When Everything Goes Dynamic: EMV, Tokens and CV2
Have you noticed the discussions in the payment card space revolving around some very similar technology concepts? It appears a handful of cryptic technologies are driving the conversation, seeking to solve a problem that is both complex and simple. What they have in common, as this author has some capacity to speak on, is fraud.
The fix, as it is becoming clearer, is to take payment card information (account numbers, card verification values and the like) and devalue this data in an effort to make it less relevant to the hackers who seek to harvest and sell it. But the ways we are developing the fix are not very dissimilar, conceptually.
Is there more to this commonality, and does it offer us a theme for what we should expect in the technologies that support payment processing through the front lines of the merchants' POS systems?
I’m going to offer that this may be something we’re already quite familiar with, and that this technology is fairly easy to demystify… it’s just using surrogates for the numbers we use to authorize every transaction, and they are both the problem and the solution. We’ve been mostly using them “in the clear” or unencrypted (for decades!), and this is why we have massive merchant breaches and high rates of card fraud.
Clearly, our processing of these numbers wasn’t quite keeping up with the rest of technology as we entered the information age.
Tell me, when was the last time you entered a static password without it being hashed out for you? How often are we reminded that the static password is failing us?
We are finding better solutions using technology that are still user-friendly and disrupt the fraud cycle. If we really consider it, any credit card number on a magnetic stripe, the 16-digit PAN, is just a pseudo account number that was made a token for an account around 40 years ago, so it’s fairly long in the tooth.
For starters, the one technology topic on the tip of the tongue of most discussions is around EMV or Chip Cards.
So, what’s the big deal, we’ve got a new chip on our plastics; it looks like a SIM card and it works like one. Do we really know how it works? Some of the industry leaders frequently get it wrong, and I have an idea why… it’s actually pretty complicated behind the scenes.
There are some elements like cryptograms and other super-secret validations (both offline and online) that go on in the background that would frighten most technophiles in terms of their complexity. But rest assured, it works quite well and most of the rest of the world is already done with their deployments, so we can all exhale.
Alright, let’s bring this back to topic… the killer element (as I see it) is the iCVV, a dynamic (it can change with each transaction) electronic version of that 3-digit code, and it can only be used with a chip transaction, where the cardholder is present at the merchant’s point of sale. If a bad CVV is used, the issuer will typically decline the transaction. Voilà, we’ve (mostly) fixed card present fraud when the transaction processes on the chip!
Yet, the argument is that this isn’t a silver bullet because it doesn’t fix card not present fraud (or worse, it “shifts” the fraud there… and I can counter that).
So what might be the “chip” equivalent for card not present?
We’re still waiting for that standard to be released by the authors of the chip card, EMVCo, but there are some encouraging signs coming out of the industry… I keep seeing attempts to pioneer a dynamic CV2, an algorithm that changes the CV2 every few minutes or every hour, pop up as a potential solution.
So imagine that there is a second chip embedded in the card, and this chip changes the CV2 on an LCD window (which has an internal battery that lasts as long as the card does). This is a potential solution emerging in Europe (which is where the card present EMV/chip standard was pioneered) where some banks are already piloting the technology.
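To make the rotating code concrete, here is an added sketch that is not from the original post and is not any bank's or vendor's algorithm: a time-windowed code derived with HMAC and truncated in the style of HOTP (RFC 4226), with the issuer-side check and a measurement of how often a harvested code still passes later. The 10-minute window, the per-card key, the sample PAN and all function names are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 600  # assumed rotation interval; the article says "every few minutes or hour"

def dynamic_cv2(card_key, pan, expiry, now, window=WINDOW_SECONDS):
    """Card side: derive the 3-digit code for the time window containing `now`."""
    counter = now // window
    msg = f"{pan}|{expiry}|".encode() + struct.pack(">Q", counter)
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226), reduced to three decimal digits.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"

def issuer_accepts(card_key, pan, expiry, presented, now, drift=1, window=WINDOW_SECONDS):
    """Issuer side: accept the current window plus/minus `drift` windows of clock skew."""
    ok = False
    for d in range(-drift, drift + 1):
        expected = dynamic_cv2(card_key, pan, expiry, now + d * window, window)
        ok |= hmac.compare_digest(expected, presented)
    return ok

def replay_acceptance_rate(card_key, pan, expiry, stolen, start, trials=1000):
    """Fraction of later windows in which a harvested code still passes by chance."""
    hits = sum(issuer_accepts(card_key, pan, expiry, stolen, start + i * WINDOW_SECONDS)
               for i in range(trials))
    return hits / trials

# Constructed sample data: a well-known test PAN and a made-up per-card key.
CARD_KEY = b"constructed-demo-key-not-a-real-issuer-key"
PAN, EXPIRY = "4111111111111111", "2912"
T0 = 1_700_000_400  # constructed timestamp, aligned to the start of a window

if __name__ == "__main__":
    code = dynamic_cv2(CARD_KEY, PAN, EXPIRY, T0)
    print("code at purchase:", code)
    print("accepted now:", issuer_accepts(CARD_KEY, PAN, EXPIRY, code, T0))
    rate = replay_acceptance_rate(CARD_KEY, PAN, EXPIRY, code, T0 + 2 * WINDOW_SECONDS)
    print(f"replay acceptance over later windows: {rate:.3%}")
```

With only three digits, a stale or guessed code still matches by chance a few times per thousand attempts, so the issuer side also needs attempt limiting.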
Tokenization is now most famous with Apple Pay and is much the same; we have a token that’s placed on the device that is used as a surrogate for the card number (PAN).
In any event, it’s removed the PAN from the transaction and thus, divorced itself from the capacity to be harvested and reused outside of the device on which it resides. This is the equivalent of hashing the password, but associating it with the device is the equivalent of making the token dynamic (as in there is only one static token per device).
Here comes the science: With this pseudo-dynamic PAN, we have an authenticated token unique to the encrypted device and it can’t be used elsewhere, so it’s fairly secure (once the token-device registration is securely authenticated).
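The device binding described above can be modelled in a few lines. This is an added, simplified sketch, not code from the original post and not Apple Pay's or EMVCo's actual token scheme: a vault issues a surrogate number in place of the PAN and releases the PAN only when the transaction carries a fresh MAC from the enrolled device. The device-held key, the transaction counter, the token format and all names are assumptions.

```python
import hashlib
import hmac
import secrets

def luhn_check_digit(body):
    """Check digit that makes body + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def device_cryptogram(device_key, token, amount_cents, counter):
    """Device side: MAC over the token and transaction details with the device-held key."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class TokenVault:
    """Token service side: the only place where token and PAN are linked."""
    def __init__(self):
        self._entries = {}  # token -> [pan, device_key, last_counter_seen]

    def provision(self, pan):
        # Assumed token format: 16 digits, arbitrary leading "9", Luhn-valid.
        body = "9" + "".join(secrets.choice("0123456789") for _ in range(14))
        token = body + luhn_check_digit(body)
        device_key = secrets.token_bytes(32)  # stays on the enrolled device
        self._entries[token] = [pan, device_key, 0]
        return token, device_key

    def detokenize(self, token, amount_cents, counter, cryptogram):
        """Return the PAN only for a fresh transaction signed by the enrolled device."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        pan, device_key, last_counter = entry
        expected = device_cryptogram(device_key, token, amount_cents, counter)
        if counter <= last_counter or not hmac.compare_digest(expected, cryptogram):
            return None
        entry[2] = counter
        return pan

if __name__ == "__main__":
    vault = TokenVault()
    token, key = vault.provision("4111111111111111")  # constructed test PAN
    good = device_cryptogram(key, token, 1999, 1)
    print("enrolled device:", vault.detokenize(token, 1999, 1, good))
    print("replayed message:", vault.detokenize(token, 1999, 1, good))
    forged = device_cryptogram(secrets.token_bytes(32), token, 1999, 2)
    print("other device:", vault.detokenize(token, 1999, 2, forged))
```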
When the final nail is in the coffin for the mag-stripe and the static CV2, we’re solidly in dynamic-ville and we will likely see a tightened security infrastructure in the card space.
However, at this point in the future, who is to say there is a card needed at all? Perhaps we’ll virtualize it, it’s tokenized on our device into that great mobile wallet in the cloud. Perhaps we’ve eradicated all payment data sent in the clear and encouraged merchants to distance themselves from other data that can be tied to a customer.
This overarching strategy, sometimes known as “data toxification,” is not just another buzzword, it’s happening… a concerted strategy suggested by the major networks. All these disconnected technologies do in fact have a common core, and are being pushed and pulled and executed on by those powers that can not just suggest it as a policy, but enforce it.
It makes sense to look back in your business, where you have stored or are moving data in the clear, and start thinking about where and how to tokenize, or devalue data stored and sent in the clear. This will inevitably be disruptive to the endless payment card fraud cycle we’ve been on for a decade now.
Although by then, there will likely be something else for us to focus our financial crime attention on. Our work never ends there.