Smart Card Alliance slams end-to-end encryption
14 September 2009 | 11528 views | 1
The US payments industry should use contactless chip cards along with dynamic cryptograms - rather than end-to-end data encryption - in the fight against fraudsters, according to an industry association.
In a new paper, the Smart Card Alliance says the flurry of interest in end-to-end encryption systems that has emerged in the wake of high-profile breaches, such as the Heartland case, is misguided.
"Implementing end-to-end encryption is not a panacea; in fact, it may be more akin to putting a steel door on a grass hut," says Randy Vanderhoof, executive director, Smart Card Alliance.
The alliance says that many issuers are already providing contactless payment cards with dynamic cryptograms in order to provide consumers with a fast, convenient way to pay.
But contactless transactions can also improve security because dynamic cryptograms make each payment unique. The chip card must be present to generate a valid cryptogram, which is verified online when the transaction is authorised.
Therefore, expanding use of contactless cards throughout the US payment system would lower fraud because stolen payment information could not be used to make fraudulent cards, argues the group.
In contrast, end-to-end encryption is less secure because it does not end reliance on magnetic stripe cards. Since payment cards would still use static cardholder data for processing, they would remain vulnerable to the primary type of fraud that end-to-end encryption is trying to prevent, which is credit card cloning using stolen data.
Says Vanderhoof: "In our paper we discuss a different approach optimized for the U.S. payment market: using contactless chip cards, including a dynamic cryptogram with each transaction and authorizing transactions online. This stands in sharp contrast to previous considerations of implementing 'chip and PIN' based on the full EMV standard. Instead, this proposal builds on what is already happening in the US - the issuance and merchant acceptance of contactless cards-while keeping in step with globally interoperable EMV standards."