project stage, the cost of a card with a biometric sensor “... will be about ten times more expensive than a regular chip card. If, according to the results of the pilot project, the bank is ready to predict the real volumes of purchases of such cards, then the financial conditions will be determined taking into account the needs of the bank. An individual approach will allow us to optimize the cost to some extent,” says Mikhail Tatarenkov, who represents the NovaCard convergent payments department.
The introduction of both technologies is simplified by the close cooperation of the developers of such access systems with the MasterCard payment system, since it guarantees seamless integration of the technology into the bank's existing business.
The scope of measures required to introduce the new banking products will be determined during the implementation of specific projects. In the case of a card that uses a DCV code to perform operations, it will be necessary to synchronize the change of the numerical combination on the card and on the bank's host using the OATH algorithm. In the case of biometric cards, no global changes will be required, since the card itself is the certification center.
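The time-synchronized scheme described above, in which the card and the issuer's host derive the same code for each interval and the issuer checks it in place of a static CVV2, can be sketched with the OATH HOTP/TOTP constructions from RFC 4226 and RFC 6238. This is an added example, not code from the article or from any card vendor; the 3-digit truncation, HMAC-SHA1, the clock-drift window and all function names are assumptions for illustration, since the page does not give the vendors' actual algorithms.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 20 * 60  # refresh interval; 20 minutes is the Gemalto figure cited in the article
DIGITS = 3              # the code travels in the ordinary CVV2 field


def code_for_counter(card_key: bytes, counter: int) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation), reduced to DIGITS digits."""
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def card_display(card_key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the card shows: the code for the current time step (RFC 6238)."""
    return code_for_counter(card_key, unix_time // step)


def issuer_verify(card_key: bytes, submitted: str, unix_time: int,
                  drift_steps: int = 1, step: int = STEP_SECONDS) -> bool:
    """Issuer-side check that tolerates +/- drift_steps intervals of card clock drift."""
    current = unix_time // step
    ok = False
    for counter in range(max(0, current - drift_steps), current + drift_steps + 1):
        # compare_digest keeps the comparison constant-time
        ok |= hmac.compare_digest(code_for_counter(card_key, counter), submitted)
    return ok


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real card secret
    now = 1_700_000_000            # constructed timestamp
    code = card_display(key, now)
    # Accepted in the same interval and one interval later (drift window of 1).
    print(code, issuer_verify(key, code, now), issuer_verify(key, code, now + STEP_SECONDS))
```

Because a 3-digit code has only 1,000 possible values, an issuer using a scheme like this also has to cap failed attempts per card within each interval.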
Cards with a dynamic DCV code have no critical restrictions on the volume of operations performed. To withdraw funds, an attacker will need not only the data but the card itself. A carder who takes possession of a card with a biometric fingerprint sensor can still use it for payments in the normal mode (operations that swipe the magnetic stripe, entering card data online, and so on). In addition, weather may in some cases affect the correct reading of the biometric code: high humidity or, for example, extremely high or low air temperature. In this regard, in terms of reliability and security, DCV technology has several significant advantages. But neither version of the card is protected from skimming in any way.
As for the prospects of implementing the technologies described here, expert opinions differ significantly. Such cards will be able to provide a higher level of protection of funds in the segment where large amounts are kept in customers' card accounts, which implies, on the one hand, comfortable access to large purchases and, on the other, high security of operations. Their use looks promising for niche projects with small issue volumes.
Proponents of the 3D-Secure technology that is widely used in e-commerce are quite critical of the dynamic DCV code technology. At the same time, advocates of the dynamic code technology reasonably object: in the case of DCV there is no communication channel with the bank of the kind used to deliver the 3D-Secure identifier. So it will be much more difficult to intercept a dynamic code combination, in contrast to the number of methods available for intercepting SMS messages.
Any measure that increases the security of remote payment channels is welcome. However, at this stage the cost of a turnkey solution still limits the circle of interested parties to above-average customers who regularly perform multiple card transactions. And from the point of view of the issuing bank, the appearance of high-tech payment cards with enhanced security and comfort in its premium product segment will certainly create certain competitive advantages.
Summing up, we come to not too optimistic conclusions: the appearance on the domestic market of elite cards using new protection and identification technologies is quite possible in the foreseeable future, but given the existing realities it is too early to talk about a mass-market product.