The fraud fix, as it is becoming clearer, is to take payment card information (account numbers, card verification values and the like) and devalue this data in an effort to make it less relevant to the hackers who seek to harvest and sell it.
But the ways we are developing the fix are not very dissimilar, conceptually. Is there more to this commonality and does this offer us a theme for what we should expect in the technologies that support payment processing through the front lines of the merchants POS systems?
Im going to offer that this may be something were already quite familiar with, and that this technology is fairly easy to demystify. Its just using surrogates for the numbers we use to authorize every transaction, and they are both the problem and the solution. Weve been mostly using them in the clear or unencrypted (for decades!), and this is why we have massive merchant breaches and high rates of card fraud.
Clearly, our processing of these numbers wasnt quite keeping up with the rest of technology as we entered the information age. Tell me, when was the last time you entered a static password without it being hashed out for you? How often are we reminded that the static password is failing us?
We are finding better solutions using technology that are still user-friendly and disrupt the fraud cycle. If we really consider it, any credit card number on a magnetic stripe, the 16-digit pan, is just a pseudo account number that was made a token for an account around 40 years ago, so its fairly long in the tooth.
For starters, the one technology topic on the tip of the tongue of most discussions is around EMV or Chip Cards. So, whats the big deal, weve got a new chip on our plastics; it looks like a SIM card and it works like one. Do we really know how it works?
Some of the industry leaders frequently get it wrong, and I have an idea why its actually pretty complicated behind the scenes.
There are some elements like cryptograms and other super-secret validations (both offline and online) that go on in the background that would frighten most technophiles in terms of their complexity. But rest assured, it works quite well and most of the rest of the world is already done with their deployments, so we can all exhale.
The killer element (as I see it) is the iCVV, a dynamic (it can change with each transaction) electronic version of that 3-digit code, and it can only be used with a chip transaction, where the cardholder is present at the merchants point of sale.
If a bad CVV is used, the issuer will typically decline the transaction. Voilà, weve (mostly) fixed card present fraud when the transaction processes on the chip! Yet, the argument is that this isnt a silver bullet because it doesnt fix card not present fraud. Or worse, it shifts the fraud there and I can counter that.
So what might be the chip equivalent for card not present? Were still waiting for that standard to be released by the authors of the chip card, EMVCo, but there are some encouraging signs coming out of the industry.
I keep seeing attempts to pioneer a dynamic CV2 out of the industry, an algorithm that changes the CV2 every few minutes or hour, pop up as a potential solution. So imagine that there is a second chip embedded in the card, and this chip changes the CV2 on an LCD window. This is a potential solution emerging in Europe where some banks are already piloting the technology.
Tokenization is now most famous with Apple Pay and is much the same; we have a token thats placed on the device that is used as a surrogate for the card number (PAN). In any event, its removed the PAN from the transaction and thus, divorced itself from the capacity to be harvested and reused outside of the device on which it resides. This is the equivalent of the hashing the password, but associating it with the device is the equivalent of making the token dynamic (as in there is only one static token per device). With this pseudo-dynamic PAN, we have an authenticated token unique to the encrypted device and it cant be used elsewhere, so its fairly secure, once the token-device registration is securely authenticated.
When the final nail is in the coffin for the mag-stripe and the static CV2, were solidly in dynamic-ville and we will likely see a tightened security infrastructure in the card space. However, at this point in the future, who is to say there is a card needed at all. Perhaps well virtualize it, its tokenized on our device into that great mobile wallet in the cloud. Perhaps weve eradicated all payment data sent in the clear and encouraged merchants to distance themselves from other data that can be tied to a customer.
This overarching strategy, sometimes known as data toxification, is not just another buzzword, its happening a concerted strategy suggested by the major networks. All these disconnected technologies do in fact have a common core, and are being pushed and pulled and executed on by those powers that cannot just suggest it as a policy, but enforce it.
Seth Ruden is a senior fraud consultant for ACI Worldwide