Resources
See latest resources ยป
Lockstep applies PKI to EMV smartcards to tackle card-not-present fraud

Lockstep applies PKI to EMV smartcards to tackle card-not-present fraud

Source:

Card-not-present fraud incidents are growing, and this is an area of fraud that many companies are trying to address. While EMV smartcards are commonly deployed with unconnected readers to generate one time passwords, Lockstep's Stepwise is the first to fully exploit public key cryptography in chip devices. Thanks to its modifications to traditional the digital signature approach, and use of a connected card reader, it is inherently resistant to man-in-the-middle attacks.

Stepwise encapsulates customer reference numbers, identifiers, biometrics or any other personal ID, and seals them cryptographically into a chip. It can be a smartcard or a SIM, or it can be a dedicated USB key. Each identifier is isolated, stripped of all extraneous personal detail and linkages, and placed under the sole control of its owner. Stepwise ensures that when any identifier is presented online, the receiver knows that it’s legitimate, it came from a genuine security device, and that it was used with consent.

Stepwise involves a standard digital certificate, issued to a chip held by the user and signed by a business with whom the user has a trusted relationship, such as a bank, a health body, a licensing authority or a government agency. The Stepwise certificate declares that someone with a certain identifier is associated with a public key carried on a particular chip device, without revealing who that someone is. The individual remains anonymous to all third parties, unless and until they present their chip.

When a transaction is digitally signed using a Stepwise certificate, the transaction data is indelibly bound to the Stepwise encapsulated identifier but contains no other identifying information.

Lockstep currently has customers evaluating Stepwise as a standalone deployment for merchant shopping carts, whereby it displaces the collection of data such as full name, billing address and CVV2, produces a fast and easy user experience, and is technically simpler for merchants to integrate because it requires no authentication server. It is also being evaluated as an technology to integrate with MasterCard 3D Secure.

Finextra verdict: By finding a new application for digital certificates in an e-commerce and financial services context, Lockstep's approach will likely apppeal to retailers and processors alike, who are under constant pressure to maintain the security of the data they hold about customers. If they no longer have to retain such volumes of data, they will save significant effort and resources currently expended trying to keep it secure.

Comments: (2)

Nick Collin
Nick Collin - Collin Consulting Ltd - London 18 June, 2009, 10:57Be the first to give this comment the thumbs up 0 likes

While I applaud the principles of Lockstep's approach, I don't understand the need to introduce another PKI when there is already one embedded within EMV chip, and used by Remote Chip Authentication with handheld readers.  Surely this is a much more practical approach, or am I missing something?

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 03 August, 2009, 00:01Be the first to give this comment the thumbs up 0 likes

Nick, The advantages of Stepwise over CAP include (1) it's faster to process at the merchant server, with no need for a third party authentication server, (2) it's far easier to use because there's less data entry and no re-keying from the CAP reader to the browser, and (3) it's more powerful and flexible because we create real signatures over the transactions.  The incremental cost of the 'extra PKI' is very small; if the Stepwise certificates chain via the issuing bank to a recognised Root CA, then the PKI is actually already in place; all we need to do is personalise the EMV DDA cards with an extra Stepwise key and certificate.  CAP is a clever stop-gap solution, and it was strategically important because it showed how EMV cards could be used online, but the best long term solution is genuine transaction signing using integrated card readers, so e-shopping becomes as natural and secure as regular POS.

Embracing Open Banking with Secure and Interconnected APIs
Innovation Showcase resources
See all Innovation Showcase resources »
Innovation Showcase
/innovation showcase

Innovation Showcase

Finextra highlights the most innovative technologies, products and projects in financial services over the last 12 months.

NAB, Telstra and Visa merge credit card with mobile phone
/innovation showcase

NAB, Telstra and Visa merge credit card with mobile phone

In pilot from August 2008 the NFC Contactless mobile payments service is the first Australian mobile application of near-field communication (NFC) payment technology, loading a NAB Visa credit card securely onto a Telstra SIM card within a mobile phone handset.

Quartet innovates in risk and the trade lifecycle
/innovation showcase

Quartet innovates in risk and the trade lifecycle

ActiveStream helps banks replace the cancel-re-book methodology for trade modification, reducing fraud and cost of manual processes; while ActivePivot allows real-time OLAP manipulation of fast moving risk data.