
Smart Card Alliance slams end-to-end encryption

14 September 2009  |  Security/Risk

The US payments industry should use contactless chip cards along with dynamic cryptograms - rather than end-to-end data encryption - in the fight against fraudsters, according to an industry association.

In a new paper, the Smart Card Alliance says the flurry of interest in end-to-end encryption systems that has emerged in the wake of high-profile breaches, such as the Heartland case, is misguided.

"Implementing end-to-end encryption is not a panacea; in fact, it may be more akin to putting a steel door on a grass hut," says Randy Vanderhoof, executive director, Smart Card Alliance.

The alliance says that many issuers are already providing contactless payment cards with dynamic cryptograms in order to provide consumers with a fast, convenient way to pay.

But contactless transactions can also improve security because dynamic cryptograms make each payment unique. The chip card must be present to generate a valid cryptogram, which is verified online when the transaction is authorised.

Therefore, expanding use of contactless cards throughout the US payment system would lower fraud because stolen payment information could not be used to make fraudulent cards, argues the group.

In contrast, end-to-end encryption is less secure because it does not end reliance on magnetic stripe cards. Since payment cards would still use static cardholder data for processing, they would remain vulnerable to the primary type of fraud that end-to-end encryption is trying to prevent, which is credit card cloning using stolen data.
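An added example, not from the article or the Smart Card Alliance paper: a simplified model of the dynamic cryptogram check described above, showing why captured transaction data cannot be replayed or reused on a cloned card. HMAC-SHA256 stands in for the card's real MAC algorithm, and the `Issuer` class, message layout, key and card number are constructed assumptions.

```python
import hashlib
import hmac

def cryptogram(card_key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Card side: MAC over a per-card transaction counter, the amount and a terminal nonce."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Online authorization host (hypothetical): knows each chip's key and last counter."""
    def __init__(self):
        self.keys = {}          # card number -> secret key shared with the chip
        self.last_counter = {}  # card number -> highest counter already authorized

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key
        self.last_counter[pan] = 0

    def authorize(self, pan, counter, amount_cents, nonce, presented) -> str:
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        if counter <= self.last_counter[pan]:
            return "DECLINE: counter replayed"
        expected = cryptogram(key, counter, amount_cents, nonce)
        if not hmac.compare_digest(presented, expected):
            return "DECLINE: bad cryptogram"
        self.last_counter[pan] = counter  # advance only after a valid cryptogram
        return "APPROVE"

def demo():
    pan = "4000000000000002"                                   # constructed card number
    key = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed chip key
    n1, n2 = bytes.fromhex("a1b2c3d4"), bytes.fromhex("0badf00d")  # constructed nonces
    issuer = Issuer()
    issuer.enroll(pan, key)
    captured = cryptogram(key, 1, 2500, n1)
    return [
        issuer.authorize(pan, 1, 2500, n1, captured),  # genuine chip, first payment
        issuer.authorize(pan, 1, 2500, n1, captured),  # same data replayed verbatim
        issuer.authorize(pan, 2, 9900, n2, captured),  # clone reusing the old cryptogram
        issuer.authorize(pan, 2, 9900, n2, cryptogram(key, 2, 9900, n2)),  # genuine chip
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A magnetic stripe carries only static values, so the issuer has nothing comparable to the counter and MAC checks to tell a copy from the original.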

Says Vanderhoof: "In our paper we discuss a different approach optimized for the U.S. payment market: using contactless chip cards, including a dynamic cryptogram with each transaction and authorizing transactions online. This stands in sharp contrast to previous considerations of implementing 'chip and PIN' based on the full EMV standard. Instead, this proposal builds on what is already happening in the US - the issuance and merchant acceptance of contactless cards - while keeping in step with globally interoperable EMV standards."

Keywords: CARD FRAUD

Comments: (1)

Mark Bower - Voltage Security - Cupertino | 14 September, 2009, 19:16

End to End Encryption is not in conflict with smartcard models - in fact, they are achieving the same end-game which is to protect data from attackers along the payments stream from the moment of capture.

However, whilst chip cards certainly have a role to play, the bottom line is that many systems around the world have clear credit card data - from POS systems to in house merchant databases, loyalty schemes, e-commerce systems where it's not easy to use a smartcard, recurring payments and so on - least of which the US payment systems have not yet upgraded to chip based systems. Chip and PIN has also focused on cardholder verification - whilst the threats today are acutely targeted at bulk card data repositories and processing environments.

The pure costs of migrating entire POS processing systems and the cardholder wallet of plastic mag stripe cards cannot be ignored in contrast to much easier to implement end to end encryption technology.

For example, upgrading an entire system to chip and PIN requires substantial hardware and software updates to multiple independent systems which can take many years. In contrast, we have successfully deployed End to End technology in less than 60 days with merchants and payment processors.

So, I see a future where both end to end encryption and chip and PIN can embrace and mitigate the risk of data threats - but end to end can solve major risk problems on an immediate basis as has been proven in production noted in the article.

Regards,
Mark Bower
Vice President, Product Management
Voltage Security
