SecureKey Technologies Inc. has developed a way to turn any computer into a contactless payment terminal, bringing the improved security of contactless payments to e-commerce — without requiring online merchants to do anything to their systems.
"Now you can turn every e-commerce merchant into a contactless-accepting merchant," Chris Gardner, the Toronto startup's vice president of partner engagement, said in an interview at the Finovate conference in New York this week, where SecureKey presented its technology.
"The business model [for contactless] for the bank is greatly enhanced" when contactless cards can be used for any online purchase, he said.
Some large banks in the United States and Canada are preparing to test SecureKey's technology, Gardner said, though he would not name them. Though SecureKey's technology is easiest to use with banks that already distribute contactless cards, Gardner said "we've been approached by a lot of banks that aren't issuing contactless today" and want to strengthen their case for the technology.
Contactless cards have been around for years, but the technology still struggles for attention against magnetic stripe cards. Contactless technology has had some success in transit, and is considered by many to be a foundation of mobile phone payments, but it has long been limited by the classic chicken-or-egg problem: consumers can't make contactless payments if merchants refuse to put in the technology necessary to accept them.
SecureKey's contactless acceptance device has the size and appearance of a typical USB memory stick. When plugged into a computer, it creates a secure channel to an issuer and allows consumers to make payments by tapping their contactless cards against the device.
For consumers, part of the benefit is convenience, since the device also fills in the payment data on the checkout pages of merchants' websites. The device also uses the dynamic data security capabilities of contactless cards.
Every contactless payment made uses a one-time-use code at the point of sale that is specific to that transaction — if it is copied, that code cannot be reused. Each code, called a dynamic card verification value (dCVV) by Visa Inc. and card verification code three (CVC3) by MasterCard Inc., is generated in sequence, so that if a fraudster steals a block of transaction codes by scanning a consumer's card, those earlier codes would be invalidated by the next one generated by the consumer at the point of sale.
Online merchants are not set up to accept dCVV/CVC3 codes, so SecureKey sends this information straight to the issuer at the start of the transaction. The issuer then generates a one-time-use code that would be automatically filled in at the merchant's site in place of other payment data to link the e-commerce transaction to the dynamic data sent earlier.
Consumers who are sensitive to the inconvenience of filling in payment data online are largely turning to alternative payment systems, Gardner said, and SecureKey provides a way for banks to win back those consumers.
Though it is not necessary, merchants can work with SecureKey to improve their fraud detection by taking into account the presence of a valid contactless card.
Banks can also use SecureKey to improve their online banking security by requiring consumers to tap their cards as they log in.
The SecureKey device can be made with the issuer's brand for about $5 apiece, which observers say is inexpensive for this type of technology. SecureKey expects the price to drop as the devices are manufactured in larger quantities.
Edward R. Woods, the principal at Mindful Insights LLC, a research firm in Portland, Ore., said that SecureKey's "technology is interesting, and the authentication is stronger, and you have the leverage of the reuse of the already strong mechanism in [the] chip."
One challenge for SecureKey is to get consumers to use its system. "The consumer needs it, but will they be aware that they need it to the extent that they're going to change their behavior?" he said.
Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., said that SecureKey's technology greatly improves the business case for contactless payments.
"Up until now, … [contactless] was like a partial solution," she said. "One of the barriers is it doesn't work on e-commerce channels — and now it does."
Though consumers typically do not like to use new hardware, the SecureKey device's resemblance to the familiar USB stick works to its advantage.
Overall, SecureKey's approach "is not rocket science — it's pretty simple, but a lot of the best solutions are simple," Litan said.