Cryptograms are encoded messages, best known as a tool for subterfuge and secrecy as they kept sensitive information away from prying eyes throughout history. While your everyday experiences may not revolve around smuggling important missives across enemy lines, cryptograms are likely an invisible part of your normal day-to-day.
EMV Chip Cards were designed to solve the security issues of the magnetic stripe card. Magnetic stripe cards hold cardholder information using a magnetic strip of tape and transmit this information when swiped. However, this method of sharing information is incredibly easy to steal.
Magnetic strips have security flaws similar to phones that are not password protected. Even if you carefully guard the item that holds the sensitive information, it remains easily accessible if someone gains unauthorized access. Hackers found multiple ways to steal this unguarded information from magnetic stripe cards, which led to EMV chip cards being created.
This code is generated by the chip and the terminal where the payment is taking place. The cryptogram they create is used to validate the transaction for the bank by proving the security and authenticity of the card. Additionally, the issuer may send a return cryptogram that further verifies the approval of the transaction.
This cryptogram is not only important for verification purposes, it is also what makes the replication of EMV chip cards impossible. While magnetic stripe cards were easy to replicate, even advanced hackers who find a way to steal chip card information cannot create a new card. Without the ability to replicate the chip and the cryptogram, hackers cannot create EMV chips themselves.
IDEMIA is full of innovative minds. And thanks to them, we have developed a seamless way to drastically enhance the security of Card-Not-Present (CNP) transactions. MOTION CODE cardholders will find that the traditional static 3-digit security code on the back of their card has been replaced by a mini-screen displaying a code, which automatically refreshes every hour. This solution renders copying of card information useless. By the time would-be fraudsters try to use it, the stolen number will have already changed several times.
The best and most innovative aspect of this invention? It requires zero changes in user habit. The magic of MOTION CODE happens behind the scenes. As this technology relies on a complex algorithm to automatically generate a new code, it does not require any disruptive process such as installing a plugin or having to key in data.
Thanks to this new dynamic cryptogram technology, the customer feels reassured and more confident when he uses his card. Everyone agrees on its simplicity as it does not require any change to the online shopping experience.
Payment transactions originating from the payment applets include a payment cryptogram along with a Device Account Number. This cryptogram, a one-time code, is computed using a transaction counter and a key. The transaction counter is incremented for each new transaction. The key is provisioned in the payment applet during personalization and is known by the payment network or the card issuer or both. Depending on the payment scheme, other data may also be used in the calculation, including:
These security codes are provided to the payment network and to the card issuer, which allows the issuer to verify each transaction. The length of these security codes may vary based on the type of transaction.
Network tokenization is an innovative technology that replaces payment card data with a network-issued token and unique transaction cryptograms. This represents a vast improvement over the more common approach to protecting transactions with tokenization, known as PCI tokenization or vault tokenization. Network tokenization reduces the potential for fraud, improves the merchant and consumer experience, increases approval rates, and reduces overall transaction costs.
Network tokenization is a new way to process card payments that helps to keep sensitive customer card data more secure while increasing authorization rates and reducing costs for both card-present and, more recently, for card-not-present transactions.
When a merchant wants to charge a card, the usual workflow is to send an authorization request to a payment processor with the card number, expiration date, CVV, and amount. The payment processor or gateway will pass on the card details to the card network, which will then forward them to the card issuing bank for approval. Then the approval message is sent all the way back to the merchant.
Throughout this process, the card number, expiration date, and CVV are passed from one party to another. Of course, this presents many potential points of failure where this sensitive card data could be exposed.
Ecommerce merchants in the industry have tried their best to keep fraud in check with additional fraud checks that happen as data flows to the payment processor, card network, and issuing bank. The issuing bank will check if the person has the funds for the purchase and whether the card number is valid, and attempt to confirm that no fraud is happening.
When a fraudulent transaction occurs, the cardholder initiates a chargeback, and the issuing bank kicks off the chargeback process. Now with EMV and NFC for point-of-sale transactions, the issuer bears more risk and responsibility for those losses. Unfortunately for merchants, with most card-not-present transactions, the merchant ends up bearing the cost of the fraudulent transaction. If the merchant fights the chargeback, then it will go back to the issuer. This process continues until someone pays for the chargeback.
Network tokenization aims to solve this problem by removing the card number from most of the steps in the card transaction data flow and also providing a cryptogram for each individual transaction. This has greatly reduced card-present fraud.
PCI tokenization was introduced by the PCI Security Standards Council as a way to reduce the exposure of card information for merchants. In this approach, the card number is replaced by a token at a specific endpoint instead of across the entire payment ecosystem. This is a technique used by many payment service providers like Stripe, Braintree, Cybersource, and Adyen.
The merchant registers the card number with the payment service's vault and the payment service returns a token. The merchant can safely store this token and remain PCI DSS compliant. The payment service is responsible for securely storing the card details in a compliant way.
When the merchant wants to issue a transaction against the card, they can pass the token and transaction details to the gateway (processor) as shown above. The payment processor then swaps the token for the card number and passes the card information downstream to carry out the transaction.
Once a token is provisioned for a card, transactions are carried out using the network token representation of the card rather than the card details, as shown below. In addition, a cryptogram is generated and sent along with the authorization. This cryptogram is unique to the token, merchant, and individual transaction.
The end-to-end security that network tokenization introduces significantly reduces the risk of fraud. Outside of the initial collection point, network tokenization removes the need for merchants to directly handle any sensitive card information. Instead they deal with a network token, which has no exploitable value. Second, the cryptogram further secures the authorization. Visa has seen an increase in authorization rates and a 26% average reduction in fraud as a result of using network tokenization.
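The counter-and-key cryptogram described earlier for payment applets, and the cryptogram bound to token, merchant, and individual transaction described here, can be sketched from the verifying side as follows. This is an added example, not code from any payment network or vendor named on this page; HMAC-SHA256 as the MAC, the field layout, the `Verifier` class, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def compute_cryptogram(key, token, merchant_id, amount_cents, counter):
    """One-time code over token, merchant, amount and transaction counter.
    HMAC-SHA256 truncated to 8 bytes is a stand-in (assumption), not a scheme's MAC."""
    fields = [token.encode(), merchant_id.encode(),
              struct.pack(">Q", amount_cents), struct.pack(">I", counter)]
    # Length-prefix each field so adjacent fields cannot be shifted into each other.
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Verifier:
    """Issuer/network side: holds the provisioned key and the last counter accepted."""
    def __init__(self):
        self._keys = {}          # token -> key provisioned at personalization
        self._last_counter = {}  # token -> highest counter accepted so far

    def provision(self, token, key):
        self._keys[token] = key
        self._last_counter[token] = 0

    def verify(self, token, merchant_id, amount_cents, counter, cryptogram):
        key = self._keys.get(token)
        if key is None:
            return "unknown_token"
        expected = compute_cryptogram(key, token, merchant_id, amount_cents, counter)
        # Constant-time comparison; authenticate before trusting the counter.
        if not hmac.compare_digest(expected, cryptogram):
            return "bad_cryptogram"
        if counter <= self._last_counter[token]:
            return "replayed"  # valid code, but its counter was already spent
        self._last_counter[token] = counter
        return "approved"


def demo():
    key = bytes(range(32))       # constructed test key
    token = "4900000000000001"   # constructed token value, not a real card number
    v = Verifier()
    v.provision(token, key)
    c1 = compute_cryptogram(key, token, "MERCH-A", 2599, 1)
    return [
        v.verify(token, "MERCH-A", 2599, 1, c1),  # genuine transaction
        v.verify(token, "MERCH-A", 2599, 1, c1),  # same message captured and resent
        v.verify(token, "MERCH-B", 2599, 2, c1),  # code reused at another merchant
        v.verify(token, "MERCH-A", 9999, 2, c1),  # amount altered in transit
    ]
```

A captured token and cryptogram pair is rejected on resubmission because the counter has already been consumed, and rejected at a different merchant or amount because the MAC no longer matches.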
The card network that maintains the mapping of cardholder information to network tokens updates the mapping on the backend if a change happens. This means that the merchant always has an active card to try based on the persistent token and should experience less churn from inactive cards.
Second, network tokens also support Payer Account Reference (PAR). PAR is designed to ensure that the payment processing and value-added services that relied on the underlying PAN can still be performed without having to rely on the PAN.
When a card is charged, a merchant typically pays a transaction fee, which is based on an interchange rate and a few other inputs. Fraud rates impact interchange fees, which is why the interchange rate is higher for card-not-present transactions versus card-present transactions. To support the rollout of network tokens and the decrease in fraud rates, Visa announced an average ten basis points reduction in interchange for card-not-present network token transactions in April of 2022. Other networks are expected to follow suit.
Additionally, the industry is expecting a liability shift for card-not-present network tokenization. Traditionally, merchants are responsible for covering fraud charges, but with network tokenization the liability is expected to shift to the issuer, similar to the pattern we saw with card-present EMV transactions.
Skyflow supports network tokenization for Visa, Mastercard, and American Express cards. The integration process for using network tokens with Skyflow is exactly the same as it is for PCI tokenization. Skyflow abstracts away the complexity of integrating directly with each network token service individually, so that provisioning a card or carrying out a transaction requires just a simple API call.
Network tokenization is a fantastic innovation that reduces fraud, decreases costs, and creates a better consumer and merchant experience. With Skyflow, you get all of the benefits of network tokenization, without the complexity of integrating with multiple card network providers.