New For Your Wallet, Secure Credit Cards With Displays and a Button

Written by Evan Schuman
May 2nd, 2007

Two security firms have crafted a fully-functional credit card with a tiny monitor and button that will issue one-time passwords. But whether any banks will offer the expensive formfactor is another question.

The firms?Verisign and Innovative Card Technologies (ICT)?announced Tuesday that they are jointly trying to sell this concept to various credit-card (and debit card) issuers, with per-card prices ranging from $10 to $30, depending on volume purchased. That compares with a traditional card that costs less than a dollar and sometimes far less than a dollar. Verisign VP Fran Rosch guessed that major banks would likely pay “in the teens” for the new formfactor, given the volumes they would likely be using.

The concept of the card is powerful and timely, as retailers are desperately trying to improve POS security, especially for E-Commerce transactions. With thefts of credit-card identifying data growing rampant, the idea of an authentication code that?in theory?couldn’t possibly be stolen from some retailer’s database is quite compelling.

“Personally, I think this form factor makes tremendous sense,” said Gartner security analyst Avivah Litan. “It’s much more convenient for users and it can be used in multiple channels ? point-of-sale, ATM, voice and web. Most of the data stolen from breaches would be rendered useless unless the thief stole the actual card.”

Litan said it looked quite likely that banks will end up supporting this approach. “I am fairly certain they?ll get one or two top-ten banks to pilot it. And let?s be real: considering all the charges consumers get on their credit card or debit card bills, the banks could easily slip in another $10 ‘security fee’ if they believed in the solution. This would be a lot less offensive than their late fees and financing charges.”

But that’s not necessarily going to happen. Even assuming the extreme lower-end of that price range, the price could easily be far too expensive for the typical large card issuer, said David Robertson, publisher of The Nilson Report, a well-respected research site tracking the payments space.

“The cost is way too high for mass market distribution in the U.S., even at $10,” Robertson said. “There are cheaper fraud solutions for online purchases.”

The typical card today costs 27 cents to make, compared with the $10-$30 range for the one-time-password-issuing version. Although an oft-quoted figure for credit card cost is $1/card, that includes 73 cents for the customization of the embossed name, the magstripe programming, packaging and distribution, among other things. All of those other charges would still have to happen with the higher-priced secure card, making the true comparison price 27 cents, Robertson said.

With more than 1.2 billion cards in the market today, this could only be “a niche card for people who are doing a lot of online purchasing,” he said. But he doesn’t see how one could make a business case for it.

“That’s a lot of money of money to spend to push someone who might be a fence-sitter, who might be hesitant to make purchases online. The differential between 27 cents and $10 and you’re going to take a reluctant customer and try and push them beyond their insecurity?” Robertson asked. “You’re not going to find any major financial issuer in the United States adopting this kind of technology.”

Given the fact that consumers have not pulled back from online purchasing even in the wake of TJX and other recent well-publicized large data breaches, Robertson can’t see the ROI argument here. “Online sales are increasing and the good guys are able to stay one step ahead of the bad guys at this time,” he said. “Fraud is part of the cost of doing business. It’s a manageable cost at this time.”

Even if the market changes enough to make the price acceptable, there are still technological hurdles that would have to be overcome. “Work has to be done to upgrade the payment/ATM/VRU and Web systems to accept this form factor and one-time-passwords but those costs are less than the costs of security upgrades today,” Gartner’s Litan said. “The banks need to spend more on the cards though so we haven?t seen that much momentum from financial institutions and card issuers but it could help solve a lot of security problems out there in the market today.”

Banks would theoretically have several payment options, including passing all of the charges along to the consumer, some of the charges to consumers or absorbing the whole cost and turning it into a marketing advantage for nervous consumers.

Verisign and ICT’s statement said that would “integrate the security of a one-time password token into a card the size of a standard credit or debit card. At the push of a button on the back of the card, an integrated display shows a password that changes with every transaction. During an online transaction, this number is entered into a user interface with other information (such as the user?s static PIN and login name) for multifactor authentication.”

The credit-card formfactor is the most interesting part of the announcement, but the two companies are also trying to sell their one-time-password-issuing device in other formfactors, primarily pocket-sized standalone security devices. The one-time-password device being tested by EBay’s PayPal is one such application from Verisign and ICT.

Verisign’s Rosch said many banks are conservative and hesitant about new formfactors. “When they start changing, they’re very cautious,” which is why the pair are offering a standalone security device in addition to the credit card version.

When asked, Rosch said “we think we’ll have 1.5 million out by the end of the year” but then clarified that “a relatively small percentage will be credit cards.”


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.