As methods and devices for engaging in financial transactions have increased, old problems such as fraud and counterfeiting persist.
One of the primary sources of fraud prevalent in the credit card industry is skimming. Skimming refers to the electronic copying of a card's magnetic stripe data to create counterfeit cards.
Skimming is a problem for contactless cards and cards with magnetic stripes. However, in a wireless environment, the opportunity to skim magnetic stripe data is more prevalent. In a wireless environment, a potential skimmer need not physically possess the card to be skimmed nor have access to any of the physical equipment (e.g., the POS terminal, communication lines, etc.) that is required for skimming in a wire-based environment. A skimmer can, without the knowledge of the consumer or merchant, intercept the wireless transaction and copy the data being transmitted from the card to the POS terminal.
To address the above problems, a dynamic card verification value (dCVV) can be used. The dCVV can be generated using an algorithm which uses at least a counter and input data such as an account number, expiration date, and other information. The counter can increase by one each time a transaction is conducted. The dCVV can be independently generated by either a phone or POS terminal at the front end of a transaction and can be sent to a back end computer. The counter may be sent from the merchant to the back end computer so that it knows the current counter value associated with the phone. In other cases, the counter may simply be present at the back end computer. In the latter case, the counter increments every time the back end computer sees a transaction. The back end computer can then independently generate a second dCVV from the counter value and the input data, using an algorithm similar to the one that generated the dCVV at the front end. If the received dCVV and the generated dCVV match, the transaction can be considered authentic. If the dCVVs do not match, this may indicate that the transaction is fraudulent.
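The front-end and back-end check described above, as an added example that is not part of the original text. HMAC-SHA256, the field layout, the 3-digit length, the `BackEnd` class, and the rule that a counter which does not advance is rejected are assumptions for illustration; the key and card data are constructed.

```python
import hashlib
import hmac

def generate_dcvv(key: bytes, pan: str, expiry: str, counter: int, digits: int = 3) -> str:
    """Derive a short decimal value from static card data plus the counter.
    HMAC-SHA256 is an assumption; the page does not name the algorithm."""
    msg = f"{pan}|{expiry}|{counter}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

class BackEnd:
    """Back end computer: regenerates the dCVV and compares it to the received one."""

    def __init__(self):
        self.accounts = {}  # pan -> [key, expiry, highest counter accepted]

    def enroll(self, pan: str, key: bytes, expiry: str) -> None:
        self.accounts[pan] = [key, expiry, 0]

    def verify(self, pan: str, counter: int, dcvv: str) -> bool:
        key, expiry, last = self.accounts[pan]
        if counter <= last:
            return False  # assumed policy: a counter that does not advance is a replay
        expected = generate_dcvv(key, pan, expiry, counter)
        if not hmac.compare_digest(expected, dcvv):
            return False  # mismatch: may indicate a fraudulent transaction
        self.accounts[pan][2] = counter
        return True

def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    pan, expiry = "4000001234567899", "2912"                  # constructed card data
    backend = BackEnd()
    backend.enroll(pan, key, expiry)

    first = generate_dcvv(key, pan, expiry, 1)        # front end, transaction 1
    genuine = backend.verify(pan, 1, first)
    replayed = backend.verify(pan, 1, first)          # same counter and dCVV resubmitted
    right = generate_dcvv(key, pan, expiry, 2)
    wrong = str((int(right) + 1) % 1000).zfill(3)     # any value other than the right one
    mismatch = backend.verify(pan, 2, wrong)
    next_genuine = backend.verify(pan, 2, right)      # failed attempt did not consume counter 2
    return {"genuine": genuine, "replayed": replayed,
            "mismatch": mismatch, "next_genuine": next_genuine}

if __name__ == "__main__":
    print(demo())
```

Only the per-account key is secret in this sketch; the counter travels with the transaction in the clear, as in the process described above.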
Although the above-described dCVV process is useful, improvements can be made. For example, in the dCVV process that is described above, a counter is used as a dynamic data element and generally passes unencrypted from the front end of a transaction to the back end of the transaction. Because the counter is in the open, it may still be possible for someone to intercept the counter and potentially figure out the dCVV (although it would be very difficult to do). Also, the counter itself is a rather simplistic dynamic data element that an unauthorized person could potentially determine. It would be desirable to provide a verification value generation process that is even stronger than the dCVV method that is described above.
The above-described problems can also be present when phones are used in transactions.
Embodiments of the disclosure address the above problems, and other problems, individually and collectively.