Transmission of magnetic stripe data has been done primarily by swiping a magnetic stripe card against a magnetic stripe reader (MSR) to enable payment, identification (ID), and access control functions. Mobile wallet applications on smartphones and tablets have had difficulty interacting with existing merchant point of sale (POS) devices or other devices with MSRs. Contactless reader enabled POS terminals (typically using, for example, an ISO-14443 standard) are not ubiquitous to accept contactless or near field communications (NFC) payments. It would be expensive and would take time to replace the millions of merchant POS devices (or door locks) that only accept magnetic stripe cards, just to interact with NFC phones or other transmission means like barcodes.
Additionally, financial payment cards contain a card number, called the Primary Account Number or PAN, whose purpose is to identify the account the payment is made against. Cards also carry an Expiry Date, which indicates when the card expires. Most cards also carry in the magnetic stripe data a cryptographically generated Card Validation Value (also known as a CVV1), which prevents a valid card to be created from its PAN and Expiry Date information. Typically, cards are replaced after about 2 to 3 years, as the magnetic stripe gets worn out and issuers do not want a card to be active indefinitely.
Today the PAN is used not only to identify the account, but also to authorize charges in Card-Not-Present (CNP) transactions (as opposed to Card-Present (CP) transactions in which the card is physically swiped at a POS terminal), the vast majority of these being Internet transactions, but also include telephone orders and mail orders. The simple knowledge of the PAN, an Expiry Date, and the name on the card is sufficient to charge CNP purchases against the account. A CVV-2, as known in the art, is a 3- or 4-digit value printed on the card or signature strip, but not encoded on the magnetic stripe, to verify that the customer has the card in his/her possession. While a large percentage of e-commerce sites also require a CVV-2 for transactions, many do not.
The PAN and Expiry Date are hard to keep secret: they are printed on the front of the card and are contained in the magnetic stripe data or chip data of the card. During the POS transaction the magnetic stripe or the chip is read by the terminal and its data (including the PAN, expiry date, and CVV2) is transmitted through the retailer's system to the acquirer and then to the card issuer. The PAN, and to a lesser extent the Expiry Date, are used for a number of functions by retailer systems and cannot be obscured.
The magnetic stripe or chip card data is the target of data theft, either in transit or when in memory. Being static, the magnetic stripe data is subject to interception and copying, and a number of attacks. Stolen data, from which the PAN and Expiry Date can be easily extracted, can be used in fraudulent CNP transactions. A physical card can be skimmed by reading the magnetic stripe data on the card, or putting a reading device proximate to retailer POS terminals to capture magnetic stripe track data including the PAN and Expiry Date and the name on the card. A sniffing device can also be used to pick up track data from contactless cards in purses and wallets of unsuspecting shoppers at a retail establishment. Malware in a retailers POS system can also be used to capture the card data in route to the payment processor. Such stolen data may contain the PAN and the Expiry Date, both in magnetic stripe and smart card (for example, an Europay, MasterCard and Visa (EMV) card) transactions and can be used for CNP fraud. Additionally, captured magnetic stripe data also includes the CVV1, while captured on-line card data can include the CVV2. The key weakness of both CVV1 and CVV2 is that they are static: once learned they can be used in fraudulent transactions.