Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 June, 2011, 11:06 0 likes

@Stephen W: It's refreshing to read the full picture about EMV, especially the fact that it cannot mitigate CNP fraud, which reportedly constitutes 70% of all card fraud. While a smartcard reader for each customer could provide total protection against fraud, the savings achieved from such a solution needs to be carefully weighed against its additional cost and potential to shrink the target market (e.g. mobile shopping would become impractical; not many people would like to carry a cardreader around). Existing 2FA technologies like VbV/SecureCode could provide a viable alternative. Of course, they also introduce additional friction in the checkout process, thereby threatening loss of revenue from increased shopping cart abandonment. Unfortunately, there seems to be no magic bullet to solve this problem - yet!  

Nick Collin - Collin Consulting Ltd - London 06 June, 2011, 11:33 0 likes

A very simple EMV solution to CNP fraud is for cardholders to use the EMV cardreader they already use for secure online banking to generate a dynamic SecureCode/VbV for secure e-commerce. More and more banks around the world are already deploying such Remote Chip Authentication - effectively transforming CNP into card present.  Note that the one-time-password can also be used over the phone, and the only thing the cardholder needs to remember is their existing PIN.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 June, 2011, 12:07 0 likes

@Nick C: I've come across solutions that generate dynamic virtual card numbers that expire after a single e-commerce use e.g., NetSafe from HDFC Bank, India. However, the concept of a dynamic VbV password is interesting and news to me. I've looked all over the Visa / VbV website but could only spot references to static VbV password. Would appreciate public domain references that describe the concept of dynamic VbV passwords as also a list of banks whose Internet Banking cardreaders can be used to generate them.

Nick Collin - Collin Consulting Ltd - London 06 June, 2011, 14:28 0 likes

Hi Ketharamen - This is quite a new solution and I think MasterCard banks are leading the way, with CAP/SecureCode.  As far as I know, Nordea, and all the Belgian banks (KBC, Dexia, Fortis, ING ...) use this solution, as well as several in Eastern Europe and Turkey.  Technically, it's very straightforward - as an issuer you just treat the OTP as a SecureCode and authenticate in the same way as you would an online banking transaction.  Cardholder education and marketing is more challenging - you have to explain that the cardholder must use their EMV card and cardreader to generate the SecureCode when the SecureCode window pops up.  But I understand it's catching on as a really secure and cost-effective answer to CNP fraud.  If you email me on nick@ncollin.demon.co.uk I'll send you an article I wrote for banking Automation Bulletin on the subject.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 June, 2011, 15:42 0 likes

@Nick C: Thank you for the clarification that such a solution is led  by MasterCard/SecureCode. I was able to locate its launch press release dated 5 Nov 2008 on the Internet. CAP/SecureCode is surely a highly secure solution. However, going back to my original comment, for an issuer that does not already use cardreader (which is probably 100% of US banks), CAP/SecureCode introduces additional costs. As against this, technologies like (a) VbV/SecureCode with static password, and (b) NetSafe type of dynamic/OTP virtual card numbers, appear to provide adequately secure, yet far more cost-effective, e-commerce alternatives since they don't need cardreaders.

Many US etailers don't seem to have implemented even (a) several years after its launch by Visa/MasterCard, which seems to suggest that the cost and/or friction of deploying (a), (b) - let alone CAP/SecureCode - technologies outweigh CNP fraud losses. Which is anyway the same argument used in the US to keep EMV itself away.

Nick Collin - Collin Consulting Ltd - London 06 June, 2011, 16:04 0 likes

It's possible to make a very positive business case for CAP/SecureCode, not just in terms of less fraud, but also lower fraud prevention costs, lower password management costs, less call centre enquiries, most use of cost-effective remote channels etc.  The cost of the readers is about £5 or less now, and if you don't like them then we're just begining to see CAP/SecureCode on Display Cards.  As to US banks being any kind of model for the rest of the industry - well just look at the mess they've got themselves into by lagging behind on EMV chip!