Transaction cards, and in particular commercial credit cards, have been in use in commerce for over 50 years. Transactions cards are a very popular mean in order to identify a person or an account holder. Transaction cards are used for a variety of applications from financial transactions and registering presence to library cards. Financial transactions in the form of credit cards are probably one of the most popular uses of transactions cards today. These financial transactions include debit and credit card (which will be both referenced herein as “credit cards”), which are typically used for retail purchases, online purchases and cash retrieval at Automatic Teller Machines (ATM's).
Financial transactions via credit cards are very popular since they offer several advantages for both users and merchants. Users do not need to carry large amounts of cash on them in order to purchase goods or services. In addition, some cards offer the user, the possibility of deferring some or all of the payments for the goods or services purchased thus offering accessible (though not always cheap) credit services.
Credit cards offer several advantages to merchants, for example, not holding or accumulating large amounts of cash in the business (cash that can be lost, stolen, robbed and that needs secured delivery for deposit), guarantee of payments by the card issuer as opposed to personal checks that may not be approved or honored. In addition, credit cards are an excellent tool to accept payment remotely from a user either on the Internet, via fax, mail or over the telephone.
As credit cards become such a popular tool for payment, fighting credit card fraud has become a major issue for financial institutions and merchants. Credit card fraud can be categorized into two main types of fraud: one where a genuine card is stolen or lost and arrives to the hands of an unauthorized user; the other type being when the information regarding a credit card arrives to an unauthorized user which uses this data to purchases goods or services online or alternatively manages to create a duplicate credit card which is then used in retail and/or for cash retrieval.
Credit card identification and authentication is achieved in retail in one of three ways:
1. Retail offline transaction (embossment)—the oldest way for reading credit cards is to “iron” the card over a credit card slip that uses a technology such as carbon paper in order to mark the credit card number present on the credit card as an embossment into the slip. The merchant then writes by hand the amount, transaction type and date, and the user authenticates the transaction by a signature. The merchant does not know if the credit card is valid. The merchant can validate whether the signature is substantially identical to the signature on the card and can authenticate the user name on the credit card with a picture identification that the user presents. Most importantly, the merchant does not receive any confirmation from the credit card company that the transaction is authorized, unless the merchant calls the credit company giving them all the details over the telephone.
2. Retail connected transaction (magnetic stripe)—most businesses today have a system that reads the card details present in the magnetic stripe of the card. The card details together with the requested transaction are then communicated to the clearing center (via a telephone line, data line or similar communication methods) which authorizes or denies the transaction. Once a transaction is authorized, the user signs the transaction slip and the merchant is guaranteed to receive payment by the card issuer for the goods or services provided.
3. Retail connected transaction with additional user identification using a Personal Identification Number (PIN code)—more and more credit cards now also include a microprocessor and dedicated memory (aka “Smart Cards”). The user is supplied with a PIN code that needs to be entered on location in order to confirm a transaction. Only after the PIN code is correctly entered, the card and transaction details are communicated to the clearing center to receive authorization for the transaction.
It is important to notice that today (2009) commercial credit cards issuers such as Visa™ and MasterCard™ still accept transactions via magnetic stripe reading and also number reading via embossment, since a credit card needs to be available for purchase worldwide. A Smart Card holder may travel to a remote location where the merchant may only have an embossment reader, so all Smart Cards today also include an embossment of the number for backwards compatibility.
Credit cards arrive to fraudulent hands via several ways: a genuine card may be stolen or lost, or the data of a credit card may be fraudulently obtained and used to create a duplicate credit card. In the first scenario of a lost or stolen credit card the owner informs the card issuer who then proceeds to block transactions with the card. In the case of a duplicate card, the card owner will only alert the card issuer after he notices purchases that have been made and that he recognizes as not being made by him.
A stolen or lost Smart Card cannot be used in retail since the fraudulent user does not know the PIN code necessary for confirming purchases or retrieving cash from an ATM. A stolen or lost Smart Card can nevertheless be used with retailers who only support magnetic stripe reading or number embossment reading transactions.
More and more credit card transactions are performed nowadays remotely either over the Internet, telephone, fax or mail. These types of transactions are known as “card not present (CNP) transaction” wherein the merchant does not physically see the actual credit card being charged. The PIN code of the Smart Card is not used or requested in these remote transactions.
In order to improve the security of in-person and remote transactions two additional 3 or 4 digit numbers are typically printed on the back a credit card. The first code is known as Card Verification Code 1 (CVC1) or Card Verification Value 1 (CVV1) and is intended for transactions in person and is encoded on the magnetic stripe. In contrary, the second security code known as Card Security Code (CSC) is not encoded on the magnetic stripe and is used for remote transactions such as over the telephone, Internet, by mail or by fax. The CSC is also known as Card Verification Value (CVV or CV2), Card Verification Value Code (CVVC), Card Verification Code (CVC), Verification Code (V-Code or V Code), or Card Code Verification (CCV). Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
There is thus an ongoing need, with great financial implications, to provide credit cards that include improved security features for both retail and remote transactions.