Skip to content

ACI Blog

When Everything Goes Dynamic: EMV, Tokens and CV2

The fix, as it is becoming clearer, is to take payment card information (account numbers, card verification values and the like) and devalue this data in an effort to make it less relevant to the hackers who seek to harvest and sell it. But the ways we are developing the fix are not very dissimilar, conceptually.

Is there more to this commonality and does this offer us a theme for what we should expect in the technologies that support payment processing through the front lines of the merchants POS systems?

I’m going to offer that this may be something we’re already quite familiar with, and that this technology is fairly easy to demystify… it’s just using surrogates for the numbers we use to authorize every transaction, and they are both the problem and the solution. We’ve been mostly using them “in the clear” or unencrypted (for decades!), and this is why we have massive merchant breaches and high rates of card fraud.

Clearly, our processing of these numbers wasn’t quite keeping up with the rest of technology as we entered the information age.

Tell me, when was the last time you entered a static password without it being hashed out for you? How often are we reminded that the static password is failing us? 

We are finding better solutions using technology that are still user-friendly and disrupt the fraud cycle. If we really consider it, any credit card number on a magnetic stripe, the 16-digit pan, is just a pseudo account number that was made a token for an account around 40 years ago, so it’s fairly long in the tooth.

For starters, the one technology topic on the tip of the tongue of most discussions is around EMV or Chip Cards.

So, what’s the big deal, we’ve got a new chip on our plastics; it looks like a SIM card and it works like one. Do we really know how it works? Some of the industry leaders frequently get it wrong, and I have an idea why… it’s actually pretty complicated behind the scenes.

There are some elements like cryptograms and other super-secret validations (both offline and online) that go on in the background that would frighten most technophiles in terms of their complexity. But rest assured, it works quite well and most of the rest of the world is already done with their deployments, so we can all exhale.

Alright, let’s bring this back to topic… the killer element (as I see it) is the iCVV, a dynamic (it can change with each transaction) electronic version of that 3-digit code, and it can only be used with a chip transaction, where the cardholder is present at the merchant’s point of sale. If a bad CVV is used, the issuer will typically decline the transaction. Voilà, we’ve (mostly) fixed card present fraud when the transaction processes on the chip!

Yet, the argument is that this isn’t a silver bullet because it doesn’t fix card not present fraud (or worse, it “shifts” the fraud there… and I can counter that).

So what might be the “chip” equivalent for card not present?

We’re still waiting for that standard to be released by the authors of the chip card, EMVCo, but there are some encouraging signs coming out of the industry… I keep seeing attempts to pioneer a dynamic CV2 out of the industry, an algorithm that changes the CV2 every few minutes or hour, pop up as a potential solution.

So imagine that there is a second chip embedded in the card, and this chip changes the CV2 on an LCD window (which has an internal battery that lasts as long as the card does). This is a potential solution emerging in Europe (which is where the card present EMV/chip standard was pioneered) where some banks are already piloting the technology.

Tokenization is now most famous with Apple Pay and is much the same; we have a token that’s placed on the device that is used as a surrogate for the card number (PAN).

In any event, it’s removed the PAN from the transaction and thus, divorced itself from the capacity to be harvested and reused outside of the device on which it resides. This is the equivalent of the hashing the password, but associating it with the device is the equivalent of making the token dynamic (as in there is only one static token per device).

Here comes the science: With this pseudo-dynamic PAN, we have an authenticated token unique to the encrypted device and it can’t be used elsewhere, so it’s fairly secure (once the token-device registration is securely authenticated).

When the final nail is in the coffin for the mag-stripe and the static CV2, we’re solidly in dynamic-ville and we will likely see a tightened security infrastructure in the card space.

However, at this point in the future, who is to say there is a card needed at all. Perhaps we’ll virtualize it, it’s tokenized on our device into that great mobile wallet in the cloud. Perhaps we’ve eradicated all payment data sent in the clear and encouraged merchants to distance themselves from other data that can be tied to a customer.

This overarching strategy, sometimes known as “data toxification,” is not just another buzzword, it’s happening… a concerted strategy suggested by the major networks. All these disconnected technologies do in fact have a common core, and are being pushed and pulled and executed on by those powers that can not just suggest it as a policy, but enforce it.

It makes sense to look back in your business, where you have stored or are moving data in the clear, and start thinking about where and how to tokenize, or devalue data stored and sent in the clear. This will inevitably be disruptive to the endless payment card fraud cycle we’ve been on for a decade now.

Although by then, there will likely be something else for us to focus our financial crime attention on. Our work never ends there.

Sr. Fraud Consultant, Americas

Seth Ruden is a Certified Fraud Examiner and Certified Anti-Money Laundering Specialist and has been working with banks in the detection and mitigation of financial crimes since 2004,in the compliance department of one of the largest global banks. Since then, he has worked with Law Enforcement, Regulators, Executives and Analysts in consulting positions beyond the United States, extending to financial services organizations in Asia, the Middle East and North and South America. Interests include Payments Security, Financial Crimes, Fraud, Money Laundering, Cyber Crime, Biometrics, Authentication, Data Breaches, Compromises, Risk Management, Hacking and Technology Innovation.