Consumers who bank or initiate retail purchases online already can secure those transactions through a variety of means, including passwords used only for the Web, card readers that plug into personal computers or challenge-response procedures that can include images they preselect.
Some companies, however, are trying to make money by securing Web commerce and online banking with cards that display one-time passcodes designed to stop counterfeiters. They hope the combination of increasing online consumer activity, relatively lax fraud protections in some parts of the world and the fact the cards are the same size as traditional payment cards will lead to more demand for the devices.
“The credit card form factor is very familiar, and you can brand [the cards] in a similar way,” says Thomas Flynn, director of marketing for identity and access management for France-based smart card vendor Gemalto NV, explaining the potential appeal to consumers. For instance, consumers and issuers might feel more comfortable with familiar card forms instead of code-generating key chain tokens, he says.
The drive behind one-time passcode cards comes as more consumers use the Web for banking and purchasing. Bank of America Corp., for instance, says more than 50% of its retail customers–30 million of the 59 million overall consumers–are connecting with the bank online.
Cambridge, Mass.-based Forrester Research predicts that 66 million U.S. households will use online banking by 2014, up from 54 million now. Meanwhile, U.S. consumers on Dec. 15 spent $913 million with online retailers, the largest daily total so far, according to Reston, Va.-based research firm comScore Inc.
The numeric data displayed on one-time passcode cards are based on algorithms unique to each cardholder. Once the card creates the passcode, the cardholder types the number into the appropriate location on the visited Web site to authenticate himself. Financial institutions typically store the algorithms on central servers.
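As an added illustration, not taken from the article or from any vendor it names: the article does not say which algorithm the cards run, so this sketch assumes an event-based HOTP scheme (RFC 4226) in which each button press advances a counter on the card and the issuer's server holds the per-card secret. The names CardRecord, verify and look_ahead are hypothetical, and the secret is the RFC's published test key; the point is how the server tolerates extra button presses while still rejecting replayed codes.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CardRecord:
    """Server-side state for one card (hypothetical structure)."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret      # per-cardholder secret held by the issuer
        self.counter = counter    # next counter value the server will accept


def verify(record: CardRecord, submitted: str, look_ahead: int = 5) -> bool:
    """Accept a code from the expected counter or a few presses ahead.

    On success the stored counter moves past the matched value, so the
    same code, and any older code, is rejected afterwards.
    """
    for c in range(record.counter, record.counter + look_ahead + 1):
        expected = hotp(record.secret, c).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            record.counter = c + 1
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test key, not a real card secret.
    card = CardRecord(b"12345678901234567890")
    print(verify(card, "755224"))  # first press, accepted
    print(verify(card, "755224"))  # replay of the same code, rejected
    print(verify(card, "969429"))  # two presses were wasted, still in window
    print(verify(card, "359152"))  # older code after resync, rejected
```

A larger look_ahead forgives more accidental presses but widens the set of codes that will be accepted at any moment, so it is usually paired with attempt limiting.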
One-time passcode cards face significant challenges, however, not the least of which is the product’s high price, which has hampered demand. “The reason the market is what it is is because of the price barrier,” says Richard Nathan, president and CEO of Innovative Card Technologies Inc., which in October completed a financial restructuring that gave the U.S.-based company $1.2 million in capital to expand sales of its DisplayCard product.
Indeed, low volume has helped keep prices for the cards between US$10 and US$20, Gemalto’s Flynn says, declining to be more specific.
One of the pioneers in the field, Innovative has shipped at least 500,000 such cards, Nathan says, including to online-payment provider PayPal Inc., a unit of online auction site eBay Inc.
At least “one major bank in the U.S.” uses Gemalto’s Ezio Display Card, Flynn says, declining to name the institution.
Bank of America Corp. offers customers a SafePass card with a one-time, six-digit passcode generated in the upper-right corner when a button is pressed on the card. BofA also sends customers passwords via mobile-phone text messages as an alternative form of user authentication.
Putting more one-time passcode cards into consumers’ hands likely will require reducing the cost of the products. BofA, for instance, charges customers a one-time $19.99 fee for its SafePass cards. PayPal charges $5 for its one-time passcode card, though Nathan says PayPal pays twice as much.
“PayPal is subsidizing the card to get the security they need,” he says. PayPal declined to comment.
Costs Still High
Dennis Brestovansky, president and CEO of the U.S.-based Aveso Inc., which makes modules that power one-time passcode cards, says the company hopes to get the price of cards down toward $5 per unit. “We will be close to that” by late next year, he predicts.
Even with price reductions, however, demand could lag. Josh Peirez, group executive, innovative platforms, at MasterCard Worldwide, questions the convenience of the technology. “I’m not sure about the display reader on the card,” he says. “It really requires you to have a separate piece of plastic.”
Consumers might prefer technology that enables them to have “virtual” account numbers that exist only for specific transactions or for specific periods of time, or that enable the passcodes to be displayed on mobile phones instead of on additional cards, he adds. MasterCard earlier this year paid $100 million to acquire Orbiscom Inc., an Ireland-based software developer that holds a patent related to the issuance of virtual card numbers.
Meanwhile, Aveso sees promise for one-time passcode cards in South America and South Korea, Brestovansky says. Though Aveso so far has shipped a relatively small number of the modules, Brestovansky expects fraud laws in South America that generally hold consumers liable for more losses than do those in the United States, along with regulations mandating security for large online-banking transactions in South Korea, to spark demand.
One-time passcode cards can include chips or magnetic stripes, and consumers could use them to withdraw money from ATMs without damaging the technology, Brestovansky says.
Vendors such as Germany-based Giesecke & Devrient are buying the modules for their cards, he adds. Giesecke & Devrient declined to comment.
Demand appears more likely to come from the U.S. for the time being than from Europe, says Gemalto’s Flynn. The “jury’s out” on whether the technology will win over Europeans, he says.
“We are going to see the adoption of card [form] factors in the U.S. because it’s familiar and people like it,” Flynn says. “In Europe, you have familiarity with home [card] readers,” which attach to consumers’ personal computers to enable more-secure online-banking transactions via EMV chip cards and passcodes.
Gemalto in late 2009 gained a larger stake in the at-home reader market. The vendor, which already sold such readers, spent 20 million euros (US$29 million) for the banking business of Xiring, a France-based smart card reader company.
Cardholders can insert an EMV-enabled card into a Xiring reader to generate a one-time passcode to use to authenticate themselves when logging in to an online-banking site. In Europe, banks typically issue readers to online-banking customers.
One-time passcode cards are gaining in popularity, but even with price cuts and more online-banking and shopping activity, the technology still faces significant challenges from other forms of security.