The Green Sheet Online Edition
September 28, 2009 • Issue 09:09:02
SCA proposes alternative to end-to-end encryption
A new report from the nonprofit Smart Card Alliance proposes an alternative system to end-to-end encryption (touted by some as the closest thing to a cure-all) for shoring up the payments industry's embattled security networks.
The SCA's research paper, End-to-end Encryption and Chip Cards in the U.S. Payments Industry, makes the cryptography used in contactless payment acceptance technology the cornerstone of its envisioned makeover.
"We're seeing more and more discussion in the media around, and calling for, end-to-end encryption as a way to address this problem," said Randy Vanderhoof, Executive Director of the alliance.
"We wanted to put the thought out there that end-to-end encryption should be looked at, but along with all types of technological approaches. The fundamental problem in the United States is the reliance on the magnetic stripe.
"Encryption's not going to stop the stealing of cardholder data. We feel it doesn't fully address the problem; it only adds another layer of security in an already insecure network."
Using dynamic data
While end-to-end encryption focuses on safeguarding sensitive card data while it travels through the payment chain, the SCA's proposal would change the way data is managed before it enters a POS network.
The position paper calls for replacing the magnetic stripes on payment cards with chips that generate "dynamic data" - in this case, a card verification value (CVV) code (typically, the three- or four-digit number on the back of a credit card) that changes after every transaction. Thus, once payment data has entered a network, it is rendered valueless for any subsequent transaction, theoretically keeping it safe even if it is stolen.
"When a transaction goes out ... for authorization and for clearing, it's got this dynamic cryptogram attached to it," Vanderhoof said. "The system is intelligent enough that if it sees that same value a second time, it knows the only way that value could have been created is if there was a clone of the original transaction. So it's a self-policing system. ... If someone tries to harvest a transaction and replay it, it's going to be rejected."
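As an added illustration of the replay check described above (not code from the SCA paper or from the article), the following Python models a chip that derives a fresh CVV from a transaction counter and an issuer host that recomputes the value and refuses any counter it has already accepted. The HMAC-over-counter construction, the per-card key, the PAN and the message layout are assumptions made for the example; the paper as reported here does not specify how the dynamic value is produced.

```python
import hashlib
import hmac

# Constructed sample values (not from the SCA paper): a per-card key shared
# by the chip and the issuer, and a test PAN.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4111111111111111"


def dynamic_cvv(card_key: bytes, pan: str, counter: int, digits: int = 4) -> str:
    """Derive a per-transaction CVV from a transaction counter.

    Assumed construction for illustration: truncate an HMAC-SHA256 over the
    PAN and counter to `digits` decimal digits. The article does not say how
    the dynamic value is generated in the proposed system.
    """
    msg = pan.encode("ascii") + counter.to_bytes(4, "big")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Chip:
    """Card side: keeps a monotonically increasing transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key
        self.atc = 0

    def transaction(self) -> tuple[str, int, str]:
        """Produce what a terminal would forward: PAN, counter, dynamic CVV."""
        self.atc += 1
        return self.pan, self.atc, dynamic_cvv(self.key, self.pan, self.atc)


class Issuer:
    """Host side: recomputes the CVV and declines any counter already consumed."""

    def __init__(self):
        self.keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key
        self.last_counter[pan] = 0

    def authorize(self, pan: str, counter: int, cvv: str) -> tuple[bool, str]:
        key = self.keys.get(pan)
        if key is None:
            return False, "unknown card"
        # Replay check: a counter at or below the last accepted one means the
        # same authorization data is being presented a second time. A real
        # issuer would usually tolerate a small window for out-of-order arrival.
        if counter <= self.last_counter[pan]:
            return False, "replay"
        expected = dynamic_cvv(key, pan, counter)
        if not hmac.compare_digest(expected, cvv):
            return False, "bad cryptogram"
        self.last_counter[pan] = counter
        return True, "approved"


def demo() -> dict[str, tuple[bool, str]]:
    """One genuine purchase, a verbatim replay, a second genuine purchase,
    and a harvested CVV presented with a fresh counter."""
    issuer = Issuer()
    issuer.enroll(PAN, CARD_KEY)
    card = Chip(PAN, CARD_KEY)

    first = card.transaction()
    results = {"genuine_1": issuer.authorize(*first)}
    # The same authorization data presented a second time.
    results["replay"] = issuer.authorize(*first)
    # The legitimate card's next transaction still goes through.
    results["genuine_2"] = issuer.authorize(*card.transaction())
    # A harvested CVV reused with an unused counter: the value does not verify.
    pan, _atc, harvested_cvv = first
    results["forged_counter"] = issuer.authorize(pan, card.atc + 1, harvested_cvv)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15} {'APPROVED' if ok else 'DECLINED'} ({reason})")
```

The point the model makes concrete is that a harvested record is useless on its own: replaying it trips the counter check, and pairing its CVV with a new counter fails verification because the value was bound to the counter it was issued for. The same host logic also declines stripe-style static data, since a static CVV never advances the counter.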
Among the paper's most prominent considerations is cost, Vanderhoof said, adding that the proposal is designed to minimize the expensive overhauling of existing payment networks. The proposed system is loosely modeled on the chip and PIN payment systems used throughout Europe and Latin America, except that it would not require a PIN, using the dynamic CVV in its place.
In the United States, "most discussions have been focused on implementing the full EMV [Europay, MasterCard and Visa] chip and PIN," he said. "The main obstacle is the tremendous cost to replace all the terminals and cards. Our position is we don't need to implement the full chip and PIN to gain protection."
Vanderhoof also said Europe's chip and PIN system has a design flaw that a system of contactless payments with a dynamic CVV would remedy. Under the EMV system, cards contain both a chip and the magnetic stripe (for ATM transactions and use in non-EMV countries).
According to Vanderhoof, chip cards are next to impossible to replicate; however, criminals can skim information from the magnetic stripe which - though it doesn't work for chip card transactions - can be used to create counterfeit magnetic stripe cards for use on conventional payment terminals.
While such terminals are rare or defunct in many European countries, criminals in those regions simply ship stolen data to countries where it's easier to use.
"No one's figured out a way to create a fraudulent chip card," Vanderhoof said. "What they are doing is capturing that data and then creating fraudulent mag stripe versions of the card, which are accepted in places that still accept mag stripe cards.
"In the U.K., fraud in terms of merchant transactions has gone down considerably, but overall fraud hasn't gone down because they're still skimming that account card data and exporting that to places like the U.S., where they can create fraudulent U.K. bankcards that run off the mag stripe."
Depends on contactless technology
The alliance proposal does depend on the widespread - ideally, universal - implementation of contactless card payment acceptance devices. Unlike most conventional swipe modules, contactless terminals already have the cryptographic technology required by the dynamic CVV feature; relying only on contactless technology also removes the need for a magnetic stripe like the one still carried on EMV cards, from which card information is more easily compromised.
Vanderhoof said the hope is that contactless technology - aided, perhaps, by the long-awaited deployment of near field communication-enabled cell phones - will continue to proliferate and eventually dominate the POS market.
With contactless payment acceptance technology in place, implementing the chip card system will require only that the cards themselves be substituted for the existing magnetic stripe cards.
Because virtually all payment processing in the United States is done online, "issuers can use a lower-cost chip to implement contactless transactions," as opposed to a place like Europe, where "they have to utilize a larger and more expensive chip because they have to manage the offline transactions as well," Vanderhoof said.
Tim Cranny, Chief Executive Officer of Panoptic Security Inc., a consulting firm that specializes in guarding payment systems, said data security will continue to be an evolving struggle no matter what is proposed, but thinking beyond end-to-end encryption is important.
"I absolutely agree that end-to-end encryption is not a silver bullet that solves these problems completely," he said. "And I do agree that what [the SCA is] proposing complements encryption in a number of ways.
"I do think people need to be cautious not to think that this becomes the silver bullet and removes the need for encryption and so on. Encryption is used as part of this solution; they're not two unrelated worlds."