In the early days of e-commerce, banks tried a variety of approaches to protect consumers’ payment card numbers in cyberspace, including card readers that plugged into computers.
Most of these offerings failed because of the inconvenience of storing and managing a plug-in tool for the sake of protecting against keyloggers and little else. Other efforts included one-time password tokens and virtual account numbers, which similarly introduced friction to the online shopping process.
Bank of America still supports its ShopSafe service, launched about a decade ago, enabling customers to create a temporary credit card number for e-commerce, but it requires several steps and periodic renewal; Citibank also continues to support a similar service for using virtual account numbers. Neither service receives much attention these days, as banks and merchants push to streamline the consumer’s online checkout experience by handling fraud management behind the scenes.
But with the rise of online card fraud and the availability of new EMV and encryption technology, a San Mateo, Calif.-based startup sees an opportunity to combine these new tools with a card reader called Chip Shield.
The palm-size device works with any EMV credit or debit card and connects to a desktop computer via a USB port. It can also connect to a mobile phone's audio jack to provide extra security for consumers while shopping or banking online, said David Marsyla, Chip Shield’s founder and CEO.
Chip Shield leverages the encryption technology in EMV cards to create a private key signature to use with e-commerce sites and bank accounts when a chip card is inserted into the reader. The device automatically injects payment information into a website’s checkout page, bypassing the need to manually enter that data.
One of the problems Chip Shield attacks is the risk of keylogging viruses, which can lift users’ passwords. “The weakness of any software approach is that they require a single master password to unlock your data, and if that password is compromised by a virus, hackers can see all your data,” Marsyla said.
The encryption key Chip Shield creates from the user’s chip card serves as the user’s password, he explained.
Users must first enroll through their bank, and Marsyla hopes to interest banks in offering the $20 Chip Shield reader to customers as an added value. He also says Chip Shield could revive consumer interest in banks’ existing virtual account number services.
“We’re trying to make it easier for consumers to use ShopSafe and other virtual account numbers, by integrating support directly into their product with our card reader,” Marsyla said.
Banks that have integrated with the payment card networks’ tokenization systems to work with Apple Pay, Android Pay and Samsung Pay also could use Chip Shield to streamline the setup process for those mobile wallets, Marsyla said.
“Banks’ card-tokenization processes are very similar to the virtual account number approach already used by BofA and Citi, but there is really no way to access them from the desktop,” he said. “And even if you could access them to request a new account number, they usually require extended authentication, like what’s required to add a card through Apple Pay (calling bank or confirming via text).”
Chip Shield also could be used to replace the use of RSA SecurID hardware tokens for bank customers who use those devices for sensitive operations such as wire transfers, Marsyla said.
A number of banks at Finovate in New York this month expressed interest in various use cases for Chip Shield, said Marsyla, a seasoned startup veteran who co-founded DeviceAnywhere, a mobile device-testing service acquired by Keynote Systems for $60 million in 2011.
But one analyst who watches online fraud closely sees dim prospects for any external device designed for the consumer checkout process.
“I’m skeptical of anything that requires cardholders to change their behavior in the name of security,” said Julie Conroy, research director at Aite Group. “While most consumers will give lip service to caring about security, we rarely see that translate into willingness to take action, since consumers don’t have any skin in the game thanks to the zero-liability policies of the card networks.”
Many European banks required external devices to enter payment card credentials when card-not-present fraud spiked a decade ago following Europe’s EMV migration, Conroy noted. But the add-on devices had a chilling effect on e-commerce, according to reports.
Marsyla counters that banks in Europe required the devices for consumers primarily to protect merchants from losses; Chip Shield protects consumers from merchants--or thieves--mishandling their data.
In surveys, U.S. banks expressed no interest in introducing an additional device to the online checkout process, Conroy said. “Banks said there was not a chance they’d add a USB device for online transactions, because it represents too much friction.”
There may be a group of highly security-conscious consumers interested in Chip Shield, Conroy said, but she expects its appeal will be limited. “I don’t see mass-market consumers willing to make that behavioral shift,” she said.