WASHINGTON — Visa U.S.A. is planning to test on its standard magnetic stripe payment cards a security feature that functions like a one-time password.
The San Francisco card association said that dynamic card verification values, a unique authentication code created for every transaction, can make it more difficult for criminals to use stolen data to create functional cloned cards. Visa already uses this technique with contactless cards, but it is unclear whether the current generation of mag-stripe cards and readers have the ability to generate these codes, and adopting them could require major changes in the payments industry. Related Link
Visa also said it is pushing merchants to disclose data security breaches faster, and in more detail, than they do now, which would have benefits for both issuers and consumers. (See related story on this page.)
Contactless Visa cards have embedded microchips that generate a DCVV whenever the cards are used. The code is unique to each transaction, which means that criminals who manage to skim card data during a single transaction to create counterfeit cards would have only an old DCVV; using an old DCVV would enable Visa to recognize a fake card and block any transactions using that code.
The technology is not unique — MasterCard Inc. has a version called card verification code 3, or CVC3 — but has been used primarily with contactless cards and smart cards (which also have a chip to generate the code).
Standard cards feature a static card verification value written into the magnetic stripe. This number is not known to the user and is designed to verify that the card is present during a transaction. However, because it never changes, criminals can use stolen data from the mag stripe to produce cloned cards that would work until the issuer reissued the card.
Brian Triplett, Visa's senior vice president of emerging product development, said the association hopes to test several ways to bring a DCVV-like system to magnetic stripe cards. Though he would not elaborate on how this might be done, he said it could require some modifications to existing card designs. He also said that such a security system might require merchants to install new terminals, though this could be limited to merchants that handle high-risk transactions, such as jewelry stores.
"We're looking at ways that we can help strengthen the mag-stripe environment or introduce new technologies in specific areas," Mr. Triplett said.
"Part of what we were trying to prove with contactless was the ability to create dynamic data," he said, but "it doesn't have to come just off of the card. The idea is, What are the other ways that you can create dynamic data at the point of payment and then send that data through the network?"
MasterCard uses CVC3 in both its contactless cards and in its smart cards that adhere to the Europay, MasterCard, Visa security format that is widely used abroad but not in the United States.
Simon Pugh, the senior vice president for MasterCard's advanced payments solutions customer group, said in an e-mail that the Purchase, N.Y., company does not plan to use CVC3 with mag-stripe cards for point of sale purchases.
In fact, MasterCard has said that mag-stripe technology may some day be replaced altogether. Christopher Thom, its chief risk officer, said in a speech at last year's Identity Theft and Fraud Symposium in San Francisco, which was hosted by SourceMedia Inc., the publisher of American Banker, that "magnetic stripe served us well for many decades, but the truth is, it's nearing the end of its life cycle. … Magnetic stripe is no longer a realistic way forward."
Avivah Litan, a vice president and research director at the market research company Gartner Inc. in Stamford, Conn., said "the magnetic stripe infrastructure needs some kind of overhaul." Since criminals have repeatedly proven that they can gain access to magnetic stripe information, "the new thinking is you have to render the data useless even if they try to steal it."
