Dynamic Passcode Authentication

Overview Guide

enables

Chip and PIN security

Dynamic passcode reader

Bank authentication service

Dynamic passcod

Visa cards are used in all payment environments: point-of-sale (POS), via the Internet, by mail or by telephone. No other payment mechanism offers such flexibility, ease of use and convenience. Visa cards are well suited to the Internet, offering consumers the same familiarity, convenience and trust they are used to when purchasing face-to-face. Usage of Visa cards via the Internet continues to grow at a higher rate than face-to-face sales. As additional levels of security are introduced via chip and PIN, fraudsters are focussing more closely on the card-not-present (CNP) environment. It is therefore essential that consumer confidence in this environment is not eroded. To this end, Visa is working closely with its member banks to understand the implications of introducing additional levels of security. One of these areas is dynamic passcode authentication.

provides
additional
security for:

de authentication

e-banking

e-commerce Card Not Present Environment

Telephone Order

What is dynamic passcode authentication?

Dynamic passcode authentication enables the added security that chip and PIN introduces, to be used in the CNP environment. It provides an additional layer of security that has been designed to guard against online fraud. Like chip and PIN in the face-to-face environment, dynamic passcode authentication enables a form of two-factor authentication. These two factors are: 1) Something the consumer has, a card 2) Something the consumer knows, a PIN For CNP transactions such as online banking and shopping, dynamic passcode authentication validates the cardholders identity and physical presence of their card through the combination of a Visa chip card and a corresponding pocketsized card reader provided by their issuer. Based on the chip and PIN cryptographic algorithms, these generate a unique numeric passcode that provides verifiable proof of the cardholder identity. With additional data entry the passcode can also serve as a digital signature for the transaction. The reader itself is not intelligent it simply enables a user interface to the authentication application contained in the chip on the card.

The one-time dynamic passcode is an alternative to static passwords commonly used today in online banking or when making purchases over the Internet. Because the one-time dynamic passcode is useless in subsequent transactions, dynamic passcode authentication extends protection against online fraudsters and phishing attacks. It also leverages Visa member banks investment in chip card technology and consumers familiarity with chip and PIN. Visa card issuers with smart card programmes could implement dynamic passcode authentication on their online banking sites and Verified by Visa authentication page to further enhance fraud protection.

Potential benefits
Cardholders: A tangible security device increases confidence in remote transactions Reduces the hassle associated with forgotten or stolen passwords Merchants: The baseline infrastructure for securing online purchases through Verified by Visa means that merchants could get full benefit from dynamic passcode authentication by simply participating in the Verified by Visa programme Potentially the same solution as that for e-commerce can be used for telephone order transactions Member banks: Provides a form of strong authentication in the CNP environment Helps counter spoofing and phishing attacks that target passwords Leverages chip card investment

How would a transaction using dynamic passcode authentication feel?

Dynamic passcode authentication enables cardholders to use the added security that their chip and PIN card offers, in conjunction with a pocket-sized reader, to create a one-time passcode each time they make a CNP transaction. The cardholder would insert their Visa card into a handheld reader and enter their PIN, thereby validating their identity. If the PIN was valid, the reader would respond by displaying a unique numeric passcode. The cardholder would enter this passcode when prompted by the online banking website or at the Verified by Visa authentication page in order to complete their transaction. Optionally, the cardholder could also be prompted to enter a challenge number that had previously been sent to them by their bank, providing an even stronger level of authentication. In either case, because the reader is completely offline and has no Internet connectivity itself, it is largely protected from compromise by hackers, thereby mitigating many of the risks associated with open networks.

Reduces costs associated with forgotten passwords for online banking Could simplify the enrolment process for Verified by Visa, since cardholders would not need to register a Verified by Visa password

Where are we?

Visa Europe has demonstration kits (for both e-commerce and telephone order) and a case study that are available for members. It can also supply the associated technical specification. Visa Europe is currently working with members to validate: Implications for merchants of using this technology across a number of CNP channels Cardholder impacts and usability across a number of CNP channels Member impact from use across a number of CNP channels Receptiveness of different markets to use dynamic passcode authentication across the payment card arena, as opposed to the online banking/current account environment

the specifications. This approach would offer the greatest economies of scale, an important consideration if moving to mass issuance. Visa can provide the requisite specifications and card personalisation parameters for enabling a Visa card to interact with standard readers. Visa can also provide a list of vendors who provide suitable readers. This information is available to Visa member banks upon request.

Future roadmap
The initial issuer motivation for implementing dynamic passcode authentication is most likely to be as a way to secure their current account environment from phishing and related fraud. Since it is the Visa debit product that it typically associated with current accounts, Visa debit cardholders are likely to be the first to receive dynamic passcode authentication enabled cards and associated readers. Verified by Visa transactions for increased security in the e-commerce environment would be facilitated by the fact that the underlying infrastructure has been designed to accommodate dynamic passcode authentication. Therefore, issuers are also likely to extend dynamic passcode authentication to Visa credit cards as well. In the future and using Verified by Visa as the platform, it could be possible to utilise dynamic passcode authentication in the telephone order environment. Ultimately dynamic passcode authentication may provide the consumer with a single unified payment experience. Regardless of whether they are paying in the face-to-face or CNP environments they will know that they are protected by chip and PIN technology.

What are the member implementation options

Implementing dynamic passcode authentication is entirely an issuer decision, although in a number of markets we expect issuers will collaborate at a domestic level to agree on a national roll-out thereby potentially reducing costs and encouraging consumer adoption. Once a decision is made, implementation is a relatively simple process, as the core EMV chip infrastructure is already in place. The essential requirement is personalisation of the authentication application in the card to match the banks back-end authentication service although it is technically possible to utilise existing cards in the market. Standardised card readers are available that will work with all cards meeting

Next steps
Visa can provide active support to members seeking to further understand or to rollout a dynamic passcode authentication service. For further information, please contact: Dipak Chotai Tel: +44 (0)20 7795 5039 Email: chotaid@visa.com John Griffiths Tel: +44 (0)20 7795 5281 Email: griffitj@visa.com

Visa Europe 2006 XXXX-XXXX-X-XX-XX