Visa Dynamic Passcode Authentication

Dynamic Passcode Authentication Overview Guide


[Graphic labels: Chip and PIN security; Dynamic passcode reader; Bank authentication service]

Visa cards are used in all payment environments: point-of-sale (POS), via the Internet, by mail or by telephone. No other payment mechanism offers such flexibility, ease of use and convenience.

Visa cards are well suited to the Internet, offering consumers the same familiarity, convenience and trust they are used to when purchasing face-to-face. Usage of Visa cards via the Internet continues to grow at a higher rate than face-to-face sales. As additional levels of security are introduced via chip and PIN, fraudsters are focussing more closely on the card-not-present (CNP) environment. It is therefore essential that consumer confidence in this environment is not eroded. To this end, Visa is working closely with its member banks to understand the implications of introducing additional levels of security. One of these areas is dynamic passcode authentication.


[Graphic labels: provides additional security for e-banking, e-commerce and telephone order in the card-not-present environment]

What is dynamic passcode authentication?

Dynamic passcode authentication enables the added security that chip and PIN introduces, to be used in the CNP environment. It provides an additional layer of security that has been designed to guard against online fraud. Like chip and PIN in the face-to-face environment, dynamic passcode authentication enables a form of two-factor authentication. These two factors are:

1) Something the consumer has, ‘a card’

2) Something the consumer knows, ‘a PIN’

For CNP transactions such as online banking and shopping, dynamic passcode authentication validates the cardholder’s identity and physical presence of their card through the combination of a Visa chip card and a corresponding pocket-sized card reader provided by their issuer. Based on the chip and PIN cryptographic algorithms, these generate a unique numeric passcode that provides verifiable proof of the cardholder identity. With additional data entry the passcode can also serve as a digital signature for the transaction.

The reader itself is not ‘intelligent’ – it simply enables a user interface to the authentication application contained in the chip on the card.

How would a transaction using dynamic passcode authentication feel?

Dynamic passcode authentication enables cardholders to use the added security that their chip and PIN card offers, in conjunction with a pocket-sized reader, to create a one-time passcode each time they make a CNP transaction. The cardholder would insert their Visa card into a handheld reader and enter their PIN, thereby validating their identity. If the PIN was valid, the reader would respond by displaying a unique numeric passcode. The cardholder would enter this passcode when prompted by the online banking website or at the Verified by Visa authentication page in order to complete their transaction.

Optionally, the cardholder could also be prompted to enter a challenge number that had previously been sent to them by their bank, providing an even stronger level of authentication. In either case, because the reader is completely offline and has no Internet connectivity itself, it is largely protected from compromise by hackers, thereby mitigating many of the risks associated with open networks.

The one-time dynamic passcode is an alternative to static passwords commonly used today in online banking or when making purchases over the Internet. Because the one-time dynamic passcode is useless in subsequent transactions, dynamic passcode authentication extends protection against online fraudsters and phishing attacks. It also leverages Visa member banks’ investment in chip card technology and consumers’ familiarity with chip and PIN.

Visa card issuers with smart card programmes could implement dynamic passcode authentication on their online banking sites and Verified by Visa authentication page to further enhance fraud protection.

Potential benefits

Cardholders:

• A tangible security device increases confidence in remote transactions

• Reduces the hassle associated with forgotten or stolen passwords

Merchants:

• The baseline infrastructure for securing online purchases through Verified by Visa means that merchants could get full benefit from dynamic passcode authentication by simply participating in the Verified by Visa programme

• Potentially the same solution as that for e-commerce can be used for telephone order transactions

Member banks:

• Provides a form of strong authentication in the CNP environment

• Helps counter spoofing and phishing attacks that target passwords

• Leverages chip card investment

• Reduces costs associated with forgotten passwords for online banking

• Could simplify the enrolment process for Verified by Visa, since cardholders would not need to register a Verified by Visa password


Where are we?

Visa Europe has demonstration kits (for both e-commerce and telephone order) and a case study that are available for members. It can also supply the associated technical specification.

Visa Europe is currently working with members to validate:

• Implications for merchants of using this technology across a number of CNP channels

• Cardholder impacts and usability across a number of CNP channels

• Member impact from use across a number of CNP channels

• Receptiveness of different markets to use dynamic passcode authentication across the payment card arena, as opposed to the online banking/current account environment

What are the member implementation options?

Implementing dynamic passcode authentication is entirely an issuer decision, although in a number of markets we expect issuers will collaborate at a domestic level to agree on a national roll-out, thereby potentially reducing costs and encouraging consumer adoption. Once a decision is made, implementation is a relatively simple process, as the core EMV chip infrastructure is already in place.

The essential requirement is personalisation of the authentication application in the card to match the bank’s back-end authentication service – although it is technically possible to utilise existing cards in the market. Standardised card readers are available that will work with all cards meeting the specifications. This approach would offer the greatest economies of scale, an important consideration if moving to mass issuance. Visa can provide the requisite specifications and card personalisation parameters for enabling a Visa card to interact with standard readers. Visa can also provide a list of vendors who provide suitable readers. This information is available to Visa member banks upon request.

Future roadmap

The initial issuer motivation for implementing dynamic passcode authentication is most likely to be as a way to secure their current account environment from phishing and related fraud. Since it is the Visa debit product that is typically associated with current accounts, Visa debit cardholders are likely to be the first to receive dynamic passcode authentication enabled cards and associated readers.

Verified by Visa transactions for increased security in the e-commerce environment would be facilitated by the fact that the underlying infrastructure has been designed to accommodate dynamic passcode authentication. Therefore, issuers are also likely to extend dynamic passcode authentication to Visa credit cards.

In the future, using Verified by Visa as the platform, it could be possible to utilise dynamic passcode authentication in the telephone order environment.

Ultimately, dynamic passcode authentication may provide the consumer with a single unified payment experience. Regardless of whether they are paying in the face-to-face or CNP environments, they will know that they are protected by chip and PIN technology.

Next steps

Visa can provide active support to members seeking to further understand or to roll out a dynamic passcode authentication service. For further information, please contact:

Dipak Chotai
Tel: +44 (0)20 7795 5039
Email: [email protected]

John Griffiths
Tel: +44 (0)20 7795 5281
Email: [email protected]

© Visa Europe 2006
