“Implementing end-to-end encryption is not a panacea; in fact, it may be more akin to putting a steel door on a grass hut,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “Experience shows that despite incredible investments by merchants and acquirers to secure cardholder information, we have not put an end to data breaches and fraud. Criminals just find other ways to steal cardholder data in order to clone magnetic stripe-based cards and make fraudulent transactions. Before the stakeholders take another giant step down a new path of more complicated data security requirements, we thought it would be valuable for the Smart Card Alliance to take a close look at what problems it would solve, and what it would not.” The paper proposes an alternative to end-to-end encryption, protecting cardholder data by using chip card technology, but in a different way than has been considered in the past. “In our paper we discuss a different approach optimized for the U.S. payment market: using contactless chip cards, including a dynamic cryptogram with each transaction and authorizing transactions online. This stands in sharp contrast to previous considerations of implementing ‘chip and PIN’ based on the full EMV standard. Instead, this proposal builds on what is already happening in the U.S.–the issuance and merchant acceptance of contactless cards–while keeping in step with globally interoperable EMV standards,” said Vanderhoof. The existing U.S. payments infrastructure can process such transactions today in the same way that current contactless payment transactions are accepted. Many issuers already are providing contactless payment cards with dynamic cryptograms. Until now, the primary motivation has been to provide consumers with a fast, convenient way to pay. But contactless transactions can also improve payment security. The dynamic cryptograms protect cardholder data in all payment transactions, because they make each payment transaction unique. The chip card must be present to generate a valid cryptogram, which is verified online when the transaction is authorized. Expanding use of contactless cards throughout the U.S. payment system would lower fraud because stolen payment card information could not be used to make fraudulent cards. The broad use of contactless chip cards with online authorization of a dynamic cryptogram with each transaction would have the following advantages when compared to end-to-end encryption: – Reduce the threats posed by cloning magnetic stripe-based cards and stealing cardholder data – Provide a high level of cardholder data protection by including a dynamic cryptogram with each transaction – Result in less impact on the payments acceptance infrastructure for merchants, acquirers and issuers – Enable merchants to implement a solution more quickly and without waiting for new standards The reason chip cards are a better solution is that end-to-end encryption does not end reliance on magnetic stripe cards. Since payment cards would still use static cardholder data for processing, they would remain vulnerable to the primary type of fraud that end-to-end encryption is trying to prevent, which is credit card cloning using stolen cardholder data. Criminals would just find other ways to steal the data. In contrast, contactless chip cards eliminate the root cause of the problem by eliminating use of the magnetic stripe over time. Fraud rates would decline as more payment transactions shift to using the contactless chip and dynamic cryptogram rather than the traditional magnetic stripe. The Smart Card Alliance is making another important recommendation as well. If the industry does indeed move forward with end-to-end encryption, the standard should be defined in a way that lays the messaging foundation for globally-interoperable secure payment transactions using chip card technology in the future. This would have no impact on end-to-end encryption cost or complexity, and yet would make the U.S. payments messaging standard compatible with the global payments infrastructure based on chip technology. “End-to-End Encryption and Chip Cards in the U.S. Payments Industry” is available at Position Paper
Ein neuer Digitaler Ausweis-Service ermöglicht die vollautomatisierte Identifikation und Legitimierung von Sparkassen-Kunden innerhalb kürzester Zeit. Entwickelt wurde der Service von der S-Markt & Mehrwert. Die Pilotierung und Einführung wird…