First Data Corp. has agreed to license dynamic authentication software from the Newbury Park, Calif., vendor PrivaSys Inc.
The Denver processor, which announced the deal Wednesday, said the software would improve security on the contactless cards it produces for issuers.
Dynamic authentication allows contactless payment cards to create a unique authentication code for every transaction. Though the technology is not new, it is becoming more widely known within the card industry, and issuers and card companies are starting to tout it to foster the adoption of contactless cards.
"There's been much press attention about contactless transactions and the potential of skimming on contactless transactions," said Barry McCarthy, the president of product innovation for First Data's commercial services unit. The PrivaSys technology "nearly eliminates this as an ongoing concern."
Contactless cards use radio frequency identification technology to transmit data to readers. However, some have raised concerns that criminals could use a portable reader, for example, to skim data from people on a crowded subway.
Dynamic authentication is meant to make skimming less effective, because having a different authentication code for every transaction means any code captured by criminals could be used for only one transaction.
Mr. McCarthy said that using dynamic authentication will "provide consumers with confidence in using" contactless cards, and that the danger of skimming "is much overrated."
Dynamic authentication software generates the codes through a mathematical algorithm stored on the card.
Because a criminal can obtain a single valid code, the technology cannot eliminate the risk of fraud, Mr. McCarthy said. However, if a criminal tried to use the card data a second time, the transaction would be stopped, and the details of the attempt would be flagged to help identify the criminal, he said.
"It doesn't completely eliminate or prevent fraudulent transactions, but it prevents proliferation of fraudulent transactions," he said. "That's very, very important in the contactless space."
First Data has been using other methods to protect contactless cards, but those technologies were not "as robust and meaningful as what PrivaSys could deliver," Mr. McCarthy said.
He would not give a price for the licensing agreement.
First Data provides merchants and issuers with various card products, including private-label and stored-valued cards, and it has "a big interest in mobile payments arena," Mr. McCarthy said. "We would imagine using this technology to support contactless efforts across all of these areas of our business."
Jessica Iben, a spokeswoman for JPMorgan Chase & Co., said the New York company has been using dynamic authentication for its Blink-branded contactless cards since it began issuing them in 2005. JPMorgan Chase, one of the driving forces for contactless adoption in this country, said in September that it had issued more than 7 million of the cards.
Dynamic authentication is "like tumblers in the lock," she said. "The code changes for every transaction."
JPMorgan Chase wanted to use the security method from the start, because contactless cards were "a new way to pay, and we wanted to make it as safe and secure as possible," Ms. Iben said.
The company also uses other security measures as well on its cards, she said.
Elvira Swanson, a spokesman for Visa U.S.A. Inc., said that it introduced dynamic authentication technology on its first contactless cards in 2005, "as an added layer of security to contactless cards."
The contactless payments business "is an evolution, and as we launch new products, we open up new markets and new ways of paying," Ms. Swanson said. "We add new layers of security so that we can fully protect those transitions and ensure the integrity of the payment system."
Even though a fraudster could use a portable reader to capture a card's account number and the current dynamic authentication code, the reader would not pick up either the cardholder's name or the key used to generate the dynamic codes, she said.
Visa said at a conference in Washington this month that it is interested in using dynamic authentication with its standard magnetic-stripe cards, though it did not provide details of how the technology could be implemented.
Contactless cards have a microchip that handles data transmission and processes the mathematical instructions needed to create the dynamic authentication codes. Magnetic-stripe cards have no chip, and the San Francisco card association conceded that it might have to make some modifications to standard card designs to accommodate dynamic authentication technology.
A.C. McGraw, a spokeswoman for BB&T Corp., said the Winston-Salem, N.C., banking company has included dynamic authentication in a contactless card test that got under way in January in Georgia, Florida, Maryland, Virginia and the District of Columbia.
The technology is considered "a key component to the authentication" and a way to "ensure that every transaction is safe," Ms. McGraw said.
