Smart Card Alliance slams end-to-end encryption

14 September 2009  |  11513 views  |  1 Security/Risk

The US payments industry should use contactless chip cards along with dynamic cryptograms - rather than end-to-end data encryption - in the fight against fraudsters, according to an industry association.

In a new paper, the Smart Card Alliance says the flurry of interest in end-to-end encryption systems that has emerged in the wake of high-profile breaches, such as the Heartland case, is misguided.

"Implementing end-to-end encryption is not a panacea; in fact, it may be more akin to putting a steel door on a grass hut," says Randy Vanderhoof, executive director, Smart Card Alliance.

The alliance says that many issuers are already providing contactless payment cards with dynamic cryptograms in order to provide consumers with a fast, convenient way to pay.

But contactless transactions can also improve security because dynamic cryptograms make each payment unique. The chip card must be present to generate a valid cryptogram, which is verified online when the transaction is authorised.

Therefore, expanding use of contactless cards throughout the US payment system would lower fraud because stolen payment information could not be used to make fraudulent cards, argues the group.

In contrast, end-to-end encryption is less secure because it does not end reliance on magnetic stripe cards. Since payment cards would still use static cardholder data for processing, they would remain vulnerable to the primary type of fraud that end-to-end encryption is trying to prevent, which is credit card cloning using stolen data.
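The difference between static card data and a per-transaction cryptogram can be shown with a small model. This is an added example, not code from the Smart Card Alliance paper or from any card scheme: the HMAC-SHA256 construction, the counter, the class names and the card number are all constructed assumptions standing in for the real card algorithms.

```python
import hashlib, hmac, secrets

def _mac(key, pan, amount, counter):
    # Assumption: HMAC-SHA256 stands in for the card's real cryptogram algorithm.
    msg = f"{pan}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Model card: the key stays on the chip, the counter rises per payment."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount):
        self._counter += 1
        return {"pan": self.pan, "amount": amount, "counter": self._counter,
                "cryptogram": _mac(self._key, self.pan, amount, self._counter)}

class Issuer:
    def __init__(self):
        self._keys, self._last_seen = {}, {}

    def issue_card(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        self._last_seen[pan] = 0
        return ChipCard(pan, self._keys[pan])

    def authorise(self, txn):
        key = self._keys.get(txn.get("pan"))
        if key is None:
            return "decline: unknown card"
        expected = _mac(key, txn["pan"], txn.get("amount"), txn.get("counter"))
        if not hmac.compare_digest(expected, txn.get("cryptogram", b"")):
            return "decline: invalid cryptogram"
        if txn["counter"] <= self._last_seen[txn["pan"]]:
            return "decline: cryptogram already used"
        self._last_seen[txn["pan"]] = txn["counter"]
        return "approve"

def demo():
    issuer = Issuer()
    card = issuer.issue_card("4000000000000002")  # constructed test card number
    first = card.pay(1250)
    stolen_static = {"pan": first["pan"], "amount": 1250}  # data only, no chip
    return [issuer.authorise(first), issuer.authorise(first),
            issuer.authorise(stolen_static),
            issuer.authorise({**first, "amount": 99999}),
            issuer.authorise(card.pay(1250))]

if __name__ == "__main__":
    print(demo())
```

Captured transaction data is declined when replayed or altered, and the card number on its own cannot produce a cryptogram; only the chip, which holds the key, yields a second approval.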

Says Vanderhoof: "In our paper we discuss a different approach optimized for the U.S. payment market: using contactless chip cards, including a dynamic cryptogram with each transaction and authorizing transactions online. This stands in sharp contrast to previous considerations of implementing 'chip and PIN' based on the full EMV standard. Instead, this proposal builds on what is already happening in the US - the issuance and merchant acceptance of contactless cards - while keeping in step with globally interoperable EMV standards."
Keywords: CARD FRAUD

Comments: (1)

Mark Bower - Voltage Security - Cupertino | 14 September, 2009, 19:16

End to End Encryption is not in conflict with smartcard models - in fact, they are achieving the same end-game which is to protect data from attackers along the payments stream from the moment of capture.

However, whilst chip cards certainly have a role to play the bottom line is that many systems around the world have clear credit card data - from POS systems to in house merchant databases, loyalty schemes, e-commerce systems where it's not easy to use a smartcard, recurring payments and so on - least of which the US payment systems have not yet upgraded to chip based systems. Chip and PIN has also focused on cardholder verification - whilst the threats today are acutely targeted at bulk card data repositories and processing environments.

The pure costs of migrating entire POS processing systems and the cardholder wallet of plastic mag stripe cards cannot be ignored in contrast to much easier to implement end to end encryption technology.

For example, upgrading an entire system to chip and PIN requires substantial hardware and software updates to multiple independent systems which can take many years. In contrast, we have successfully deployed End to End technology in less than 60 days with merchants and payment processors.

So, I see a future where both end to end encryption and chip and PIN can embrace and mitigate the risk of data threats - but end to end can solve major risk problems on an immediate basis as has been proven in production noted in the article.

Regards,
Mark Bower
Vice President, Product Management
Voltage Security
