Prime Factors Blog

EMV Basics: How Do We EMV CNP (Card-Not-Present)?

Posted by Jeff Cherrington on Oct 11, 2014 8:00:00 PM

In one of my recent posts, I promised to answer another question raised to the speaker panel of the recent IT GRC Forum webinar “Why EMV is Not the Only Answer to Payment Security”, as part of a series where we will speak to all the questions raised. The question this post means to address is “What other specific solutions exist besides 3-D secure for Internet transactions?” While additional technologies and techniques continue to emerge, the top three current schemes for mitigating card-not-present (CNP) fraud appear to be:

  • The familiar use of CVV/CVC and like values (printed on the back of MasterCard and Visa plastics, and the front of Amex cards)
  • Visa’s 3-D and its implementations by the other card plan under different labels
  • A relatively new scheme developed by MasterCard, called CAP, adopted by Visa as DPA, and most certainly being considered by others

The latter actually leverages the EMV infrastructure to reduce online transaction fraud -- it actually does apply EMV to CNP, as explained below.

(For those who did not attend the webinar, the general context of the question is the US EMV liability shift of point-of-sale counterfeit card fraud responsibility from EMV card issuers to merchants.  The impact of EMV is having, and will have on, counterfeit card fraud is recapped in this prior post.  Click here for a complete course of free EMV basics and advanced educational webinars, available free for on-demand replay.)

This has already been proven in many other countries, as the US has been very slow to adopt the technology. Over 80 countries have migrated to the EMV standard, with card adoption rates higher than 81% and POS device rates at 99% in Western Europe, while card adoption rates are still in single digits in the US. In the UK, counterfeit card fraud dropped from nearly 40% of all card fraud in 2001 to less than 10% in 2012 after the EMV Liability Shift in 2005, with a proportional reduction on lost/stolen card fraud. Similar studies in Australia, Canada, and France show similar outcomes.

How EMV address card-not-present fraud

However, it’s fair to observe that EMV only addresses a symptom and not the underlying appetite for illegally defrauding card issuers. Criminals will still look to steal, and will direct their sight to the next likely target. EMV adoption, like any new security technology, pushes in one side of a balloon, metaphorically speaking, meaning that another side will necessarily push out. If criminals cannot defraud using counterfeit cards to get what they want, they will shift focus to the next easiest approach to defraud the issuers, card-not-present (CNP) transactions. This is borne out by the same studies noted in the prior paragraph, where steep increases in CNP fraud correlated with the migration to EMV cards. EMV technology alone does not address the risk of fraudulent transactions that are submitted without interacting with the integrated chip, including phone order and, particularly, online transactions. Unless the chip is used to generate the transaction’s unique cryptogram, EMV plays no role in the process – hence, the question “What other specific solutions exist besides 3-D secure for Internet transactions?”

For those unfamiliar, 3-D Secure is a Visa developed protocol that adds an authentication step during online transactions. In simplest terms, it requires a cardholder attempting an online transaction to enter a password into a second form when prompted, after entering and submitting the card number and other details for the transaction as normal. The password is validated by the card issuer implementing, for all practical purposes, a two-factor authentication of the cardholder, requiring something they have (the credit card number and the CVV code on the back) and something only they know (the password). This protocol is used by several payment card networks (with some variations in the implementation details), under several brands:

  • Visa: Verified by Visa
  • MasterCard: SecureCode
  • JCB: J/Secure
  • American Express: SafeKey

There are criticisms of the scheme that stem from the generalized weaknesses inherent in any system that allows password reset without face-to-face interaction, and other issues. [While these criticisms are valid, the 3-D authentication scheme still provides more protections than doing nothing at all, I note.] Fortunately, there are alternative schemes emerging that may complement or supplant 3-D that leverage existing EMV card architecture and bring many of the same virtues to on-line transactions that EMV provides to point-of-sale transactions. One particular scheme is developed by MasterCard, labeled CAP (for Chip Authentication Program), and adopted by Visa as DPA (for Dynamic Passcode Authentication).

Both CAP and DPA rely on a free standing or PC attached device with a smartcard slot, a key pad, and a display that can show at least 12 characters. Cardholders would be required to insert their EMV compliant cards into the device, read the string of characters on the display generated by the chip on the card, and then enter that string of characters with the other details for the online purchase. This has a similar user experience, in some respects, to the experience many of us have had when using the RSA SecurID tokens displayed on key fobs for logging into VPN or other network assets.

While feasible, CAP/DPA have the obvious impediment that consumers are required to obtain and use another device when making their online transactions. This can only add expense for the consumers, the card issuing banks, or both, and almost certainly will be met with resistance by consumers. Banks may have to provide the devices to their customers at little or no cost to foster adoption, at least in the beginning. Plus, banks will certainly incur even more costs as introduction increases calls to their support desks and turnover of their customer base.

Those early stage adoption woes aside, I predict that, unless a more compelling approach emerges, this card reader & cryptographic “password” generation capability will come to be a standard part of PCs. Take a look at your laptop, if you use one – very likely it already has a smart card reader slot that can be used to authenticate to the operating system. You see this used frequently in Federal facilities where staff are required to use their CAC or PIV cards to access systems.

Those are the leading horses in the CNP fraud mitigation race we see – what did we miss? Please submit your observations in the Comments section below.

To learn more about EMV basics, the US liability shift date, and other advanced EMV topics, click on the image below to register for Prime Factors' series of free on-demand replay educational webinars.

Click here for EMV-compliant card issuance educational webinars