Can a new Visa specification break barriers to dynamic security codes?
The technology to provide a changing CVV code on the back of a plastic payment card for safer use online has been available for years, but the ability of a processor's server in the U.S. to authenticate it has sometimes been a hangup.
Idemia contends it has fixed this problem via Motion Code cards that are easier for banks to deploy because Visa's new dCVV2 specification code has the ability to authenticate the Motion Code algorithms. The Motion Code essentially replaces a static printed CVV2 code with a mini screen that automatically generates a refreshed code through an algorithm.
The development through the Visa standard eliminates the need for an issuing bank to integrate a dedicated server for an Idemia Motion Code card, thus putting a dynamic CVV2 payment card in the hands of customers sometimes in a matter of hours, rather than days or even months, said James Sufrin, senior vice president of sales for North America financial institutions at Idemia.
Idemia formerly operated as OT-Morpho and Oberthur Technologies, a company that specializes in card payment technology and manufacturing. It has distributed Motion Code cards in Europe and Asia and is looking to more quickly deploy the technology in the U.S. and other parts of the world, particularly through Visa issuers.
"There is no real technical hurdle here, but rather in how the technology is set up when establishing BIN tables and PAN tables between the issuer and Visa," Sufrin said. "From our perspective now, to personalize a Motion Code card, it's a done deal that will no longer take days to complete."
When operating as Oberthur, Idemia began talking about the Motion Code technology more than two years ago as a key safeguard for events like Cyber Monday.
Oberthur had acquired NagraID, a display card specialist, in late 2014, starting the wheels churning toward a product that could address the growing concern of card-not-present fraud. Ultimately, a dynamic card verification value technology was moving quickly to what Oberthur would brand as Motion Code.
It was a new push for dynamic CVV2 codes, after a company called Dynamics Inc. first introduced an option for card users to press a button on a card to change the codes. Dynamics had been testing dynamic CVV2 cards since 2010 that never made it out of pilot.
"So far it has been a bit of a challenge to get processors to have something on the server end to receive, validate and authorize the dynamic code," Sufrin said. "We have had interest and momentum on the issuer side, and Visa has met this challenge to find a solution on the processor server side."
The primary use case for a Motion Code card remains to thwart fraud when conducting card-not-present transactions, but Idemia has found it important for banks to understand the entire cost of fraud from all angles.
"From a bank perspective, even if they are not paying back all of the e-commerce fraud themselves, there is a host of other costs associated with reissuing a card," Sufrin said. "There are lost clients and lost reputation."
Even though the prospect of halting online fraud can save issuing banks a lot of money, it is not an inexpensive procedure to issue a Motion Code card, depending on volume. But generally, banks can expect a card with a dynamic CVV2 code to cost up to 10 times more than issuing a chip card, Sufrin said.
The premise of helping banks keep their customers and their own reputations safe has brought other competitors into the market, including Tender Armor and its CVV+ technology.
CEO Madeline Aufseeser launched her new company onto the e-commerce security landscape last year in hopes it would resonate with issuers seeking a less expensive way to deliver dynamic code technology.
"Our solution does not require the reissuance of a card, as the consumer can tie multiple cards through one CVV+ system, providing one code across multiple accounts," Aufseeser said. "And the consumer can choose how often the code rotates."
Last year, prepaid card issuer InComm revealed its intention to work with Tender Armor to incorporate its CVV+ code on InComm prepaid cards, looking to stymie what had been a slowdown in the adoption of reloadable prepaid cards and stand out with a new security model.
Overall, financial institutions are finally coming around to the notion that e-commerce fraud expense has to include what happens to the cardholder account and that customer's relationship with the bank, Aufseeser said. In that regard, any type of technology that prevents fraud, as opposed to simply detecting it, is resonating more with banks, she added.
Idemia is seeing the same sort of momentum shifting toward stronger security layers.
"We believe cardholders are interested in this, or they can be, but not everyone has the same view of fraud exposure and risk," Idemia's Sufrin said.