The Fraud Blog with Tracy Kitten

A Step Closer to EMV

STAR Network Puts Weight Behind Chip & PIN

The good ol' magnetic stripe - it's served us well, but how much longer can it survive?

I've been blogging about outdated mag-stripe technology for a couple of months now. I admit I've been one-sided. I'm in favor of a U.S. move to chip & PIN.

So I've appreciated the responses I've received from our readership. Technology does exist that can improve mag-stripe security. One such example is MagTek's MagnePrint solution - a mag-stripe fingerprinting technology that basically requires transactions to read unique particle qualities in a mag-stripe, rather than the mag-stripe information itself, to authenticate a transaction.

But how worthwhile are investments in technology that secures mag-stripes, when eventually we in the United States will have to stop and see that we really must embrace a global payments standard?

That's a question being asked in circles that go far beyond the periphery of my blogs. And I'm glad to see it. Yesterday, I got the lowdown on some new debit-card technology being released by First Data Corp. for merchants and card issuers on the STAR Network. The new technology, called STAR CertiFlash, will bridge mag-stripe to chip & PIN, bringing the U.S. a step closer to EMV, otherwise known as the EuroPay, MasterCard, Visa standard.

Having First Data - a global leader in electronic payments and e-commerce - get behind the chip & PIN movement is impressive, and a sure sign of things to come.

"It will offer much higher security in the U.S. debit payment industry," says Julie Saville, vice president of the STAR Network. "With that chip, as our European friends and other parts of the world have learned, you can do a lot of different things, because the chip has the intelligence to improve security."

Over the next two to three months, STAR expects to pilot and test CertiFlash. The technology should hit the mass market in early 2011.

It's a contactless payment, something we've tried unsuccessfully in the United States before. Do MasterCard PayPass and Visa payWave ring any bells? But, as with most things, it's all about timing - and First Data says now the time is right.

CertiFlash is betting on the mobile movement. Participating CertiFlash institutions, Saville says, will likely identify and target heavy mobile banking users, issuing CertiFlash chip stickers to those users, who will then attach the stickers to their mobile phones. "It was designed to migrate payments, so your phone is used for the contactless transactions," she says.

The sticker, in theory, could be adhered to anything, really - a key fob, for instance. And some institutions may forgo the sticker altogether, instead opting to simply issue a chip card to cardholders identified as heavy users of the tap technology. The transaction requires the entry of a PIN, so it's not the tap-and-go method first introduced via PayPass and payWave, though First Data is marketing CertiFlash as a faster-than-mag-stripe transaction.

In addition to the PIN, other layers of security have been incorporated, taking advantage of that chip intelligence Saville mentions. The chip actually encrypts the cardholder's debit number when it communicates with the POS terminal via near-field communications (radio frequency identification). A one-time transaction number is created, so the cardholder's actual number is never part of the payment.

"If you have that one-time card number and it goes through the system and a hacker takes it during a merchant data breach," it's worthless, Saville says, because that number has already been used one time. But what if the one-time number is somehow skimmed before the transaction is conducted? Still a no-go, Saville says. "The one-time card number has to be verified with other information contained on the chip," she says. "And, of course, we do have the PIN. So without that, they can't do anything."

STAR CertiFlash is available for transactions that are less than $25. All transactions, regardless of the amount, are protected with a one-time card number and additional layers of security. Transactions that are more than $25, as well as those that contain cash back, also require the entry of a PIN.
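The checks described above (a one-time number that is worthless once used, verification against other chip data, and a PIN above the threshold) can be modelled as issuer-side logic. This is an added example, not First Data's or STAR's implementation: the post gives no algorithm, so the HMAC derivation, the per-chip counter, the cryptogram, the handling of exactly $25.00 and every name below are assumptions.

```python
import hashlib
import hmac

PIN_THRESHOLD_CENTS = 2500  # assumption: exactly $25.00 is treated as PIN-required

def _mac(key: bytes, *fields) -> bytes:
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def chip_present(key: bytes, counter: int, amount_cents: int):
    """Chip side (assumed scheme): one-time number plus a cryptogram over the transaction."""
    otn = f"{int.from_bytes(_mac(key, 'otn', counter)[:8], 'big') % 10**16:016d}"
    cryptogram = _mac(key, "txn", counter, amount_cents, otn).hex()
    return otn, cryptogram

class Issuer:
    def __init__(self):
        self.chips = {}  # chip_id -> [key, highest counter already accepted]
    def enroll(self, chip_id: str, key: bytes):
        self.chips[chip_id] = [key, 0]
    def authorize(self, chip_id, counter, otn, cryptogram, amount_cents,
                  cash_back=False, pin_verified=False) -> str:
        if chip_id not in self.chips:
            return "decline: unknown chip"
        key, last = self.chips[chip_id]
        if counter <= last:  # number seen before, e.g. replayed after a merchant breach
            return "decline: one-time number already used"
        exp_otn, exp_crypt = chip_present(key, counter, amount_cents)
        if not (hmac.compare_digest(otn, exp_otn)
                and hmac.compare_digest(cryptogram, exp_crypt)):
            return "decline: chip data mismatch"
        if (amount_cents >= PIN_THRESHOLD_CENTS or cash_back) and not pin_verified:
            return "decline: PIN required"
        self.chips[chip_id][1] = counter  # burn the number only on approval
        return "approve"

def demo():
    issuer = Issuer()
    key = b"constructed-demo-key"  # constructed sample value, not a real key
    issuer.enroll("chip-1", key)
    otn, crypt = chip_present(key, 1, 1200)
    first = issuer.authorize("chip-1", 1, otn, crypt, 1200)
    replay = issuer.authorize("chip-1", 1, otn, crypt, 1200)  # same data, second use
    otn2, _ = chip_present(key, 2, 1200)
    skimmed = issuer.authorize("chip-1", 2, otn2, "00" * 32, 1200)  # number without chip data
    otn3, crypt3 = chip_present(key, 3, 4000)
    no_pin = issuer.authorize("chip-1", 3, otn3, crypt3, 4000)
    with_pin = issuer.authorize("chip-1", 3, otn3, crypt3, 4000, pin_verified=True)
    return first, replay, skimmed, no_pin, with_pin
```

The PIN check is reduced to a boolean here; the value is not handled by this model.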

"On the merchant side, there's a lot of buzz about trying to get ready for chip & PIN," Saville says. "As they're integrating new technologies, we want them to know we are ready."

I don't know how much of an investment issuing these chip-based stickers will be for banks and credit unions. STAR is working that out on a case-by-case basis, I am sure. What's more interesting to me is the merchants. If the merchants get behind this effort, I have to assume the card issuers will, too.

At least I hope that's the case.



About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



