
Lockstep applies PKI to EMV smartcards to tackle card-not-present fraud

09 February 2009

Card-not-present fraud incidents are growing, and many companies are trying to address this area of fraud. While EMV smartcards are commonly deployed with unconnected readers to generate one-time passwords, Lockstep's Stepwise is the first to fully exploit public key cryptography in chip devices. Thanks to its modifications to the traditional digital signature approach, and its use of a connected card reader, it is inherently resistant to man-in-the-middle attacks.

Stepwise encapsulates customer reference numbers, identifiers, biometrics or any other personal ID, and seals them cryptographically into a chip. The chip can be a smartcard, a SIM or a dedicated USB key. Each identifier is isolated, stripped of all extraneous personal detail and linkages, and placed under the sole control of its owner. Stepwise ensures that when any identifier is presented online, the receiver knows that it is legitimate, that it came from a genuine security device, and that it was used with consent.

Stepwise involves a standard digital certificate, issued to a chip held by the user and signed by a business with whom the user has a trusted relationship, such as a bank, a health body, a licensing authority or a government agency. The Stepwise certificate declares that someone with a certain identifier is associated with a public key carried on a particular chip device, without revealing who that someone is. The individual remains anonymous to all third parties, unless and until they present their chip.

When a transaction is digitally signed using a Stepwise certificate, the transaction data is indelibly bound to the Stepwise encapsulated identifier but contains no other identifying information.
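The three paragraphs above describe a small protocol: a bank issues a certificate that binds a bare identifier to the public key on a chip, the chip signs the transaction data, and the merchant verifies the signature and the certificate chain without calling any authentication server. The following Go program is an added illustration of that flow using only the standard library; it is not Lockstep's code, and the issuer name, the identifier `CUST-000123`, the transaction string and the choice of P-256 ECDSA with the identifier carried in the certificate's `serialNumber` attribute are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chip models a key-holding device (EMV card, SIM or USB key) and its certificate;
// the issuing bank's CA is modelled the same way. Constructed for this example.
type Chip struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// certify generates a P-256 key for a new chip and has issuer sign tmpl over it
// (self-signed when issuer is nil). Setup code panics rather than returning errors.
func certify(tmpl *x509.Certificate, issuer *Chip) *Chip {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Chip{Key: key, Cert: cert}
}

// NewIssuer creates the bank's self-signed root CA; merchants are configured to trust its Cert.
func NewIssuer() *Chip {
	return certify(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bank Stepwise CA (constructed)"},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// Personalise certifies a new chip under the issuer. The subject carries only the
// bare identifier: no name, address or other personal detail.
func (issuer *Chip) Personalise(identifier string) *Chip {
	return certify(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{SerialNumber: identifier},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, issuer)
}

// SignTransaction runs on the chip via the connected reader: an ECDSA signature over
// the SHA-256 digest of the exact transaction data the user saw.
func (c *Chip) SignTransaction(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, c.Key, h[:])
}

// VerifyTransaction is the merchant-side check and needs no authentication server:
// the presented certificate must chain to the trusted root and the signature must
// cover exactly the received data. It returns the encapsulated identifier only.
func VerifyTransaction(data, sig, certDER []byte, root *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(data)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("signature does not match transaction data")
	}
	return cert.Subject.SerialNumber, nil
}

func main() {
	bank := NewIssuer()
	card := bank.Personalise("CUST-000123") // constructed identifier
	data := []byte("order=9981;amount=42.00;currency=AUD")
	sig, _ := card.SignTransaction(data)
	fmt.Println(VerifyTransaction(data, sig, card.Cert.Raw, bank.Cert))
}
```

Two properties from the article are visible in the code: the merchant learns only the identifier in the certificate subject, and because the signature covers the transaction bytes themselves, any change to the amount or order between the reader and the merchant makes `VerifyTransaction` fail, which is the man-in-the-middle resistance the article claims. A certificate from a chip personalised by a different issuer also fails, since its chain does not reach the root the merchant trusts.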

Lockstep currently has customers evaluating Stepwise as a standalone deployment for merchant shopping carts, where it displaces the collection of data such as full name, billing address and CVV2, produces a fast and easy user experience, and is technically simpler for merchants to integrate because it requires no authentication server. It is also being evaluated as a technology to integrate with MasterCard 3D Secure.

Finextra verdict: By finding a new application for digital certificates in an e-commerce and financial services context, Lockstep's approach will likely appeal to retailers and processors alike, who are under constant pressure to maintain the security of the data they hold about customers. If they no longer have to retain such volumes of data, they will save significant effort and resources currently expended trying to keep it secure.

Comments: (2)

Nick Collin - Collin Consulting Ltd - London | 18 June, 2009, 10:57

While I applaud the principles of Lockstep's approach, I don't understand the need to introduce another PKI when there is already one embedded within the EMV chip, and used by Remote Chip Authentication with handheld readers. Surely this is a much more practical approach, or am I missing something?

Stephen Wilson - Lockstep Group - Sydney | 03 August, 2009, 00:01

Nick, the advantages of Stepwise over CAP include (1) it's faster to process at the merchant server, with no need for a third party authentication server, (2) it's far easier to use because there's less data entry and no re-keying from the CAP reader to the browser, and (3) it's more powerful and flexible because we create real signatures over the transactions. The incremental cost of the 'extra PKI' is very small; if the Stepwise certificates chain via the issuing bank to a recognised Root CA, then the PKI is actually already in place; all we need to do is personalise the EMV DDA cards with an extra Stepwise key and certificate. CAP is a clever stop-gap solution, and it was strategically important because it showed how EMV cards could be used online, but the best long term solution is genuine transaction signing using integrated card readers, so e-shopping becomes as natural and secure as regular POS.
