January 3, 2015
Companies around the world lose US $3.5 trillion to fraud each year, according to a report by the Association of Certified Fraud Examiners. The average loss of revenue per organization is 5% annually. Stakeholders in the payments domain are working to innovate in the way transactions are secured, and traditional payment methods and tools are evolving into more secure forms. Some notable companies are contributing to the transition to new, highly secure payment technologies.
Here are some advancements in the payments domain that cannot go unnoticed:
From Simple Plastic Cards to Interactive Cards
Traditional debit and credit cards primarily display your card number on the front and the CVV number on the back. But how about cards with dynamic elements that make them more interactive and, from the user's standpoint, more secure?
MasterCard collaborated with Dynamics Inc, a maker of interactive payment cards. The interactive payment cards are built with features such as buttons, displays and LEDs. The cards come with multiple applications stored on the card itself while remaining compatible with existing POS terminals. For security, these interactive payment cards include a display and keypad. When a consumer enters the correct unlocking code using the buttons on the card, the payment card number is shown on a display (for online use) and is written to the stripe (for in-store use).
Oberthur, a digital security firm, acquired Nagra ID, which produces multicomponent and other forms of complex cards for the security and identification industry. The cards in Nagra ID's product portfolio come with interactive buttons in the form of a keypad. The cards also come equipped with digital displays on the front and back. The display on the front can be used to show an OTP generated at runtime, while the back display can be used to show a dynamically generated CVV.
From MagStripe to EMV
The earlier practice for using payment cards at the point of sale was to swipe the magnetic stripe on the card through a compatible reader. Such cards face risks such as card cloning and theft of card information, which can be extracted from the magnetic stripe by simple means. Cards have now evolved and come embedded with an actual integrated circuit chip to boost card security.
EMV chip cards are based on a global standard, developed by Europay, MasterCard and Visa, as a major security update to traditional magstripe cards. 2.37 billion chip cards have already been issued worldwide, according to EMVCo’s EMV Chip Deployment Statistics. Also called integrated circuit cards, chip cards come with an actual computer chip for enhanced security.
47% of all card fraud occurs in the US, as per a Nilson report. 2015 will bring a new way to pay in-store for many U.S. consumers, with 600 million new EMV chip cards expected to reach their wallets and increasing acceptance of the cards at retail stores. An EMV mandate has been issued in the US which requires merchants to support chip cards at the point of sale by October this year in order to avoid fraud liability. Developers of POS systems such as Square are taking advantage of this mandate to come up with EMV-based products.
From providing Card Data to using a ‘Token’
Why provide payment card information when you can transmit the details in the form of tokens? Tokenization is an alternative security technology that converts the traditional card data, including the Primary Account Number (PAN), into a token. The token is just a number whose only function is to point to the original card data, which is stored in a secure host called the Token Vault. Once the transaction is complete, the token is cancelled.
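The token flow described above, as an added example that is not part of the original article or any vendor's code: a hypothetical in-memory TokenVault issues a random single-use token for a PAN and cancels it when the transaction is redeemed. The class and function names are assumptions, and the card number in the test is the widely used test PAN, not real card data.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2])
    for d in digits[1::2]:
        total += d * 2 - 9 if d > 4 else d * 2
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the secure host that maps tokens to card data."""

    def __init__(self):
        self._store = {}  # token -> PAN; the only place the PAN is kept

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random digits: the token has no mathematical relation to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Reject collisions and tokens that could pass for a real PAN.
            if token not in self._store and not luhn_ok(token):
                self._store[token] = pan
                return token

    def redeem(self, token: str) -> str:
        """Return the PAN for one transaction, then cancel the token."""
        pan = self._store.pop(token, None)
        if pan is None:
            raise KeyError("unknown or already cancelled token")
        return pan


def pay(vault: TokenVault, token: str, amount_cents: int) -> dict:
    """Processor side: the only code path that ever sees the PAN."""
    pan = vault.redeem(token)
    return {"amount_cents": amount_cents, "card_last4": pan[-4:],
            "status": "approved"}
```

The merchant stores and forwards only the token, so a replayed or stolen token fails at `redeem` once the first transaction has completed.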
Mobile payment systems usually require a Trusted Service Manager (TSM). This new token scheme turns Visa, Mastercard and Amex into TSMs and enables payments in the OS. The company Zooz provides a solution in which an online merchant or app publisher executes a script to initiate the payment process for a customer. The code gets a token back, which is passed to the client. This is where the actual payment screen appears for the user. Tokenization is what secures the system.
The concept of Tokenization has been further popularized in recent months since its adoption by Apple Pay.
From hardware SE (secure element) to HCE
With the release of Android 4.4, Google introduced platform support for secure NFC-based transactions through Host Card Emulation (HCE), for payments, loyalty programs, card access, transit passes, and other custom services. With HCE, any app on an Android 4.4 device can emulate an NFC smart card, letting users tap to initiate transactions with an app of their choice. Apps can also use a new Reader Mode to act as readers for HCE cards and other NFC-based transactions.
Additional security layers can be added to HCE-based mobile payments in a number of ways: white-box cryptography, obfuscation of program code (security through obscurity), use of a TrustZone, and further securing the communication channels between the device and the server through (layered) encryption, mutual authentication and dual channels. Instead of storing the card data in the hardware-based SE, ‘tokens’ are downloaded to the device and used to complete the transaction at the point of sale (POS).
PCI-certified Point-to-Point Encryption (P2PE) Payment Technology
With P2PE, transactions are entirely encrypted before they even enter the merchant’s location, essentially removing cardholder data from the merchant’s POS and network. Decryption of this data is not possible until the data has reached a hardware security module (HSM) outside of the merchant or enterprise’s environment.
Any solution provider can claim to offer point-to-point encryption, but not all P2PE solutions are the same. Only solutions that have been audited and validated to conform to the rigorous scrutiny of the PCI standards can offer merchants the peace of mind and transparency that customer data is truly secured. Maintaining compliance with the PCI Data Security Standard (PCI DSS) is a requirement for all merchants who accept credit cards, and failure may result in an array of non-compliance penalties.
Some prominent companies working in this area include Bluefin, Handpoint, FreedomPay, etc.
Location based Authentication
BillGuard, which comes as a dedicated app for Android and iOS, has added a feature that uses the phone’s location to alert users to suspicious payment card usage. When users opt in to this service, BillGuard starts keeping track of the locations where the user’s card is used on a regular basis. It can match this data against the location of future transactions and alert users when required. If a transaction is detected from a location you have not been to, BillGuard will make sure you get the alert. Criminals sometimes use stolen card information to make transactions in the same area as the cardholder so that banks do not flag them as suspicious. BillGuard’s new feature helps fight even such scenarios.
Some companies that are contributing to advancements in payments security through their own innovation:
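One way to implement a location check of this kind, as an added example that is not BillGuard's code or algorithm: it assumes the app has a time-ordered list of phone location fixes and compares the fix closest in time with the merchant's coordinates. The function names, thresholds and all sample coordinates and timestamps are constructed for illustration.

```python
import math
from bisect import bisect_left


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def nearest_fix(fixes, ts):
    """fixes: (unix_ts, lat, lon) tuples sorted by time; return the closest in time."""
    times = [f[0] for f in fixes]
    i = bisect_left(times, ts)
    candidates = fixes[max(i - 1, 0):i + 1]
    return min(candidates, key=lambda f: abs(f[0] - ts))


def check_transaction(fixes, txn, max_km=5.0, max_gap_s=1800):
    """Return 'ok', 'alert' or 'unknown' for an in-store card transaction."""
    if not fixes:
        return "unknown"
    ts, lat, lon = nearest_fix(fixes, txn["ts"])
    if abs(ts - txn["ts"]) > max_gap_s:
        return "unknown"  # no recent fix: do not guess either way
    dist = haversine_km((lat, lon), txn["merchant"])
    return "alert" if dist > max_km else "ok"


# Constructed sample data: phone stays in one downtown spot for 20 minutes.
PHONE_FIXES = [(1420300000 + 600 * i, 41.8781, -87.6298) for i in range(3)]
TXN_NEARBY = {"ts": 1420300500, "merchant": (41.8827, -87.6233)}
# Same metropolitan area, but about 25 km from where the phone is.
TXN_SAME_CITY = {"ts": 1420300700, "merchant": (41.9742, -87.9073)}
TXN_NO_FIX = {"ts": 1420300000 + 5 * 3600, "merchant": (41.8827, -87.6233)}
```

Because the comparison is against the phone's position at the time of purchase rather than the cardholder's home region, a purchase in the same city is still flagged when the phone is elsewhere.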
Gemalto has been making waves by leveraging its Allynis Trusted Service Manager and its UpTeq NFC UICC embedding for SIM in order to secure contactless payments. The company is the prominent player when it comes to securing NFC-based mobile payments. This has led to a number of companies partnering with Gemalto in order to secure contactless payments:
HP is looking to improve the safety and security of transactions made using mobile devices. The company has upgraded its Atalla security software to support NFC payment methods. The software already helps merchants process financial data through HP’s Network Security Processor (NSP). With the current upgrade, it can now support payment methods like Apple Pay and other methods like Visa cloud-based payments.
The new upgrade will help mobile devices that do not have built-in secure elements but are able to make mobile payments. With the upgrade, HP is also extending support for EMV payments. To support EMV payments, HP has partnered with Cryptomathic, a security solutions provider, which will use both HP Atalla and NSP as hardware security modules to protect EMV card data.
In short, the upgraded software provides secure cloud-based payments for mobile devices without the need for a built-in secure element.
Intel has collaborated with NCR Corporation to develop an end-to-end encryption system for consumer and financial data. A combination of Intel Data Protection Technology for Transactions and NCR DataGuard will act as a hardware-software tool to provide a secure encrypted pipeline for personal data on open platforms in retail and financial services. The software part of the solution will run on secure silicon embedded in Intel’s second- and third-generation Core processors. The end-to-end solution will protect data from the moment the information is generated until the point where the encrypted information is processed in secure data centers.
GoNow Technologies, an innovator in developing reprogrammable companion cards for mobile eWallet technology, has been granted a patent for secure storage and two-way communication between a reprogrammable card-based EMV chip and a smartphone-based eWallet. The GoNow Card provides a trusted environment within the card’s Secure Element in which the card issuer(s) can securely encode and store the cardholder’s security credentials as well as the cryptographic keys. The secure information is loaded and stored by the card issuer(s) onto the EMV card at the time the card is personalized.
When paired with any eWallet application on a smartphone, a single reprogrammable GoNow Card can store more than 50 credit, debit, ATM, loyalty or gift cards. The user simply selects the payment or other card on the phone eWallet and the magstripe on the card is instantly programmed with the key data for the card selected. The GoNow Card can then be used at any traditional magstripe, EMV, Dip, ATM or other reader, with no changes necessary to current retailer terminals or back office systems.