Lockstep applies PKI to EMV smartcards to tackle card-not-present fraud

Card-not-present fraud incidents are growing, and this is an area of fraud that many companies are trying to address. While EMV smartcards are commonly deployed with unconnected readers to generate one-time passwords, Lockstep's Stepwise is the first to fully exploit public key cryptography in chip devices. Thanks to its modifications to the traditional digital signature approach, and its use of a connected card reader, it is inherently resistant to man-in-the-middle attacks.

Stepwise encapsulates customer reference numbers, identifiers, biometrics or any other personal ID, and seals them cryptographically into a chip. It can be a smartcard or a SIM, or it can be a dedicated USB key. Each identifier is isolated, stripped of all extraneous personal detail and linkages, and placed under the sole control of its owner. Stepwise ensures that when any identifier is presented online, the receiver knows that it’s legitimate, it came from a genuine security device, and that it was used with consent.

Stepwise involves a standard digital certificate, issued to a chip held by the user and signed by a business with whom the user has a trusted relationship, such as a bank, a health body, a licensing authority or a government agency. The Stepwise certificate declares that someone with a certain identifier is associated with a public key carried on a particular chip device, without revealing who that someone is. The individual remains anonymous to all third parties, unless and until they present their chip.

When a transaction is digitally signed using a Stepwise certificate, the transaction data is indelibly bound to the Stepwise encapsulated identifier but contains no other identifying information.

Lockstep currently has customers evaluating Stepwise as a standalone deployment for merchant shopping carts, whereby it displaces the collection of data such as full name, billing address and CVV2, produces a fast and easy user experience, and is technically simpler for merchants to integrate because it requires no authentication server. It is also being evaluated as a technology to integrate with MasterCard 3D Secure.

Finextra verdict: By finding a new application for digital certificates in an e-commerce and financial services context, Lockstep's approach will likely appeal to retailers and processors alike, who are under constant pressure to maintain the security of the data they hold about customers. If they no longer have to retain such volumes of data, they will save significant effort and resources currently expended trying to keep it secure.

Comments: (2)

Nick Collin - Collin Consulting Ltd - London, 18 June 2009, 10:57

While I applaud the principles of Lockstep's approach, I don't understand the need to introduce another PKI when there is already one embedded within the EMV chip, and used by Remote Chip Authentication with handheld readers. Surely this is a much more practical approach, or am I missing something?

Stephen Wilson - Lockstep Consulting - Sydney, 03 August 2009, 00:01

Nick, the advantages of Stepwise over CAP include (1) it's faster to process at the merchant server, with no need for a third party authentication server, (2) it's far easier to use because there's less data entry and no re-keying from the CAP reader to the browser, and (3) it's more powerful and flexible because we create real signatures over the transactions. The incremental cost of the 'extra PKI' is very small; if the Stepwise certificates chain via the issuing bank to a recognised Root CA, then the PKI is actually already in place; all we need to do is personalise the EMV DDA cards with an extra Stepwise key and certificate. CAP is a clever stop-gap solution, and it was strategically important because it showed how EMV cards could be used online, but the best long term solution is genuine transaction signing using integrated card readers, so e-shopping becomes as natural and secure as regular POS.
