The appearance of connected smartcard readers on the UK market is very interesting. Are they being aimed at Chip and PIN usage online?
To date, AFAIK the only online Chip and PIN applications have used un-connected smartcard readers, to generate OTPs for Internet banking. But the connected reader is hugely more powerful, for it allows digital signatures.
To date I reckon thinking about digital signatures has tended to be a bit wooden, being overly preoccupied with "non repudiation". But that's not the be all and end all. A digital signature is actually more complex than a handwritten 'legal' autograph; it allows all sorts of digital attributes to be baked into online transactions -- like credit card numbers, scheme membership, account numbers, qualifications, government IDs, whatever is relevant to a transaction, even personal properties like age or nationality as might be notarised by a trusted third party.
And thanks to PKI, digital signatures plus attributes can be processed in 'open' settings (and even offline!). In contrast, OTPs and all conventional two factor authenticators only work in closed 'hub and spoke' environments.
So, for instance, an OTP generated by a Chip and PIN card and an un-connected reader is good for accessing my Internet bank account, but it cannot be recognised by anyone else, notably web merchants. However, my smartcard in a connected reader can allow me to send a notarised (digitally signed) copy of my credit card details to any merchant, to stop CNP fraud.
In effect, a connected smartcard reader together with PKI could help make Card Not Present transactions over the Internet look much more like Card Present.
Cheers,
Stephen Wilson.
01 May 2008 07:51
I do believe the best hope for a solution to ID theft (including CNP fraud) is through safeguarding personal details in chips, be they EMV cards, SIMs, other smartcards, perhaps TPM chips. [There are huge latent benefits to be had in applying government ID cards to secreting and notarising personal identifiers, protecting citizens from cyber crime, which would go a long way to redress community angst that ID cards don't really deliver much good to the individual.]
But the most practical way forward, short term, would be for EMV card issuers to use their chips to secrete and notarise customer details for use online. Compared with using cards in unconnected readers to generate OTPs, this is a far more powerful and scalable way to leverage EMV cards into the online world. It could shore up 3D Secure (by hardening the personal details) or offer an alternative to 3D Secure, by sending notarised cardholder details direct from chip to merchant server.
How to "sell it"? EMV cards could be "Specially Personalised" [marketing speak!] for secure online payments, perhaps for a small fee levied annually against the cardholder. Merchant sites could accept smartcard-notarised payments with very simple updates to their commerce servers. For a bank to go ahead on its own with this, it might have to work with select merchants, through the acquiring side of its business, to have them preferentially accept such specially personalised cards (as opposed to regular CNP) for web transactions. Payment gateways could be important players; in many jurisdictions they act as systems integrators for merchant commerce servers, so they could make the necessary web site updates.
Merchants, issuers and customers alike would all enjoy reduced exposure to fraud. Ideally that sort of proposition should 'sell itself' ;-)
01 May 2008 01:55
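The flow both comments describe, issuer-notarised card details sent from chip to merchant and checked through PKI, sketched as an added example that is not part of the original comments. Ed25519, the attribute and order strings, and every type and function name here are assumptions made for illustration, not an EMV data format.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Notarised is a constructed stand-in for issuer-notarised card details.
type Notarised struct {
	Attrs     string            // cardholder details the issuer vouches for
	CardKey   ed25519.PublicKey // public half of the key held in the chip
	IssuerSig []byte            // issuer signature over Attrs || CardKey
}

// notarise is what the issuer does once, at card personalisation.
func notarise(issuer ed25519.PrivateKey, attrs string, card ed25519.PublicKey) Notarised {
	return Notarised{attrs, card, ed25519.Sign(issuer, append([]byte(attrs), card...))}
}

// merchantVerify needs only the issuer's public key: no shared secret and
// no call back to the bank, so any merchant can run it.
func merchantVerify(issuerPub ed25519.PublicKey, n Notarised, order string, cardSig []byte) bool {
	if len(n.CardKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key
	}
	signed := append([]byte(n.Attrs), n.CardKey...)
	return ed25519.Verify(issuerPub, signed, n.IssuerSig) && // details are the issuer's
		ed25519.Verify(n.CardKey, []byte(order), cardSig) // chip approved this order
}

// demo returns the merchant's verdict on: a genuine payment, the same
// payment with altered card details, and the same signature on another order.
func demo() (genuine, alteredDetails, alteredOrder bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil)
	cardPub, cardPriv, _ := ed25519.GenerateKey(nil)
	n := notarise(issuerPriv, "pan=4000000000000002;scheme=EXAMPLE", cardPub) // constructed data
	order := "merchant=shop.example;amount=19.99GBP;nonce=7f3a"
	sig := ed25519.Sign(cardPriv, []byte(order)) // done inside the chip
	forged := n
	forged.Attrs = "pan=4000000000000010;scheme=EXAMPLE"
	return merchantVerify(issuerPub, n, order, sig),
		merchantVerify(issuerPub, forged, order, sig),
		merchantVerify(issuerPub, n, "merchant=other.example;amount=999.00GBP;nonce=7f3a", sig)
}

func main() { fmt.Println(demo()) }
```

A merchant would also need to reject reused nonces, since a valid signature over an old order verifies again unchanged.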