Plastic card transactions come in two general forms: “card present” and “card-not-present” transactions. An example of a card present transaction is providing a credit or debit card to a merchant at a point of sale device while purchasing an item. Examples of card-not-present transactions are e-commerce web site, mail order, and telephone order transactions.
Plastic card fraud has become a significant issue not only in the United States but also worldwide. Fraud levels can be measured in the tens of billions of dollars each year or higher when the various stakeholders that are involved in the losses associated with fraudulent transactions measure their total costs. A merchant loses not only the revenue and profit related to a sale, but the product itself, and possibly higher transaction fees when fraud occurs frequently in its business. A merchant must also incur the costs associated with investigating certain types of fraudulent transactions. Credit card associations like the VISA® and MASTERCARD® associations cover some costs associated with fraud but the credit card issuers incur significantly more costs, including costs associated with refunding the amounts charged to a card holder account, investigating possible fraudulent transactions and issuing new plastic cards if a significant breach of security has been identified. When the total costs of fraud are measured among all the parties involved in financial transactions, the losses are staggering.
Plastic card fraud has also opened up a market for all sorts of fraud detection and educational services. Neural network software to detect and hopefully prevent a fraudulent transaction from occurring costs card issuers and their processors millions of dollars to operate. Educational seminars to teach card issuers, merchants, and card holders how to better safeguard the information that can be used to commit identity theft and plastic card fraud also cost card issuers millions of dollars. Existing security standards, like the Payment Card Industry (PCI) Data Security Standard, while being excellent network and system security practices, also require merchants to take extra measures to safeguard the information they possess, and these measures cost merchants millions of dollars to implement. An entire industry has been created to protect the static data used in today's plastic card transactions. All told, billions are spent and still fraud levels continue to increase. These increases are due not only to defective security but also to the fact that plastic card programs continue to utilize static data that, if obtained, can be used to commit plastic card fraud.
Over the years, the industry has continued to layer additional static data on credit, debit, and ATM transaction cards. PIN numbers and card security codes have been implemented to help address specific issues of security, but criminals continue to adapt their schemes to steal this information. Current plastic cards and payment processes rely heavily on static security codes. The Card Verification Value (CVV) code is a three-digit number contained on the magnetic stripe, and the Card Security Code (CSC) is a three- or four-digit number printed either on the front (American Express) or the back of a plastic card. The CSC is also referred to as the CVV2, CSC2, or CID code depending on the card association related to the issued plastic card. The CVV was meant to be a hidden value for authenticating that the card is valid during “card present” transactions. The CSC is a security code used for “card-not-present” transactions to prove the card is in the hands of the card holder.
The problem with these codes is that they are static. Thieves have found numerous ways to obtain the values and either create cloned plastic cards or use the information to make fraudulent online transactions. Millions of card numbers have been stolen as a result of card skimming and large scale data thefts have compromised hundreds of millions of credit card accounts. This information has also been obtained by Internet “phishing” and “pharming” attacks.
The plastic card industry has focused on preventing the use of the static code data rather than adopting a means of implementing some level of dynamic information into these transactions.
One Time Passwords (OTP) have been in use for access control applications for a number of years and provide a level of security by allowing dynamic data to be included in accessing physical and logical assets and by providing for multi-factor authentication.
An improved and more cost-effective solution for preventing plastic card fraud is desired. An improved and more cost-effective OTP card is also desired.