Security: The Dynamic Duo

Linda Punch

Proponents say EMV chip cards with dynamic authentication could take a real bite out of card fraud. But what does this new technology mean for PINs?

As the card industry rolls out so-called EMV contact and contactless chip cards in the U.S., the technology known as dynamic data authentication (DDA) is likely to play a key role. Dynamic authentication will not only result in more secure transactions at the point of sale, it also will pave the way for accelerated innovation of mobile and other types of payments, its backers say.

Dynamic authentication, the use of changing variables unique to each individual card transaction, eventually could protect a large share of point-of-sale transactions in the U.S. done with chip-embedded cards based on the Europay-MasterCard-Visa specifications. EMV, a proprietary standard developed by MasterCard Inc. (which absorbed the Europay network in 2002) and Visa Inc., is designed to prevent the counterfeiting so prevalent with magnetic-stripe cards.

When conventional mag-stripe credit and debit cards are swiped at a POS terminal, data stored within the mag-stripe, such as the primary account number (PAN) and expiration date, are transmitted to the issuer. The data—known as static data—remain the same for each transaction. Criminals over the years have found ways to skim this confidential account data off of the mag stripe for use in creating fraudulent cards.

Skimming typically occurs when a consumer swipes a card through a POS terminal or inserts it in a card reader or ATM to which a criminal has attached a small electronic device that captures the cardholder’s account data from the card’s magnetic stripe.

Dynamic authentication is a means to make the chip nearly impossible to counterfeit. In EMV transactions using dynamic authentication, the chip is a mini computer that generates a unique cryptogram using transaction data each time the card is inserted into a chip terminal. The cryptogram is then sent to the card issuer, which uses its keys and codes to calculate a cryptogram based on the same transaction data.

“So long as those two cryptograms match, the issuer knows the data is from a valid card,” says Stephanie Ericksen, head of authentication product integration at Visa.

‘Momma and Child’

Dynamic authentication is one of the most recent improvements in the authentication methods for EMV since the standard was introduced. EMV’s original specification was developed in 1994, according to processor First Data Corp. EMV has been in use in various locations around the world for some time, including parts of Europe and Asia, and more recently in Canada and Mexico.

“Dynamic authentication is the best possible authentication in the EMV world from the ‘momma,’ the card issuer, to the ‘child,’ the card itself,” says Patty Walters, senior vice president of merchant products and security for Vantiv Inc., a Cincinnati-based merchant acquirer and processor that owns the Jeanie EFT network. “It’s the ability to pass dynamic data so that authentication is real time and it offers the best chance for thwarting counterfeit fraud.”

Adds David Kaminsky, senior analyst of emerging technologies at Maynard, Mass.-based Mercator Advisory Group Inc.: “Effectively, you have a different number being sent each time.”

In many countries, EMV cards also are authenticated by PINs. The PIN’s place in the coming U.S. EMV environment however, is the subject of intense debate. Static data such as PINs are less secure and primarily used in environments where offline authorization and authentication are necessary, for example, regions where there is no online—online in this context meaning real-time—authorization available, experts say. That’s often the case in countries with under-developed or unreliable telephone land-lines.

“There’s always going to be static elements in a dynamic data transaction,” Ericksen says. “Your account number, expiration data—those are always going to be the same. But what is different with chip is that with every transaction, in addition to those static elements that are the same for every transaction, there also is a dynamic cryptogram changing with every transaction. Dynamic data authentication is impervious to cloning.”

Because the U.S. has extensive and reliable telecommunications infrastructure in place for processing online transactions, dynamic authentication has the potential to become the norm.

“It’s a faster transaction if you’re just sending the details online to the issuer to do that authentication rather than having it be conducted offline between the card and the terminal first,” Ericksen says.

While chip cards can cost more than mag-stripe cards to produce, “we believe it’s worth the cost and incrementally it does provide some significant benefits to thwart counterfeit fraud,” Walters says. “The benefit is worth the investment.”

Indeed, the introduction of EMV in Canada has helped reduce fraud losses on Interac debit cards tied to skimming to their lowest level in a decade, the Toronto-based Interac Association reported last month. Skimming-related losses decreased to C$38.5 million in 2012 from a high of C$142 million in 2009, down 73%. That represents 0.012% of domestic Interac debit card volume and the lowest volume of fraud losses since data were recorded in 2003.

Interac began to roll out EMV in 2008, with fraud volume peaking in 2009 “when fraudsters knew the window was going to close, and we’ve seen that steady decline since,” an Interac spokesperson says.

Is the PIN Needed?

In the U.S., the expected increased protection against counterfeiting offered by EMV and dynamic authentication has prompted the card networks to offer merchants using chip-card-accepting terminals relief from selected portions of the Payment Card Industry data-security standard (PCI). Visa is eliminating the requirement that merchants annually validate their compliance with the PCI standard provided that 75% of their Visa transactions originate at chip-enabled terminals. To qualify, POS terminals must be enabled to accept contact and contactless chip cards as well as NFC (near-field communication) contactless payments from mobile devices.

MasterCard and Discover are offering similar incentives to merchants. All the networks will still expect merchants to comply with PCI’s rules.

In addition, effective Oct. 15, 2015, Visa will shift liability for a fraudulent transaction from the issuer to the acquirer if the customer presents a contact chip card to a merchant that at a minimum has not installed contact chip card terminals. Acquirers will pass the cost to their merchants. MasterCard has a similar liability shift to encourage merchants to invest in EMV chip-accepting terminals.

EMV can support chip-and-signature transactions and chip and PIN, with both backed by dynamic authentication. The card networks are giving U.S. issuers the options to issue both types of cards. Many merchant groups and executives from individual retailers and EFT networks strongly favor chip and PIN, noting that PIN-debit cards have much lower fraud rates than signature-based cards.

But Visa is pushing chip and signature, saying EMV with dynamic authentication is an adequate anti-counterfeiting measure. Some merchants and EFT executives claim Visa is anti-PIN, although Visa says that while it favors chip and signature with DDA support, its EMV proposals also include support for the PIN.

PINs are commonly used with European chip cards because real-time authorizations are either unavailable or expensive. That’s not the case in the U.S., which has a telecommunications system that nearly always enables real-time authorizations.

Chip and signature is the only option available in some parts of the world, notes Vantiv’s Walters.

“EMV is a global interoperable standard and in many parts of the world the terminals cannot support online PIN,” she says.

In the U.S., many unattended points of purchase, like kiosks and vending machines, also may not have online capability that would allow the real-time authentication of the PIN, according to Walters.

What’s more, encouraging the use of the PIN for EMV credit transactions gives fraudsters more opportunity to compromise the PIN, Visa’s Ericksen says. That could lead to more ATM fraud.

At the same time EMV and dynamic authentication offer merchants increased security and relief from some PCI requirements, it also opens the way for further innovations in payments, such as mobile and NFC payments, some experts say. The standard set of chip fields within the authorization message for dynamic authentication also can support mobile, contactless and contact chip transactions.

“That same message sent to support the dynamic data cryptogram validation is also being leveraged for things like mobile wallets, store credentials and other authentication as we start to move to more cloud-based applications and payments,” Ericksen says. “Once merchants invest in being able to pass additional data to support dynamic data authentication, that [technology] cannot only work for cards—contact and contactless—but it can work for mobile and mobile wallet.”

Visa’s digital wallet will support dynamic authentication across multiple channels, including e-commerce, she says.

EMV chip technology already is being used in other countries for contact, contactless and mobile payments and has been leveraged for emerging complementary services such as public transit, Internet and mobile banking.

Paradoxically, while EMV and dynamic authentication can aid the move into new payment methods, introduction of the anti-fraud technology also may prompt fraudsters to focus their attention on e-commerce, mobile and other card-not-present transactions, says Shirley Inscoe, a senior analyst at Boston-based Aite Group LLC. The EMV chip itself provides no special protection against Internet and telephone-based card fraud.

“What they’ve seen in other countries is a trend where they roll out EMV and point-of-sale fraud decreases dramatically,” she says. “However, what they’ve been seeing is that card-not-present fraud increases.”

‘Path of Least Resistance’

The card networks are preparing for the expected shift in fraud from POS transactions to card-not-present purchases.

“Certainly there’s no silver bullet,” Ericksen says. “Implementing chip helps with counterfeit fraud for the point of sale, but then fraudsters are going to go after the other locations. Fraud goes to the path of least resistance. That’s why Visa is continuing to invest in dynamic data authentication for e-commerce, mobile and other channels.”

In fact, technology to blunt the impact of the fraud shift is in use in some European countries, Inscoe says. For example, in Sweden and the United Kingdom, banks issue a small device that plugs into a laptop computer for consumers buying goods and services online.

“When they get ready to pay, they insert their card into this small device and it generates a one-time pass code,” she says. “It’s really enabling your laptop to almost be a point-of-sale terminal so that the chip-and-PIN technology can work even in an online environment.”

As with the introduction of other anti-fraud measures, such as the PCI standard, EMV and dynamic authentication will succeed only if merchants adopt the new technology. And some observers see an uphill battle.

Larger merchants “have a clearer understanding of the EMV challenge ahead, if not an actual plan to implement it,” Walters says. “But medium and smaller merchants may not even know how to spell EMV let alone how important it will be to them. If we have the majority of our merchant community installed and running new, EMV-capable technology by October of 2015, I will be very surprised.”