Dynamic Security Codes: A Primer

Secure Technology Alliance Payments Council Mar. 23, 2021

Copyright © 2021 Secure Technology Alliance. All rights reserved. Who We Are Payments Council

… focuses on securing SELECTED COUNCIL RESOURCES payments and payment applications in the U.S. • Biometric Payment Card through industry dialogue, • Contactless Payments: Proposed Implementation Recommendations commentary on standards • Contactless Payments Security Q&A and specifications, technical • guidance, and educational Dynamic Security Code Cards: A Primer • Electric Vehicle Charging Open Payment Framework with programs about the means ISO 15118 of improving the security of • EMVCo Payment Account Reference (PAR): A Primer the payments infrastructure • Implementation Considerations for Contactless Payment- and enhancing the Enabled Wearables payments experience. • IoT and Payments: Current Market Landscape • Blockchain and Smart Card Technology Webinar Topics and Speakers

1. Introduction

2. Benefits of Dynamic Security Code Cards

Francine Dubois Cyril Lalo Oliver Manahan 3. Issuer perspective IDEMIA Ellipse Infineon Technologies 4. Stakeholder implementation considerations

Gerry Glindro Tom Rapkoch IDEMIA Visa

4 Dynamic Security Code Cards Introduction Francine Dubois, IDEMIA

5 The Shift to Digital Commerce Is Here to Stay 79% of consumers plan to 45% continue the digital shopping practices Share of consumers who have shifted to they adopted during the digital1 pandemic1

+42% North America digital transactions from June 12.3% 2019 to June 20202

Mar 2020 Nov 2020 3 2020 CNP fraud x2 1. PYMTS.com, Online security and the DEBIT-CREDIT divide, January 2021 2. CNP Newsletter, February 11, 2021 3. Robert Tharle, Fraud Prevention, November 21, 2020

6 Dynamic Security Code Cards CNP Fraud and COVID

• Opportunistic fraud tied to Pandemic • Fraudulent e-commerce shops set up to steal card data with CVV • Bot and “carding” attacks increasing. Fraudsters deploy bots to make small purchases to identify valid cards, followed by more frequent higher value transactions. Target = vulnerable merchants with less robust fraud systems like small to medium eCom businesses, QSRs or charitable websites • Huge increase in click and collect or Buy Online, Pickup In-Store (BOPIS) which helps fraudsters evade robust in-store EMV defenses and gain access to goods the same day with compromised credentials1

• 40 million cards exposed in 2020 (50% issued in the US) and a corresponding 20% YoY increase from 2019. Similarly, demand for CNP records rose in 2020 with a 20% YoY increase2

1. FIS, Early indicators of fraud trends emerging from COVID-19, July 13, 2020 2. Gemini, Annual Report 2020, December 17, 2020

7 Dynamic Security Code Cards False Positives/Declines

Legitimate purchase made with a valid payment card that is incorrectly rejected by the card issuer 25% of cardholders move a declined card to • Prevalence the back of their wallet2 • New shoppers 2x greater than pre-Covid and 5-7x more likely to get declined1

• Impact on eMerchants 39% of cardholders • 40% of declined users never come back to that site1 change their payment • Millions in lost revenue1 method after a decline3

• Impact on Issuers • Loss of market share to competitor $361 • 68% Reduction in cardholder spend average • Cost of customer support call, etc… 68% spend reduction per $159 4 • Impact on Consumers order after a decline • Frustration Approved Declined customers customers 1. Forter “New User Missed opportunity” 2. Ethoca Research, "Solving the CNP False Decline Puzzle, Collaboration is Key" 2016. Referencing: Javelin, Future Proofing Card Authorization, August 2015 3. Ethoca Research, "Solving the CNP False Decline Puzzle," 2017. 4. Radial, False Positives White Paper, The monster that’s really killing you and how to survive, 2018

8 Dynamic Security Code Cards The Need for New Solutions

The right balance Dynamic Card Security Code between security & STATIC APPROVED SECURITY CODE transaction approval TRANSACTIONS

• Increase in security • Lower CNP fraud rate • Lower fraud management costs • Less card reissuance

• Increase in revenue STRICT • Less false positives & missed AUTHORIZATION RULES opportunities

CNP FRAUD PREVENTED

9 Dynamic Security Code Cards What Are Dynamic Security Code Cards? Cyril Lalo, Ellipse

10 The Natural Evolution of Payment Cards Extending the security enhancements of EMV to eCommerce

EMV RAILS

▸ Card & transaction data • PAN : 9000 7500 0001 ▸ Authorization 5996 • Date : 12/25 Contact EMV • Amount : $50 ▸ Authentication & synchronization ▸ • Merchant : 25001 • Location ID: 90232001 • Contactless • etc… • Speed & convenience

• DCVx2 • Dynamic Card Security Code for more secure CNP transactions

11 Dynamic Security Code Cards What Are Dynamic Security Code Cards?

Regular EMV Dual Interface payment card with embedded mini-screen

• Electronic paper display

• Security code refreshes automatically • Using a timer or • During every EMV transaction

• Identical characteristics of regular payment card

12 Dynamic Security Code Cards Dynamic Security Code cards – Overview

Time-based solution EMV integrated solution

• Code changes automatically, at set intervals • New code generated natively by the EMV App • Utilizes an internal real-time clock (RTC) during every EMV transaction • Battery powered • Powered by terminal (POS, ATM, contact or contactless)

13 Dynamic Security Code Cards Demonstration

14 Dynamic Security Code Cards Benefits of Dynamic Security Code Cards Oliver Manahan, Infineon Technologies

15 Dynamic Security Code Cards Increase in Security Additional layer to other CNP fraud solutions

Combats fraud Addresses Disrupts points at the source false positives of collection

DCVx2

• Provides protection at the card level • Brings issuer-controlled dynamic • Provides date, time and place of • Deters card information theft data point to verification process origin for each DCVx2 • Enables more accurate and (EMV integrated) reliable authorizations • Benefits all cards, including those with static security codes

16 Dynamic Security Code Cards Consumer Purchase Experience

Familiar & easy to use

• Used exactly the same way as regular static security codes • Works on any channel • Does not require additional apps or plugins • Provides peace of mind

17 Dynamic Security Code Cards Transparent to Merchants

Transparent to eMerchants

• No additional action required to process dynamic security codes • No impact on infrastructure, checkout page, and ordering systems • Works on existing card not present channels

18 Dynamic Security Code Cards Issuer Advantages

Stronger card security Revenue increase • Reduction of CNP fraud • New customer acquisition • Lower fraud management cost • Value add service • Less card reissuance

Improve cardholder Market differentiation trust and confidence • Brings real consumer appeal Top of wallet for in-person • Improve brand image transactions, eCommerce, and eWallets

19 Dynamic Security Code Cards Stakeholder Implementation Considerations Gerry Glindro, IDEMIA Tom Rapkoch, Visa

20 Dynamic Security Code Cards Implementation: Issuer

Time-based solution EMV integrated solution Technology Dynamic Security Code refresh choice Educate users on regular POS frequency transactions to refresh Decisions on validation server • In-house development/Off-the- shelf software • Payment network service

Proper Card/battery disposal

21 Dynamic Security Code Cards Implementation: Personalization Bureau

Time-Based Solution EMV-Integrated Solution

Personalization Timeframe Some battery drain while in vault storage. No change

2nd contactless module required (ISO Hardware 154693) No change

Personalization EMV chip and display personalization Regular EMV personalization

Certification Payment network certification Payment network certification Synchronization with UTC time used with Time server Not applicable Verification Server Proper removal of battery from scrapped Perso Scrap Not applicable cards Special fulfilment and special mailing Fulfilment/packaging Regular fulfilment and mailing packaging Automated inline camera inspection during Visual check – sufficient sampling size to Visual inspection EMV personalization or visual check with ensure DSC refreshes tied to refresh period card reader

22 Dynamic Security Code Cards Implementation: Issuer Processor

Time-Based Solution EMV-Integrated Solution

Time based. Automatically updated at Updated during a card-present EMV Change mechanism configured intervals. transaction.

The change interval is based on the issuer’s risk The change interval is based on the frequency Change frequency policy and can range from 15 min. to 24 hrs. of card-present EMV transactions.

Clock management Yes Not Applicable Infrastructure integration Requires light integration Leverages existing EMV infrastructure Leverage algorithms available in current authorization platforms (i.e., algorithms used to Algorithms OATH, Visa, others generate static CVV or contactless magnetic stripe CVV) • Proprietary server software Verification server Leverages existing Issuer processor HSM • Visa solutions

23 Dynamic Security Code Cards Implementation: Processor – Time Based

24 Dynamic Security Code Cards Implementation: Processor – EMV Integrated

Existing Infrastructure

VERIFICATION REQUEST FOR CVX2 * CNP CVX2 VERIFICATION AUTHORIZATION REQUEST WITH DCVX2 CARD IDENTIFICATION+ (BIN/PAN RANGE OR PRODUCT ID) SAME HSM

DCVX2 VERIFICATION VERIFICATION REQUEST FOR DCVX2

DCVx2 verification request replacing CVx2 verification request

+BIN/PAN range or product ID *CVx2 = CVV2 (Visa) or CVC2 (Mastercard)

25 Dynamic Security Code Cards Implementation: Network

Time-based solution EMV integrated solution

Disable static security code checking Disable static security code checking

Network and card must be in sync Transparent, no change • Time Window Unit Key designation

In-flight transactions, deferred authentication

26 Dynamic Security Code Cards Conclusions Cyril Lalo, Ellipse

27 Dynamic Security Code Cards Conclusions

Dynamic Card Security Card level security An issuer-centric Codes are more secure addresses fraud at the solution than static data source

Transparent for Robust addition to cardholders analytical/behavioral-based security layers

28 Dynamic Security Code Cards Q&A

29 Payments Resources

• Secure Technology Alliance Knowledge Center - https://www.securetechalliance.org/knowledge-center/ • Dynamic Security Code Cards: A Primer white paper • EMV Connection web site • mDL Connection web site • U.S. Payments Forum – https://www.uspaymentsforum.org Speaker Contact Information

• Jason Bohrer, Secure Technology Alliance - [email protected]

• Francine Dubois, IDEMIA – [email protected]

• Cyril Lalo, Ellipse – [email protected]

• Oliver Manahan, Infineon Technologies – [email protected]

• Gerry Glindro, IDEMIA – [email protected]

• Tom Rapkoch, Visa – [email protected] 191 Clarksville Road Princeton Junction, NJ 08550