A security start-up company says it has developed a way to block card skimming at the point of sale for payment cards that have embedded chips.
Miri Systems LLC says its technology goes further than other security measures for contactless cards, which typically create a one-time-use code that is used to authorize transactions along with cardholders' account numbers. Visa Inc. calls this system dynamic card verification value; MasterCard Inc. refers to it as card verification code.
These codes make it difficult to reuse any skimmed card data, but Grant Neerings, the Charlotte company's chief operating officer, said the technology is insecure because merchants get access to consumers' account numbers.
"As long as you use a static number" to identify the card account, "you're subject to fraud," he said in an interview Friday.
(A MasterCard spokeswoman said Monday that the current format uses account numbers, but does not include cards' expiration dates or other information that would be necessary for fraudulent transactions.)
Mr. Neerings compared his system to that of Orbiscom Inc., which works with several card networks to provide one-time-use account numbers online.
Miri's version applies this idea to the point of sale by letting chip cards create a one-time-use account number for merchants.
The issuer or the card association would decode the number; the merchant would never see the real account number, and if a merchant's systems were breached the one-time-use numbers would have little value to criminals.
Miri is talking with several top card issuers, Mr. Neerings said, but has no customers yet. When a bank signs on, it would take about six months to deploy. Miri plans to charge on a per-transaction basis for the technology's use.
The company is aiming at contactless payment cards in this country, and the idea could also be used abroad with chip cards that use the Europay, MasterCard, Visa (EMV) security format. Mr. Neerings said that, eventually, it could also be installed in mobile phones that can handle payments.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that the concept could be a tough sell.
"It's not a bad idea," she said. "I can understand the value of it. It's just that ... it's ahead of its time and there are too many other competing initiatives."
Banks could improve security in the United States by using the EMV format, which has the advantage of being in use today in other countries, she said.
And since Miri's system does not work with standard, magnetic-stripe cards, its best chance for widespread adoption would come only if contactless cards become widely used, she said. But "most merchants are reluctant to take contactless unless they're going to make money off it," she said.
Businesses that accept contactless cards, such as fast-food restaurants and convenience stores, are seeking to replace cash transactions instead of improving card security, she said. If contactless payments become more widespread, or the card associations adapt dynamic CVV to work with other payment systems, criminals would have less reason to steal a card number in the first place, she said.
"The value of the card number's a lot lower if everybody's using a dynamic password with it," she said.