It is not always easy to explain the advantages of using smart cards for payment security, because most people lack knowledge about the security of payment with a card. So, here is some information about it, and in particular about the codes used to authenticate a valid payment card.
Every card is identified by a card number, an expiration date, and a cardholder name. Naturally, there is more to it, and the interesting thing is that this “more” depends on the card you have and the way you use it. Let’s consider three examples of payment in the US:
- In a standard store. In such an interaction, your card is present. You swipe it, and provide a signature if required. In that case, the security code is encoded in your card’s magstripe. This code is often called CVC1 in jargon (Card Verification Code 1).
- On Internet. In such an interaction, the merchant can’t see your card: this is a card-not-present transaction. Therefore, you need to provide the code. Here, it is the 3- or 4-digit code that is printed somewhere on your card. This code is different from the one on the magstripe, and it is called CVC2 in jargon.
- In a store with contactless payment. In that case, instead of swiping your card, you tap it. When you do that, the card generates a Dynamic CVC, based on a secret it contains and on a random number provided by the terminal. In that case, a different code is generated on each transaction.
On every transaction, there is a code, but this code depends on the transaction type. The two first ones are easy to steal from you: The CVC2 is printed on your card, and the CVC1 can be read in 2 seconds with a $5 skimmer. Naturally, in that case, this security measure is only a small part of risk management, and there is more. For instance, since merchants have the best opportunity to steal these codes from you, banks are very good at detecting that fraudulent transactions come after a transaction at a given merchant.
With a contactless card, the code is generated dynamically for each transaction. This means that, even if someone intercepts your communication (which remains rather easy, since it happens over-the-air), the code that they intercept can only be used for this particular transaction, an not for a new one. Basically, it is useless.
In the US, mobile NFC payment uses the same technology as other contactless payments, which makes it rather secure. In addition, it is not possible to turn off a contactless card, whereas a mobile phone’s card emulation mode is usually only active when the phone’s screen is on (i.e., when you actively use it).
Outside the US, things are even better, because card transactions use a more sophisticated cryptographic protocols, which include an authentication of the cardholder (the (in)famous PIN). This is actually quite efficient, and fraud statistics in France show that most fraud is based on magstripe and Internet sales.
Finally, one last authentication method. Chip-based payment cards can also be used to secure Internet transactions. Some companies like Vasco sell small card readers that generate authentication codes dynamically, allowing these codes to be used to secure a single Internet transaction. This brings the security of in-person EMV payment to Internet payments.
Naturally, like usually in security, this is all a question of trade-offs. It is only worth investing in such technologies if the fraud is high enough. Card companies seem to believe that something is needed in the US now, since chip-based credentials will be required by 2015 in the US.