
The quest for security: SDA vs DDA

In the beginning there were magnetic stripe cards. But as EMV has been rolled out across Europe, many banks, especially in the UK, made the decision to issue static data authentication (SDA) smart cards. SDA cards are much harder for fraudsters to attack and counterfeit than magnetic stripe cards. However, SDA cards have known security weaknesses that mean fraudsters may still be able to collect the necessary chip data at the point of sale to produce a counterfeit offline transaction.

To address this, both Visa and MasterCard have issued a mandate for European banks that all offline-capable cards issued after 2011 should use dynamic data authentication (DDA), which is more secure than SDA. This mandate is also in line with SEPA requirements.

DDA cards are more secure than SDA cards because each DDA card stores a cryptographic key that it uses to generate unique data for each transaction, and that data is valid for only one authentication. By contrast, the signature used for SDA cards is the same every time. As a result, unless issuers send transactions from SDA cards over the processing network for online authentication, terminals might not be able to detect fraudulent cards.
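The difference between the two terminal checks can be seen in a small simulation, added here as an illustration and not taken from any scheme specification. It uses toy textbook RSA over constructed primes, and the class names, key values and card data layout are assumptions; real EMV certificate chains and data formats are not modelled.

```python
import hashlib
import secrets

# Toy textbook RSA over constructed Mersenne primes: illustration only, not EMV formats.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

ISSUER_PUB, ISSUER_PRIV = make_key(2**107 - 1, 2**127 - 1)  # hypothetical issuer key
CARD_PUB, CARD_PRIV = make_key(2**61 - 1, 2**89 - 1)        # hypothetical per-card key

class Card:
    """Genuine card: static data, the issuer's signature over it, and a private key."""
    def __init__(self):
        self.static = b"PAN=0000000000000000;CARDKEY=%d" % CARD_PUB[0]  # constructed
        self.issuer_sig = sign(ISSUER_PRIV, self.static)
    def respond(self, challenge):
        return sign(CARD_PRIV, challenge)

class CopiedCard:
    """Copy of the data a terminal can read; the card's private key is not in it."""
    def __init__(self, genuine, seen_challenge):
        self.static, self.issuer_sig = genuine.static, genuine.issuer_sig
        self._old_response = genuine.respond(seen_challenge)
    def respond(self, challenge):
        return self._old_response  # without the key, only an old response exists

def terminal_sda(card):
    # SDA: only the issuer's fixed signature over the static data is checked.
    return verify(ISSUER_PUB, card.static, card.issuer_sig)

def terminal_dda(card, challenge=None):
    # DDA: the static check, then a fresh challenge the card itself must sign.
    if not terminal_sda(card):
        return False
    challenge = challenge or secrets.token_bytes(8)
    card_n = int(card.static.split(b"CARDKEY=")[1])
    return verify((card_n, 65537), challenge, card.respond(challenge))
```

Both objects pass `terminal_sda`, but only the genuine card passes `terminal_dda` when the terminal picks a challenge that has not been used before.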

So what could delay the evolution to DDA smart cards? One factor is that issuing DDA cards is not as straightforward as issuing SDA ones. There are significant cryptography capacity challenges associated with DDA. For example, it can take up to eight times longer to generate the cryptographic keys for a DDA card. Yes, up to eight times. However, with the SEPA deadline just around the corner, not to mention the Visa and MasterCard mandates, DDA must become a priority for issuers. If the implementation of DDA cards by 2010 is to be a smooth one, issuers must urgently address all potential capacity bottlenecks, including cryptographic key generation.
