Card-not-present fraud incidents are growing, and this is an area of fraud that many companies are trying to address. While EMV smartcards are commonly deployed with unconnected readers to generate one-time passwords, Lockstep's Stepwise is the first to fully exploit public key cryptography in chip devices. Thanks to its modifications to the traditional digital signature approach, and use of a connected card reader, it is inherently resistant to man-in-the-middle attacks.
Stepwise encapsulates customer reference numbers, identifiers, biometrics or any other personal ID, and seals them cryptographically into a chip. The chip device can be a smartcard or a SIM, or it can be a dedicated USB key. Each identifier is isolated, stripped of all extraneous personal detail and linkages, and placed under the sole control of its owner. Stepwise ensures that when any identifier is presented online, the receiver knows that it’s legitimate, it came from a genuine security device, and that it was used with consent.
Stepwise involves a standard digital certificate, issued to a chip held by the user and signed by a business with whom the user has a trusted relationship, such as a bank, a health body, a licensing authority or a government agency. The Stepwise certificate declares that someone with a certain identifier is associated with a public key carried on a particular chip device, without revealing who that someone is. The individual remains anonymous to all third parties, unless and until they present their chip.
When a transaction is digitally signed using a Stepwise certificate, the transaction data is indelibly bound to the Stepwise encapsulated identifier but contains no other identifying information.
Lockstep currently has customers evaluating Stepwise as a standalone deployment for merchant shopping carts, whereby it displaces the collection of data such as full name, billing address and CVV2, produces a fast and easy user experience, and is technically simpler for merchants to integrate because it requires no authentication server. It is also being evaluated as a technology to integrate with MasterCard 3D Secure.
Finextra verdict: By finding a new application for digital certificates in an e-commerce and financial services context, Lockstep's approach will likely appeal to retailers and processors alike, who are under constant pressure to maintain the security of the data they hold about customers. If they no longer have to retain such volumes of data, they will save significant effort and resources currently expended trying to keep it secure.