Monday, November 25, 2024

Gemalto Brings Its ‘Dynamic Code Verification’ To the Fight Against Card-Not-Present Fraud

With the coming of EMV chip card payments to the U.S. point of sale on Oct. 1, merchants, merchant acquirers and credit and debit card issuers are bracing for an expected boom in card-not-present (CNP) fraud. Countless processors, payment gateways and tech companies have announced products and services meant to repulse, or at least slow down, the CNP fraudster attack.

Into this fray comes the big smart card maker and digital security technology provider Gemalto NV, which this week introduced its Dynamic Code Verification (DCV) product, a special EMV card with a mobile-payments equivalent. The card’s fraud-reduction promise, however, could be offset by its high cost, and it doesn’t address the lax security procedures of many online retailers fearful of abandoned sales.

The card’s distinguishing feature is its three-digit security code, powered by a built-in battery, that is automatically generated every 20 minutes in an electronic display on the back of the card. The DCV replaces the static, three-digit codes commonly known as the Card Verification Value (CVV2) on Visa cards and the Card Validation Code (CVC2) on MasterCard cards. The mobile version of the card also generates a dynamic code on a smart phone.

A fraudster with someone else’s primary account number (PAN), the cardholder name and expiration date, and the correct CVV2/CVC2 will be able to carry out a fraudulent CNP transaction. But it would be pretty hard to commit fraud with stolen DCV credentials unless the fraudster could put the data to use within the one-third of an hour after the last code was created. “The code changes every 20 minutes, dramatically enhancing the security level of online transactions,” says a Gemalto release.
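The rotation described above can be sketched with the standard HOTP/TOTP construction (RFC 4226/6238), using the article's 20-minute step and three digits, to show how long a stolen code stays usable. This is an added example, not Gemalto's algorithm, which the article does not describe; the HMAC-SHA1 construction, the sample key and the `drift_steps` acceptance policy are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 20 * 60  # rotation interval stated in the article
DIGITS = 3              # code length stated in the article
DEMO_KEY = b"12345678901234567890"  # constructed sample key (RFC 4226 test secret)


def code_for_counter(card_key: bytes, counter: int) -> str:
    """HOTP (RFC 4226) over the window counter, truncated to three digits."""
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def dynamic_code(card_key: bytes, unix_time: int) -> str:
    """Code shown during the 20-minute window that contains unix_time."""
    return code_for_counter(card_key, unix_time // STEP_SECONDS)


def issuer_accepts(card_key: bytes, submitted: str, unix_time: int,
                   drift_steps: int = 0) -> bool:
    """Issuer-side check. drift_steps > 0 also accepts that many earlier
    windows (an assumed clock-drift policy), which lengthens replay time."""
    current = unix_time // STEP_SECONDS
    accepted = False
    for counter in range(max(0, current - drift_steps), current + 1):
        expected = code_for_counter(card_key, counter)
        accepted |= hmac.compare_digest(expected, submitted)
    return accepted


def seconds_until_rotation(unix_time: int) -> int:
    """Remaining lifetime of a code observed at unix_time (no drift tolerance)."""
    return STEP_SECONDS - unix_time % STEP_SECONDS


if __name__ == "__main__":
    stolen_at = 19 * 60  # code skimmed 19 minutes into the first window
    stolen = dynamic_code(DEMO_KEY, stolen_at)
    print("stolen code:", stolen, "valid for", seconds_until_rotation(stolen_at), "s")
    for minutes_later in (0, 2, 25):
        t = stolen_at + minutes_later * 60
        print(minutes_later, "min later:", issuer_accepts(DEMO_KEY, stolen, t),
              "| with one window of drift:", issuer_accepts(DEMO_KEY, stolen, t, 1))
```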

The card also does not require either consumers or merchants to change existing card-usage procedures, according to Håkan Nordfjell, senior vice president of eBanking and eCommerce at Netherlands-based Gemalto’s office in Belcamp, Md., near Baltimore. “It’s a normal EMV card,” Nordfjell tells Digital Transactions News. “This is [a] good thing to escape the card-not-present fraud that is booming.”

The battery, Nordfjell adds, is off most of the time and lasts up to three years—the typical time span before the issuer replaces the card. “It’s very little power consumption,” he says.

The DCV card, however, doesn’t come cheap. It costs “a few times more compared to an ordinary EMV card,” according to Nordfjell. He wouldn’t give numbers, but card-production executives say a contact EMV card costs about $1, while a so-called dual-interface card that supports contact and contactless transactions can cost about $2. Actual prices vary based on order volume, features and other factors.

Despite the high price, a number of banks are testing DCV cards and one in Mexico, which Gemalto would not identify, is rolling it out. “We have quite a few in the pipe, they are testing it,” says Nordfjell.

Security analyst Julie Conroy, research director at Boston-based Aite Group LLC, says by email that “the technology is interesting though it’s not really new.” In 2014, Gemalto rival Oberthur Technologies bought a company called NagraID Security SA that had similar technology, she notes.

Besides price, other big obstacles to dynamic security codes, she says, are merchant practices and liability. Dynamic codes can’t solve one of the biggest problems in e-commerce: the failure of online merchants to ask the purchaser to enter the CVV2/CVC2. Without being able to provide that number if asked, a criminal may not be able to complete a fraudulent purchase. But many merchants dread asking for it because the extra step does lead to some abandoned sales.

“A lot of merchants aren’t even asking for the static CVV2 today, out of concern about friction,” Conroy says.

Says Nordfjell: “It’s a question we would also like to answer, too. You don’t have a silver bullet.”

Liability issues also come into play, according to Conroy. Currently, merchants bear liability for most fraudulent CNP transactions, “so this makes the business case [for issuers] even harder,” she says. Issuers bear responsibility only if 3D Secure is used, and that underutilized technology is being improved to add dynamic features, she says. “So why would issuers want to make this investment?”

According to Nordfjell, some issuers, after examining their card portfolios and risk profiles, will conclude that they will get a positive return on their investment, especially as CNP fraud rises. “They can see a positive flow on it,” he says.
