Credit and debit card fraud is one of the top fears of Americans in the midst of this global financial crisis. Concern about fraud exceeds that of terrorism, computer viruses, health viruses and personal safety. (Source: Unisys Security Index: United States, March 2009). According to Verizon, there were more electronic records stolen in 2008 than in the previous four years combined. The recently well-publicized breaches at Heartland and previous breaches at Hannaford and TJX have brought this issue to the forefront. In addition to these highly publicized breaches, identity theft and card fraud are occurring at continually increasing rates at local business establishments like gas stations, restaurants and bank ATMs.
Merchants are also victims and suffer damaged reputations and significant monetary losses when card fraud occurs. PCI DSS compliance, verified through an assessment by a Qualified Security Assessor (QSA), is one of the primary tactics merchants use to battle card fraud today. Another tactic is to use various levels of encryption to protect payment transaction data. This includes both point-to-point encryption, where the data is encrypted between two points (e.g., from the merchant to a processor), and end-to-end encryption, where the data is encrypted from initiation of the transaction through the processors and interchanges and finally to the bankcard issuer. The latter is difficult to coordinate and rarely used today. In addition to these security tactics, there are various customer authentication and verification services that attempt to validate cardholder identity. These security solutions are a step in the right direction, but are they enough to fix the problem?
Sometimes we look at complicated problems (such as card fraud) and overlook simple solutions. At the 2009 Global Security Summit, Visa, Inc.'s Chief Enterprise Risk Officer Ellen Richey stated that "Visa believes that the best way to make data unusable is by introducing dynamic data into the transaction authentication process." In other words, instead of trying to protect the gold, why not take the gold out of the room? The gold that thieves are attempting to steal in the payment card industry is the actual payment card number. Taking the gold out of the room means using dynamic/virtual numbers in place of actual card numbers at every step of the card transaction approval process, except at the issuing bank, where the account is established and the virtual number is tied to the customer's account (actual card number). The virtual number is transparent to the merchant and is processed using the existing card processing system. The main purpose of using a virtual card number is to hide the real number from individuals who intend to use it for criminal activity.
The concept of a virtual number is not new to the payment industry. However, there are a number of key requirements that are absolutely necessary for this type of technology to succeed and achieve widespread adoption.
First and foremost, the virtual number generating device must be simple to use for consumers or they won't use it.
It has to be extremely fast and able to generate the virtual number anytime, anywhere without requiring any type of connection to an external source. In other words, it has to operate like a calculator where you press a button and the virtual number is generated and transmitted or used by the merchant for payment.
The virtual number must be completely transparent to the existing merchant services payment card approval system.
Any merchant that currently accepts payment cards would be able to process the virtual number transaction.
The virtual number should contain hidden information that can be used to validate the transaction and identify fraudulent use.
This hidden information must be completely transparent to the transaction approval process and to potential thieves.
The virtual number solution must be usable in both e-commerce (card-not-present) and POS (card present) transactions.
It must work for both debit and credit card accounts.
It must be a software-based solution to allow card issuers to save money through ease-of-use and reduced card fraud expense.
The technology should be both transmission and encryption agnostic.
It doesn't matter what type of transmission technology is used (NFC, Bluetooth, Wi-Fi, etc.) or what type of encryption is used during the transmission process because it is ultimately just a number that looks and functions like any other payment card number.
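To make the requirements above concrete, here is an added example (not from the article, and not any issuer's or vendor's product) of one way such a scheme can be built: the consumer's device derives a number offline from a per-account secret and a counter, the number keeps the shape the approval system expects (issuer BIN, Luhn check digit), and only the issuer can verify the embedded authenticator, map it back to the real account and reject replays. The BIN, the 6/4/5/1 digit layout, the five-digit authenticator and the counter window are constructed assumptions chosen to keep the example short; a real deployment would size them differently.

```python
import hmac
import hashlib

BIN = "411111"   # constructed issuer identifier for the example, not a real issuer's range
WINDOW = 10      # how many counters past the last accepted one the issuer will search


def luhn_check_digit(digits: str) -> str:
    """Check digit that makes digits + check pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:           # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def mac_digits(key: bytes, counter: int) -> str:
    """The 'hidden information': 5 decimal digits of an HMAC over the device counter."""
    tag = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 100000:05d}"


def generate_virtual_number(key: bytes, slot: int, counter: int) -> str:
    """Device side: works offline, like a calculator. Layout: BIN(6) slot(4) mac(5) check(1)."""
    body = BIN + f"{slot:04d}" + mac_digits(key, counter)
    return body + luhn_check_digit(body)


class Issuer:
    """Issuer side: the only party that holds the account keys and the real card numbers."""

    def __init__(self):
        self.accounts = {}   # slot -> {"pan": real number, "key": secret, "last": counter}

    def enroll(self, slot: int, real_pan: str, key: bytes) -> None:
        self.accounts[slot] = {"pan": real_pan, "key": key, "last": -1}

    def authorize(self, virtual: str):
        """Return the real account for a valid, fresh virtual number; None otherwise."""
        if len(virtual) != 16 or not virtual.isdigit():
            return None
        if virtual[:6] != BIN or luhn_check_digit(virtual[:-1]) != virtual[-1]:
            return None
        acct = self.accounts.get(int(virtual[6:10]))
        if acct is None:
            return None
        for c in range(acct["last"] + 1, acct["last"] + 1 + WINDOW):
            if hmac.compare_digest(mac_digits(acct["key"], c), virtual[10:15]):
                acct["last"] = c          # accepting c retires every counter up to c
                return acct["pan"]
        return None                       # forged, replayed, or outside the window
```

A merchant or processor that stores `virtual` holds nothing reusable: the same digits are refused a second time, and without the per-account key nobody can produce the next valid number.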
One of the primary benefits of using a virtual number is that the merchant never sees the actual debit/credit card number; they only see the virtual number. As a result, merchants store only virtual numbers, and cardholders are not exposed if the merchant's data system is breached and the stored numbers are stolen.
Another significant benefit is that virtual number technology is ideally suited to the mobile payment (m-payment) industry because it provides unprecedented fraud protection and removes the risk of a thief using a sniffer within the wireless transmission field of a contactless transaction to steal the payment card number. The actual payment card number is never used and consequently never accessible to thieves at any point during the m-payment transaction. The virtual number essentially renders the data transmitted to a contactless receiver valueless to a thief. Consequently, it makes any type of wireless technology (NFC, Bluetooth, Wi-Fi, etc.) feasible as the transmission medium for contactless transactions and minimizes the need for encryption.
Tests have been conducted in Australia with the Commonwealth Bank and the National Australia Bank, which are among the first to offer mobile phone Near Field Communication (NFC) contactless payment technology to their customers. In Melbourne the National Australia Bank conducted tests with approximately 200 people and 30 merchants, including pharmacies, restaurants and convenience stores. The feedback from consumers was very good and rollout is expected sometime in the future. This method of payment can also be considered "green" because producing a plastic card would no longer be necessary, just an account number at a bank, and "germ-free" because the consumer does not need to touch the PIN pad buttons or electronic pens that everyone else does.
By taking the "gold out of the room" through the use of virtual numbers, the risk and fear of card fraud are greatly reduced and monetary losses due to card fraud are avoided. As a result, merchants and ISOs (independent sales organizations) can focus on the ordinary business of supporting increased payment card transactions.