First Data Corp. has developed a debit card antifraud system that uses contactless chips to produce unique, one-time card numbers for use at the point of sale.
The Atlanta processor's Star debit network said its CertiFlash system, announced Wednesday, could serve as a U.S. response to the EMV Integrated Circuit Card Specifications, a security format that is used widely abroad but has garnered little support from financial companies or card networks in the United States.
With CertiFlash, the one-time numbers replace the actual card-account data that is used to make transactions. Star converts the one-time number to the actual card number at its switch before sending the transaction details to issuers for authorization.
"This doesn't bridge any gaps" to EMV, said Julie Saville, a Star vice president of product management. "This is the solution" to countering card fraud "as we see it going forward for Star."
CertiFlash "integrates with the way [contactless] payment technology works in the United States," Saville said. First Data is a unit of the New York private equity company Kohlberg Kravis Roberts & Co.
Any Star bank partners that decide to use CertiFlash would have to reissue debit cards with contactless chips. When cardholders initiate transactions at the point of sale, the chips and the terminals would communicate with one another and prompt Star to produce the one-time account number.
Using a one-time card number instead of a card's actual account number renders worthless any data obtained if someone hacks into a merchant's payments system; similarly, card skimming could be virtually eliminated for CertiFlash transactions because issuers would recognize and decline any stolen one-time card numbers if a hacker tried to use them.
Stolen cards also would become less of a problem because users would need to enter PINs for purchases exceeding $25 or cash back in excess of the sale.
The technology is not designed solely for debit cards, Saville said. It also can be used with payment fobs and stickers.
Star already has tested the technology in a mobile environment using microSD cards and near-field communication chip technology.
"We're way ahead of the curve in how it would work" for mobile payments, Saville said.
CertiFlash still would be in a good position if and when the EMV format comes to the United State, she said.
"Our technology was built to be flexible and can sit side by side with other technologies" on the contactless terminal if other payment companies decided to use EMV, Saville said.
Saville said Star plans to test CertiFlash in the next few months with a bank, which she would not name. A full rollout is expected in 2011.
Avivah Litan, a vice president and analyst at Gartner Inc., a market research company in Stamford, Conn., called CertiFlash a "good, practical technology" that can help combat card fraud.
However, not all merchants are ready to accept contactless payment cards, and that could reduce CertiFlash's effectiveness, Litan said.
Star is working with Vivotech Inc., a manufacturer of terminals for contactless payment, to make POS systems that are compatible with CertiFlash.
That helps, Litan said, but it's merchant adoption that will dictate whether any technology related to contactless payment takes off.
"The success of new payments [technology] is driven by merchants," she said.