WASHINGTON — Tiny iron particles may be the next item in the banking industry's antifraud toolkit.
Visa Inc. and Fifth Third Bancorp are testing a system that evaluates the physical properties of the iron in the magnetic stripes on payment cards. The companies say these characteristics are different for every card and can function as a financial "fingerprint" that could prevent stolen account data from being used to produce counterfeit cards.
"The right long-term goal is to make data unusable to criminals and therefore reduce the incentive to steal it," Ellen Richey, Visa's chief enterprise risk officer, said at Visa's Security Summit here last week.
Don Roeber, the vice president of merchant compliance at Fifth Third Processing Solutions, said his company has installed about 1,000 card readers that have the components needed to evaluate the iron particles in magnetic stripes. He described the technology as invisible to the merchant and said the readers are delivered during merchants' normal upgrade cycles.
Though criminals have devised many ways to steal the account data stored on cards, the physical properties of the original card's stripe would not be duplicated if a criminal tried to copy stolen data onto a new card, Visa said. During a transaction, the terminals verify that the stripe is affiliated with the account number being used and then generate a one-time code to authenticate the transaction. Because the technology generates a new code for each purchase, issuers know that if they see the same code twice the second transaction is probably fraudulent.
Because so much stolen card data is available, Roeber said it is important that banks "figure out a way to make that data of no value to the criminal."
The test is being done at several merchants, which Fifth Third would not specify. It began in February 2008 and is expected to run through June.
The technology was developed by MagTek Inc. in Seal Beach, Calif., and runs on terminals from VeriFone Holdings Inc. in San Jose.
Andy Deignan, MagTek's vice president of global marketing and strategy, said in an interview Friday that the technology can work with any mag-stripe card that has ever been issued.
"The stripe itself is made up of tiny particles of ferrous oxide — iron — and those particles are randomly sized and distributed throughout that" substratum, he said.
"Because each stripe is unique and because they are magnetic in nature, each stripe gives off a low-level noise that is unique to the card, it is repeatable within the card, and it is verifiable within the card," he said. "We use those properties to authenticate the card itself."
Once the reader authenticates the card, it generates a 54-byte string of data to authorize the transaction. This code changes every time the card is used, and each one can be correlated to the fingerprint associated with the card. The technology also considers the age and degradation of the stripe when comparing them to reference fingerprints that are generally kept by issuers.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said the stripe fingerprinting system "sounds like a very robust method for card authentication, which is what the challenge is all about; it's all about making sure the criminals are not able to use stolen data."
She cautioned that no security method is perfect and, since the technology is not widely used, it is hard to properly gauge its effectiveness, but she said the theory behind it is compelling. "If it works as advertised, I think it's a great idea."
Financial companies are also considering other ways to make stolen data less useful to criminals. Heartland Payment Systems Inc., for example, in January, shortly after announcing that its systems had been compromised, called for encrypting card data as soon as a card is swiped during a transaction. It said that end-to-end encryption would have rendered useless the account data stolen during the security breach.
Roeber said that this kind of encryption strategy is impractical because it presents "tremendous key management issues" for merchants. "If you have a larger merchant that has a thousand stores," he said, "that can be a significant challenge for them to manage all those keys."
With the mag-stripe fingerprinting system, "there's no key management to work with here," Roeber said. "There's not a whole lot of implementation issues."
Visa also announced at the conference that as of last week 90% of the U.S. merchants it classifies as Level 1 and Level 2 — the largest — have validated their compliance with the Payment Card Industry Data Security Standard and 99% have stopped storing prohibited card data.
Gerry Sweeney, Visa's global head of e-commerce and authentication product innovation and development, said that, though more merchants are coming into compliance, "we must move from static data to dynamic data for authenticating consumers and cards."
Though dynamic data is used today in contactless and other chip cards, it can be used without any change to the card. "We're doing a lot more at the terminal level," he said.
