According to a report by the Association of Certified Fraud Examiners, companies around the world lose $3.5 trillion to fraud each year, with the average organization losing 5% of its revenue annually. Stakeholders in the payments domain are working on new ways to secure transactions. Traditional payment methods and tools are evolving into more secure forms, and some notable companies are contributing to the transition to new, highly secure payment technologies.
Here are some advancements in the payments domain that cannot go unnoticed:
From simple plastic cards to interactive cards
Traditional debit and credit cards simply display the card number on the front and the CVV number on the back. But what about cards with dynamic elements that make them more interactive and, from the user's standpoint, more secure?
Mastercard had collaborated with Dynamics Inc, an interactive payment cards maker. The interactive payment cards are built with features such as buttons, displays, and LEDs. The cards store multiple applications while remaining compatible with existing POS terminals. For security, these interactive payment cards include a display and a keypad. When a consumer enters the correct unlocking code using the card's buttons, the payment card number is shown on the display (for online use) and is written to the stripe (for in-store use).
Oberthur, a digital security firm, had acquired Nagra ID, which produces multi-component and other forms of complex cards for the security and identification industry. The card products in Nagra ID's portfolio come with interactive buttons in the form of a keypad. The cards also come equipped with digital displays on the front and back. The display on the front can be used to show an OTP generated at runtime, while the back display can be used to show a dynamically generated CVV.
From magstripe to EMV
The traditional way to use a payment card at the point of sale has been to swipe its magnetic stripe through a compatible reader. Such cards face risks such as card cloning and theft of card information, which can be extracted from the magnetic stripe by simple means. Cards have since evolved and now come embedded with an integrated circuit chip to boost card security.
EMV chip cards are based on a global standard developed by Europay, Mastercard, and Visa as a major security update to traditional magstripe cards. 2.37 billion chip cards have already been issued worldwide, according to EMVCo’s EMV Chip Deployment Statistics. Also called integrated circuit cards, the chip cards come integrated with a computer chip for enhanced security.
47% of all card fraud occurs in the US, as per a Nilson report. 2015 will bring a new way to pay in-store for many US consumers, with 600 million new EMV chip cards expected to reach their wallets and increasing acceptance of the cards at retail stores. An EMV mandate has been issued in the US, which requires merchants to support chip cards at the point-of-sale by October this year in order to avoid fraud liability. Developers of POS systems such as Square are taking advantage of this mandate to come up with EMV-based products.
From providing card data to using a ‘token’
Why provide payment card information when you can transmit the details in the form of tokens? Tokenization is an alternative security technology that converts the traditional card data, including the Primary Account Number (PAN), into a token. A token is just a number whose only function is to point to the original card data, which is stored in a secure host called the Token Vault. Once the transaction is complete, the token is canceled.
Mobile payment systems usually require a Trusted Service Manager. This new token scheme turns Visa, Mastercard, and Amex into TSMs and enables payments in the OS. The company Zooz provides a solution where an online merchant or app publisher executes the script to initiate a customer's payment process. The code gets a token back which is passed back to the client. This is where the actual payment screen appears for the user. The system is made very secure by tokenization.
The concept of tokenization has been further popularized in recent months since its adoption by Apple Pay.
From hardware SE (secure element) to HCE
With the release of Android 4.4, Google introduced new platform support for secure NFC-based transactions through Host Card Emulation (HCE) for payments, loyalty programs, card access, transit passes, and other custom services. With HCE, any app on an Android 4.4 device can emulate an NFC smart card, letting users tap to initiate transactions with an app of their choice. Apps can also use a new Reader Mode so as to act as readers for HCE cards and other NFC-based transactions.
There are a number of ways in which additional security layers can be added to HCE-based mobile payments, such as white-box cryptography, obfuscation of programming code (security through obscurity), use of a TrustZone, and further securing the communication channels between the device and the server such as (layered) encryption, mutual authentication and use of dual channels. Instead of storing the card data in the hardware-based SE, ‘tokens’ are downloaded to the device and used to complete the transaction at the point of sale (POS).
PCI-certified Point-to-Point Encryption (P2PE) payment technology
With P2PE, transactions are entirely encrypted before they even enter the merchant’s location, essentially removing cardholder data from the merchant’s POS and network. The decryption of this data is not possible until the data has reached a hardware security module (HSM) outside of the merchant or enterprise’s environment.
Any solution provider can claim to offer point-to-point encryption, but not all P2PE solutions are the same. Only solutions that have been audited and validated to conform to the rigorous scrutiny of the PCI standards can offer merchants the peace of mind and transparency that customer data is truly secured. Maintaining compliance with the PCI Data Security Standard (PCI DSS) is a requirement for all merchants who accept credit cards, and failure may result in an array of non-compliance penalties.
Some prominent companies working in this area include Bluefin, Handpoint, and FreedomPay.
Location-based authentication
BillGuard, which comes as a dedicated app for Android and iOS, brought an interesting feature to its app, which uses the phone’s location to alert users of suspicious payment card usage. When users opt in to this service, BillGuard starts keeping track of locations where the user’s card is being used on a regular basis. It can match this data against the location of future transactions and alert users when required. If a transaction is detected from a location you have not been to, BillGuard will make sure you get the alert. Sometimes criminals use stolen card information to make transactions in the same areas as the cardholder to avoid banks flagging them as suspicious. BillGuard’s new feature will even help fight against such scenarios.
Some companies that are contributing to the advancements in payments security through their own innovation:
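A minimal version of this kind of check, comparing where a card was used with where the cardholder's phone was at about the same time, is shown below. It is an added example and not BillGuard's algorithm; the field names, the 50 km radius, the one-hour window and the sample coordinates are all constructed for illustration.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def is_suspicious(txn, phone_fixes, max_km=50.0, window_s=3600):
    """True if the phone was nowhere near the card-present transaction.

    Returns None when there is no phone fix close enough in time, so that
    missing location data is reported as "unknown" rather than as fraud.
    """
    recent = [f for f in phone_fixes if abs(f["ts"] - txn["ts"]) <= window_s]
    if not recent:
        return None
    closest = min(haversine_km(txn["loc"], f["loc"]) for f in recent)
    return closest > max_km


# Constructed sample data: phone location fixes (Unix time, lat/lon).
PHONE_FIXES = [
    {"ts": 1_700_000_000, "loc": (40.7128, -74.0060)},   # lower Manhattan
    {"ts": 1_700_001_800, "loc": (40.7306, -73.9866)},   # 30 minutes later
]
TXN_NEARBY = {"ts": 1_700_000_900, "loc": (40.7580, -73.9855)}    # midtown
TXN_FAR = {"ts": 1_700_000_900, "loc": (34.0522, -118.2437)}      # Los Angeles
TXN_NO_DATA = {"ts": 1_700_100_000, "loc": (40.7580, -73.9855)}   # a day later

if __name__ == "__main__":
    for name, txn in [("nearby", TXN_NEARBY), ("far", TXN_FAR), ("no data", TXN_NO_DATA)]:
        print(name, "->", is_suspicious(txn, PHONE_FIXES))
```

Tightening `max_km` and `window_s` is what lets a check of this shape say anything about fraud committed in the cardholder's own area, at the cost of more alerts when location fixes are sparse.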
Gemalto: The company has been making waves by leveraging its Allynis Trusted Service Manager and its UpTeq NFC UICC embedding for SIM in order to secure contactless payments. The company is a prominent player when it comes to securing NFC-based mobile payments. This has led to a number of companies partnering with Gemalto in order to secure contactless payments:
- NTT Docomo had opted for Gemalto’s mobile NFC services for its 63 million+ subscribers
- Gemalto is securing NFC payment services for 27 banks in Taiwan as launched by Taiwan Mobile Payment Co. (TWMP)
- China Mobile had opted for Gemalto’s secured UICC SIM to launch NFC based transit payments in Beijing
- Gemalto’s trusted service hub helped launch Valyou, Norway's first mobile NFC payment service
HP: HP is looking forward to improving the safety and security of transactions made using mobile devices. The company has upgraded Atalla’s security software to support NFC payment methods. The software already helps merchants process financial data through HP’s Network Security Processor (NSP). With the current upgrade, it can now support payment methods like Apple Pay and other methods like Visa’s cloud-based payments.
The new upgrade will help with the mobile devices which do not have in-built security elements but are able to make mobile payments. With the new upgrades, HP is extending support for EMV payments. To support EMV payments, HP has partnered with Cryptomathic. Cryptomathic is a security solutions provider and will use both HP Atalla and NSP as hardware security modules to protect EMV card data.
The upgraded software would basically provide secure cloud-based payments for mobile devices without the need for a built-in secure element.
Intel: Intel has collaborated with NCR Corporation to develop an end-to-end encryption system for consumer and financial data. Now a combination of Intel Data Protection Technology for Transactions and NCR DataGuard will act as a hardware-software tool to provide a secure encrypted pipeline for personal data on open platforms in retail and financial services. The software part of the solution will run on secure silicon that comes embedded in Intel’s second and third-generation Core processors. The end-to-end solution will protect data right from the moment when information is generated until the point where the encrypted information is processed in secure data centers.
GoNow Technologies: GoNow Technologies, an innovator in developing reprogrammable companion cards for mobile eWallet technology, has been granted a patent for secure storage and two-way communication from a reprogrammable card-based EMV chip and a smartphone-based eWallet. The GoNow Card provides a trusted environment within the card’s Secure Element in which the card issuer(s) can securely encode and store the cardholder’s security credentials as well as the cryptographic keys. The secure information is loaded and stored by the card issuer(s) onto the EMV card when the card is personalized.
When paired with any eWallet application on a smartphone, a single reprogrammable GoNow Card can store more than 50 credit, debit, ATM, loyalty, or gift cards. The user simply selects the payment or other card on the phone eWallet, and the magstripe on the card is instantly programmed with the key data for the card selected. The GoNow Card can then be used at any traditional magstripe, EMV, Dip, ATM, or other readers, with no changes necessary to current retailer terminals or back-office systems.