With EMV cards fighting counterfeit fraud at the point of sale, Gemalto Inc. says the timing is perfect to launch a payment card with a dynamic verification code to provide a similar improvement to e-commerce security.
Gemalto's dynamic code displays on the back of a plastic card and changes every 20 minutes, giving card-not-present security a boost at a time when e-commerce merchants are expected to absorb the fraud that EMV deflects from the point of sale in the U.S.
Even though others have tried dynamic codes on plastic cards in the past with limited success, the French digital security provider is banking on its scale and ability to promote technology to its bank customers.
While tokenization is a valuable technology for improving e-commerce security, dynamic code verification, or DCV, is another important step, said Philippe Benitez, vice president of business development for Gemalto, Inc.
Tokenization protects the account number by replacing it with a dummy number, whereas "DCV is aimed at securing card-not-present transactions in a way that doesn't change how transactions are routed or accepted at the merchant site," Benitez said. "The only change required is for banks to be able to verify this changing DCV on the back of the card through a hardware module that Gemalto supplies."
The DCV on the back of the payment card is shown in an electronic ink display, updating the three-digit code every 20 minutes "by the logic and processors in the card," Benitez added.
In addition to the DCV window on the back of a physical card, Gemalto is also launching the technology through mobile banking apps. A consumer shopping online through a mobile device can go to the DCV function of the bank's app to get the current card code for a transaction.
The development of a payment card that could operate more securely in the card-not-present environment is not a new concept, but banks have been reluctant to invest in the technology due to the cost it adds to printing cards. The cost may be even more of a barrier for banks that just paid to reissue their entire portfolios with EMV chips.
Oberthur Technologies launched a similar dynamic code for payment cards with fraud prevention technology from NagraID, a company Oberthur acquired a month before the product's release in October 2014.
Any technology that relies on a dynamic authenticator "is a big step up over static technologies," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
But Gemalto will face the same challenges others have faced in reaching for ubiquity with a new technology, Conroy said.
"I've talked to issuers in the past about this, and the big incremental cost was a business-case killer," Conroy said. "Issuers have tested for some niche business cases such as commercial cards or high net worth, but for mass use, the cost is often prohibitive."
Issuers aren't currently bearing the liability in the majority of card-not-present transactions, unless 3-D Secure is being used, making the business case even harder for adding dynamic verification methods, Conroy added.
3-D Secure, which was launched by Visa and adopted by other major brands, provides online security through extra password codes; the standard is evolving to include dynamic data as well.
But Benitez says rolling DCV cards into a portfolio is "not a huge expense for the bank to invest in on the card side or the mobile."
It is common, however, for banks introducing DCV to do so first with a certain segment of cardholders or those who are most active with online shopping or mobile banking, Benitez added. "There is an expense because it is a service and new technology that they would have to put into place."
The biggest hurdle for adoption to any card-not-present technology is "the inertia banks have in adding features to their own banking app or changing a card program and getting it into their IT pipelines," Benitez said. Some banks move quickly, others do not, he added.
DCV is compatible with contactless cards, chip cards and through mobile wallets, which will give consumers "an additional layer of confidence when going online," Benitez said.