Smart Card Alliance Says End-to-End Encryption is Not Enough, Recommends Chip and Dynamic Data to Halt Card Fraud
Princeton Junction, N.J., September 14, 2009 – Analysis of the attacks behind recent and highly publicized data breaches at merchants and processors has led to a flurry of interest in the implementation of end-to-end encryption solutions to protect cardholder data. Electronic payments industry stakeholders are also discussing the development of a new standard through the Accredited Standards Committee X9 (ASC X9). A new position paper, “End-to-End Encryption and Chip Cards in the U.S. Payments Industry,” presents the Smart Card Alliance perspectives on these initiatives.
“Implementing end-to-end encryption is not a panacea; in fact, it may be more akin to putting a steel door on a grass hut,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “Experience shows that despite incredible investments by merchants and acquirers to secure cardholder information, we have not put an end to data breaches and fraud. Criminals just find other ways to steal cardholder data in order to clone magnetic stripe-based cards and make fraudulent transactions. Before the stakeholders take another giant step down a new path of more complicated data security requirements, we thought it would be valuable for the Smart Card Alliance to take a close look at what problems it would solve, and what it would not.”
The paper proposes an alternative to end-to-end encryption, protecting cardholder data by using chip card technology, but in a different way than has been considered in the past.
“In our paper we discuss a different approach optimized for the U.S. payment market: using contactless chip cards, including a dynamic cryptogram with each transaction and authorizing transactions online. This stands in sharp contrast to previous considerations of implementing ‘chip and PIN’ based on the full EMV standard. Instead, this proposal builds on what is already happening in the U.S., the issuance and merchant acceptance of contactless cards, while keeping in step with globally interoperable EMV standards,” said Vanderhoof.
The existing U.S. payments infrastructure can process such transactions today, in the same way it already accepts contactless payment transactions. Many issuers already provide contactless payment cards that produce dynamic cryptograms. Until now, the primary motivation has been to give consumers a fast, convenient way to pay, but the same mechanism improves payment security. The chip computes the cryptogram over transaction-specific data with a secret key that never leaves the card, so the authorization data for every transaction is unique: a cryptogram captured from one transaction is not valid for another, and data stolen from a merchant or processor does not contain the key needed to produce new ones. The chip must therefore be present to generate a valid cryptogram, and the issuer verifies that cryptogram online when the transaction is authorized. Expanding use of contactless cards throughout the U.S. payment system would lower fraud because stolen payment card information could not be used to manufacture a counterfeit card that passes authorization.
Broad use of contactless chip cards, with a dynamic cryptogram generated for each transaction and verified during online authorization, would have the following advantages when compared to end-to-end encryption:
- Reduce the threats posed by cloning magnetic stripe-based cards and stealing cardholder data
- Provide a high level of cardholder data protection by including a dynamic cryptogram with each transaction
- Result in less impact on the payments acceptance infrastructure for merchants, acquirers and issuers
- Enable merchants to implement a solution more quickly and without waiting for new standards
The reason chip cards are a better solution is that end-to-end encryption does not end reliance on magnetic stripe cards. Encryption protects cardholder data only while it is in transit between the terminal and the processor; the card itself still carries static data that is identical on every swipe. Wherever criminals obtain that data, at the point of swipe, in a merchant system before it is encrypted or at the processor after it is decrypted, it is enough to produce a working clone. Payment cards would therefore remain vulnerable to the primary type of fraud that end-to-end encryption is trying to prevent, which is card cloning using stolen cardholder data. Criminals would just find other ways to steal the data.
In contrast, contactless chip cards address the root cause of the problem by retiring the magnetic stripe over time: once authorization requires a cryptogram that only the genuine chip can produce, stolen static data has no value for counterfeiting. Fraud rates would decline as more payment transactions shift to using the contactless chip and dynamic cryptogram rather than the traditional magnetic stripe.
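The following is an added illustration of the contrast drawn in the preceding paragraphs, not code from the Smart Card Alliance paper: it models a magnetic stripe transaction as static data that any captured copy can replay, and a chip transaction as a cryptogram bound to a per-card key and transaction counter that the issuer checks online. The cryptogram construction (HMAC-SHA256 over the transaction fields and counter), the sample PAN, expiry and card key, and the issuer's counter check are all simplifying assumptions made for this example; real EMV cryptograms use issuer-derived session keys and different MAC algorithms, and this toy models only the replay and cloning property.

```python
"""Toy model of the property the paper relies on: a magnetic-stripe
transaction carries only static data, so one captured copy is a working
clone, while a chip transaction carries a cryptogram that depends on a
per-card key and a transaction counter, so a captured copy can neither be
replayed nor adapted to a new transaction. Added illustration, not code
from the Alliance paper; the HMAC-SHA256 cryptogram, sample card data and
counter check are assumptions, not the EMV specification."""

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample card data; a real issuer derives the card key from a master key.
PAN = "4111111111111111"
EXPIRY = "1212"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def transaction_bytes(pan: str, expiry: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    """Canonical byte string the cryptogram is computed over."""
    return f"{pan}|{expiry}|{amount_cents}|{atc}|".encode() + nonce


@dataclass
class ChipCard:
    pan: str
    expiry: str
    key: bytes      # stays inside the chip; never appears in a transaction message
    atc: int = 0    # application transaction counter, incremented per transaction

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Produce the authorization data the terminal forwards to the issuer."""
        self.atc += 1
        msg = transaction_bytes(self.pan, self.expiry, amount_cents, self.atc, terminal_nonce)
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "expiry": self.expiry, "amount": amount_cents,
                "atc": self.atc, "nonce": terminal_nonce, "cryptogram": mac}


@dataclass
class Issuer:
    keys: dict                                    # pan -> card key
    last_atc: dict = field(default_factory=dict)  # pan -> highest ATC accepted so far

    def authorize(self, tx: dict) -> bool:
        """Online authorization: recompute the cryptogram and reject replays."""
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        msg = transaction_bytes(tx["pan"], tx["expiry"], tx["amount"], tx["atc"], tx["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False               # forged or altered transaction
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False               # replay of an already-seen counter value
        self.last_atc[tx["pan"]] = tx["atc"]
        return True


def magstripe_track(pan: str, expiry: str) -> str:
    """Static track data: identical on every swipe, so a copy is a clone."""
    return f"{pan}={expiry}"


def magstripe_authorize(track: str, cards_on_file: dict) -> bool:
    """Stripe-era check: nothing in the message proves the genuine card was present."""
    pan, expiry = track.split("=", 1)
    return cards_on_file.get(pan) == expiry


def demo() -> dict:
    """Run the genuine, replay, forgery and stripe-clone cases; returns each outcome."""
    issuer = Issuer(keys={PAN: CARD_KEY})
    card = ChipCard(PAN, EXPIRY, CARD_KEY)
    results = {}

    tx = card.generate_cryptogram(1999, b"\x01\x02\x03\x04")
    results["genuine"] = issuer.authorize(tx)
    # Attacker who captured tx at the merchant or processor replays it verbatim.
    results["replay"] = issuer.authorize(dict(tx))
    # Attacker edits the captured fields into a new transaction; the key is not in the data.
    forged = dict(tx, amount=50000, atc=tx["atc"] + 1, nonce=b"\x05\x06\x07\x08")
    results["forged"] = issuer.authorize(forged)
    # The genuine card keeps working because its counter keeps advancing.
    results["genuine_again"] = issuer.authorize(card.generate_cryptogram(250, b"\x09\x0a\x0b\x0c"))
    # Contrast: the same stolen static data is all a stripe clone needs, every time.
    track = magstripe_track(PAN, EXPIRY)
    results["stripe_clone"] = magstripe_authorize(track, {PAN: EXPIRY})
    results["stripe_clone_again"] = magstripe_authorize(track, {PAN: EXPIRY})
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} {'AUTHORIZED' if ok else 'DECLINED'}")
```

Running it authorizes the two genuine chip transactions and both stripe "transactions" while declining the replay and the forgery. The point the paper makes falls out of the last two lines of `demo()`: the stripe data that a breach exposes is accepted indefinitely, whereas the chip data exposed by the same breach is useless without the key that stayed on the card, which is why the benefit grows as acceptance shifts from stripe to chip.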
The Smart Card Alliance is making another important recommendation as well. If the industry does indeed move forward with end-to-end encryption, the standard should be defined in a way that lays the messaging foundation for globally-interoperable secure payment transactions using chip card technology in the future. This would have no impact on end-to-end encryption cost or complexity, and yet would make the U.S. payments messaging standard compatible with the global payments infrastructure based on chip technology.
About the Smart Card Alliance Contactless and Mobile Payments Council
The Contactless and Mobile Payments Council is one of several Smart Card Alliance technology and industry councils. The Council was formed to focus on facilitating the adoption of contactless and mobile payments in the U.S. through education programs for consumers, merchants and issuers. The group is bringing together financial payments industry leaders, merchants and suppliers. The Council’s primary goal is to inform and educate the market about the value of contactless and mobile payment and work to address misconceptions about the capabilities and security of contactless technology. Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.securetechalliance.org.