The Los Altos, Calif., card security vendor QSecure Inc. says it has developed a payment card that can generate new coded data for its magnetic stripe every time it is used, to determine whether a card is real or cloned.
A chip embedded in the card generates the new security code but works without special readers. The technique resembles the one used in smart cards and contactless cards.
Visa U.S.A. Inc. said in March that it was interested in using a similar security method, Dynamic Card Verification Value, for standard magnetic stripe cards; the method is already used in its contactless cards. Visa has not provided many details about how it plans to do so; though it is considering a modified card design, it is also looking at a method that would require new point of sale terminals — a potential barrier to widespread use. (See
QSecure says its technology works without special readers. "Our approach is to try to achieve many of the benefits of the next-generation card technologies, but do it in a way that doesn't require change to the infrastructure," said David Watkins, the company's president and chief executive.
Several issuers, including many in the United States, are preparing pilot tests of QSecure's card for early next year, he said. If the tests go well, the issuers could begin offering the cards to their customers by the second half of that year.
The rollout could be done without requiring merchants to use new card readers, he said. Since the chip has "magnetic-media properties, to a terminal, it just looks like a standard magnetic stripe."
Most of the stripe on QSecure's card is no different from a traditional magnetic stripe; only a small square of the stripe is rewritten with a new, dynamic security code.
The terminal transmits the dynamic information along with the rest of the information in the card's stripe for approval, and the issuer evaluates the dynamic information as part of its risk assessment. If the same code is used twice, the issuer knows the second attempt is probably fraud. The real card would be able to generate new codes with each transaction, while a cloned card would recycle the stolen information used to create it.
When produced in large quantities, QSecure's card should cost less than $5, rivaling the cost of smart cards and contactless cards, Mr. Watkins said. Banks need not choose one over another, he said, because there is enough room inside the card for both QSecure's technology and a contactless chip, though his company has no plans to make a card with both.
A Visa executive declined to be interviewed for this article. A Visa spokesman said that there was nothing new to say about its tests for using dynamic information in magnetic stripe transactions.
MasterCard International has said it has no plans to use dynamic security codes, which it calls Card Verification Code Three, for standard magnetic stripe cards.
Avivah Litan, a vice president and research director at the market research company Gartner Inc., said QSecure's method shows promise. "It sounds like a low-cost, frictionless way to strengthen cardholder security," she said.
She has heard of other methods that require some change by the acquirer or merchant, but "this is the only structural change that I've heard of to magnetic stripe cards that only requires a change at the issuer," she said. "Assuming they get it to work … the only thing standing in the way of adoption is the business model."
The major benefit of QSecure's technology is that stolen data could not be reused, Ms. Litan said.
After the breach that TJX Cos. Inc. disclosed this year, many banks bore the cost of reissuing cards. But large breaches are still rare, so many banks are still reluctant to spend money to address the problem, she said. "If there's another breach that is the magnitude of TJX, then there is the business case to render data useless if stolen."
