Bulking Up Internet Security: The Chip Card Option

  As European banks continue to move their payment cards to smart cards to secure their cash dispensers and the point of sale, a small but growing number of them are pressing the cards into double duty to safeguard Internet transactions.
  The banks are issuing their customers low-cost, handheld readers that combine with the chip cards to offer a second factor of authentication for online banking. And a few of those banks have begun to secure Web shopping with the same readers and cards.
  Eventually, proponents say, more issuers will do the same. The base of customers remains small, however.
  “You need to transport that chip-and-PIN (card) notion from the physical world to chip-and-PIN at home; you need to explain to [customers] it’s very similar,” Toni Merschen, head of MasterCard Worldwide’s chip programs, tells Cards&Payments.
  MasterCard’s Chip Authentication Program, or CAP, application runs on the cards that anchor several of the online security projects. The application resides on standard EMV cards, also known as chip-and-PIN cards. Visa Inc. and some domestic card organizations have adopted the standard.
  Banks have rolled out 10 million to 15 million of the sub-10 euro (US$14.70) handheld readers, estimates MasterCard. Among the big banks running with the technology are Royal Bank of Scotland and Barclays in the United Kingdom, ABN Amro and Rabobank in the Netherlands, and Sweden-based Nordea Bank.
  To conduct Internet-banking transactions, such as paying bills or transferring funds, customers insert their cards into the readers, which generally are not connected to their computers. They then key information into the reader keypads, such as the card’s personal identification number, the transaction amount and the account number to which they want to send funds. The chip uses a secret key stored on the card to compute a one-time passcode, usually eight digits, from that input; the reader displays the code and the customer types it into the Web site.
  The vast majority of Internet-banking customers in Europe still authenticate themselves using decidedly low-tech means, such as usernames and passwords or, if their banks insist on a second factor of authentication, lists of printed one-time passcodes banks send to customers. The banks ask the customers to scratch off each number as they use it for online-banking sessions. Some banks have issued their customers handheld dynamic-passcode generators that do not use cards.
  With handheld card readers, customers prove they hold the banking cards their banks issued by entering the same PIN they use when making purchases in stores. The battery-powered readers also are interoperable among banks, since the secret keys on the cards, not the readers, do the number crunching that produces the passcodes; the readers only collect the input and display the result.
  Growing Base Of Cards
  Europe’s banks have moved 50% of their payment cards thus far to the more-secure EMV smart card technology. With most banks committed to converting the other half of their cards by the end of 2010, there will be a ready base of smart cards to be used with the readers, say backers of the concept.
  Some of the banks that have rolled out the readers require customers to use them to conduct all transactions online. Others, such as UK-based Royal Bank of Scotland, are using the devices mainly for setting up payments to third parties for the first time (see diagram on this page). These types of transactions carry the highest risk of fraud.
  In either case, fraudsters, who would be unable to punch in the proper code displayed by the reader and generated by the chip-and-PIN card, would see their attempted transactions rejected, says a spokesperson for Royal Bank, one of Britain’s largest banks. The bank began issuing readers at no charge last May and had distributed more than 1.4 million of them as of last month.
  “That (reader) identifies you as the person sitting in front of the computer,” the spokesperson says. “If a fraudster is sitting in another country, and they had hacked into your account somehow, without the debit card and PIN, it would not work.”
  Banks in the Netherlands generally were the first to distribute the handheld readers, with Rabobank one of the pioneers.
  The bank started putting the readers into the hands of customers around 2000, using encryption keys tied to Chipknip, the Netherlands’ chip-based electronic purse. The chip carrying the little-used purse has sat on Dutch magnetic-stripe debit cards for more than 10 years. As Dutch banks convert the debit cards to EMV, the e-banking security program will run as a feature of the EMV debit application instead.
  Rabobank, in fact, found that, besides offering more protection against phishers and other fraudsters, the readers helped pay for themselves by reducing help-desk calls the bank had received on more-conventional authentication methods. Five years after launching the card-and-reader scheme, Rabobank received just one help-desk call for every 2,000 Internet transactions, according to the bank. That is about half of what it was previously. The savings paid about 50% of the cost for the handheld readers.
  Securing Shopping
  The Dutch banks also are the first to use the chip cards and handheld readers on a national scale to secure online shopping, under the “iDEAL” service, which they launched in September 2006. More than 6,500 online shops in the Netherlands accept iDEAL, and it accounted for 1.7 million transactions in December 2007, up from 720,000 in December 2006, shortly after the service launched.
  Eric Tak, manager of cards and the iDEAL project for Currence, a Dutch bank-owned cards and payments organization, says iDEAL accounts for 25% of conventional Internet-shopping transactions among Dutch consumers, about twice the market share for online payment by cards. More than 72% of Dutch online shops accept the bank-payment service.
  To use it, consumers click an iDEAL icon, located next to the card-payment brands on the checkout page. They then choose their bank from a short drop-down menu, which directs them to their bank’s Internet site. They use their chip cards and handheld readers or other security procedures just as they would for online banking.
  Five major Dutch banks, including ABN Amro, Fortis and Postbank, along with Rabobank, support the service, and another is expected to join in the summer. All but Postbank use handheld readers to secure the transactions. Postbank uses one-time passwords that can be sent via mobile text messaging.
  In focus groups, consumers have not complained of checkout hassles, says Tak. Some even have said they like the fact the purchase comes directly out of their banking accounts. This prevents them from overspending, which they might do if they use credit or deferred debit cards for the purchases.
  “For the merchant, the business case is even more obvious than for the consumer,” Tak says. “They have an absolutely guaranteed payment, they get real-time notification they have a payment, there are no charge-backs or reversals, and they can ship those (products) out without any fear there is a credit risk.”
  Just as importantly, merchant fees for taking cards, which range from just under 3% of the transaction value at conventional online shops to more than 6% for shops selling adult goods or content, are much lower for iDEAL. Banks charge merchants between 25 euro cents and 1 euro (US$0.37 to US$1.47) per transaction. On the average 60-euro iDEAL transaction, online merchants pay half or less of what they would on a similar card purchase.
  Lower merchant fees are not necessarily good news for the banks, which could see a significant drop in card revenue. But card schemes likely will have to cut interchange substantially because of intervention by European Union regulators, so banks would not be losing as much, notes Tak.
  Still, the iDEAL transaction numbers remain relatively small, in part because only Dutch merchants and a few in neighboring Belgium support it.
  Shopping Across Borders
  Currence hopes to expand the scheme to other European countries, and it will be helped in that effort by the Single Euro Payments Area standards that aim to bring about a common market for electronic payments. Banks in a couple of other European countries that have set up a domestic standard for allowing consumers to pay for Web purchases out of their bank accounts also hope to expand the standard across their borders.
  Credit transfers among banks, which banks generally use to settle these types of transactions, are the first category of pan-European e-payments banks are implementing under SEPA. The standard credit transfers began less than two months ago (see News story on page 8).
   In addition, the European Payments Council, which is directing the SEPA rollout for banks throughout Europe, in December formed a committee to draft standards for a generic banking-payment application European consumers could use when they shop online. Consumers could use the application with a second factor of authentication, such as cards and handheld readers, but the standards would not require it.
  The international card schemes, which do not want to get cut out of such transactions, have equipped their 3-D Secure online security systems to work “seamlessly” with two-factor authentication systems, including handheld readers, says MasterCard’s Merschen.
  The 55,000 merchants supporting SecureCode from MasterCard (or thousands of merchants using a similar scheme from Visa) would not have to implement anything extra on their Web servers, he says. The transactions go straight through to the card issuer for authorization when the consumer checks out.
  Backers of the handheld card readers say there are other uses.
  A major online gaming company in Scandinavia, for example, is using readers and specially issued chip cards to authenticate players. And large Nordic bank Nordea plans to expand from online banking to enabling customers to secure e-government services with its payment cards and readers. The project will require the readers to be connected to computers, which is more of a hassle for cardholders. But officials will insist upon this because the transactions with agencies could require highly secure electronic signatures.
  Moving beyond home banking to e-commerce with chip cards and readers will take time, however. Among other things, banks need to roll out a much larger base of readers. And the cards need the authentication application loaded on the chip, just as they do for Web banking.
  In the UK, for example, while card-not-present fraud soared 44% during the first half of 2007, the latest period for which figures are available, British banks have no plans yet even to test their readers for securing home shopping.
  Those banks using the devices are still gauging how customers are taking to the concept for e-banking. The last thing they want to do is to frustrate consumers at the checkout page.
  “There are more security concerns (among consumers) around Internet banking than shopping,” a Barclays spokesperson tells Cards&Payments, citing focus-group research the bank has conducted around its “PINsentry” handheld readers. Barclays has distributed about 800,000 of the readers since last summer, which customers must use every time they log on to the Barclays Internet banking site and also to set up payments to another party for the first time.
   While British banks and others in Europe see their EMV cards and low-cost readers as a possible remedy for growing online-shopping fraud, it will take some time before most of them will require any additional authentication for their Web-shopping customers.
  The more narrowly focused world of Internet banking is another matter. Expect more banks in Europe and elsewhere to put their growing base of EMV cards to use to ward off the ever-present threat from identity thieves and other fraudsters.
  Banking Online With Cards
  * Customer of UK-based Royal Bank of Scotland receives an 8-digit transaction-challenge code from the e-banking site.
  * He inserts his debit card into the handheld reader, enters the card’s PIN and then the challenge code from the Web site.
  * Customer types into the Web site the response code produced by the card and displayed by the reader.
  * The RBS e-banking server checks this response code and, if it is correct, authorizes the transaction.
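  The login, challenge-response and transaction-signing flows described above and in the diagram, modelled as an added example that is not MasterCard’s CAP specification or any bank’s code: the card keeps a per-card secret key, checks the PIN offline and counts transactions; the reader is only a keypad and display; the issuer recomputes the code from the same inputs. The real scheme derives the digits from an EMV application cryptogram and a bit filter; here an HMAC stands in for the card’s MAC, and the key, PIN, account numbers and counter window are constructed test values.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 8          # the article: "usually eight digits"
ATC_WINDOW = 20          # how far past the last seen counter the issuer will search (assumed)


def compute_code(key: bytes, atc: int, challenge: str = "", amount: str = "",
                 account: str = "") -> str:
    """Card-side number crunching, re-run by the issuer to verify.

    Stand-in for the EMV cryptogram: an HMAC over the transaction counter and
    whatever the cardholder keyed into the reader, truncated to decimal digits.
    Unused fields stay empty, so one function covers login (nothing keyed),
    challenge-response (challenge only) and signing (amount and account).
    """
    data = f"{atc}|{challenge}|{amount}|{account}".encode()
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class Card:
    """The chip: holds the secret key, checks the PIN offline, counts transactions."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self.atc = 0                # application transaction counter
        self.pin_tries_left = 3     # the card blocks itself after repeated wrong PINs

    def generate_code(self, pin: str, **fields: str) -> str:
        if self.pin_tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            raise PermissionError("wrong PIN")
        self.pin_tries_left = 3
        self.atc += 1               # every code is computed over a fresh counter value
        return compute_code(self._key, self.atc, **fields)


class IssuerServer:
    """The bank's e-banking back end: knows each card's key and last accepted counter."""

    def __init__(self):
        self._cards: dict[str, tuple[bytes, int]] = {}

    def enroll(self, card_id: str, key: bytes) -> None:
        self._cards[card_id] = (key, 0)

    def issue_challenge(self) -> str:
        """Random challenge shown on the Web page for the cardholder to key in."""
        return f"{secrets.randbelow(10**CODE_DIGITS):0{CODE_DIGITS}d}"

    def verify(self, card_id: str, code: str, **fields: str) -> bool:
        key, last_atc = self._cards[card_id]
        # The card may have been used in shops since the last login, so search a
        # window of counter values, but never accept a counter at or below the last
        # accepted one: that is what makes a captured code useless a second time.
        for atc in range(last_atc + 1, last_atc + 1 + ATC_WINDOW):
            if hmac.compare_digest(compute_code(key, atc, **fields), code):
                self._cards[card_id] = (key, atc)
                return True
        return False


def demo() -> dict:
    key = secrets.token_bytes(16)        # constructed per-card key
    card = Card(key, pin="1234")         # constructed PIN
    bank = IssuerServer()
    bank.enroll("card-1", key)
    results = {}

    # Respond mode, as in the RBS diagram: challenge from the site, response typed back.
    challenge = bank.issue_challenge()
    response = card.generate_code("1234", challenge=challenge)
    results["respond_ok"] = bank.verify("card-1", response, challenge=challenge)
    results["replay_rejected"] = not bank.verify("card-1", response, challenge=challenge)

    # Sign mode: amount and destination account are inputs to the code, so a fraudster
    # who swaps the payee in the browser cannot reuse it (account numbers constructed).
    code = card.generate_code("1234", amount="250.00", account="NL00TEST0123456789")
    results["tampered_payee_rejected"] = not bank.verify(
        "card-1", code, amount="250.00", account="NL00EVIL9876543210")
    results["signed_transfer_ok"] = bank.verify(
        "card-1", code, amount="250.00", account="NL00TEST0123456789")

    # Card used at the point of sale in between: the counter advances but stays in window.
    card.atc += 5
    results["after_pos_use_ok"] = bank.verify("card-1", card.generate_code("1234"))

    # A wrong PIN never yields a code; the card, not the Web site, counts the tries.
    try:
        card.generate_code("0000")
        results["wrong_pin_rejected"] = False
    except PermissionError:
        results["wrong_pin_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The counter window is why the issuer, not the reader, has to hold state: the same card and PIN work in any bank’s reader, and the issuer tolerates counter values consumed at the point of sale while still refusing any code whose counter it has already accepted.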
  (c) 2008 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com
