Visa has launched a payment card in Europe that contains a keypad and an eight-character display for showing a one-time passcode, an additional defence against potentially fraudulent internet transactions.
Visa's CodeSure also acts as a chip-and-PIN (personal identification number) card: during a face-to-face or cash machine transaction, the cardholder enters a four-digit PIN into a terminal, and a microchip within the card confirms it.
Online transactions, however, are more susceptible to fraud as they do not use the PIN, often relying only on the details printed on the card. A hacker who has obtained details such as the card's number, expiration date and three-digit security code may be able to make a purchase online.
Visa and MasterCard have been pushing online merchants to implement the more stringent 3D Secure (3DS) system, also known as Verified by Visa or MasterCard SecureCode. The system requires a person to enter a password or portions of a password in a browser frame displayed during a transaction in order to complete an online purchase.
But 3D Secure still uses a static password selected by a consumer and is vulnerable if someone mistakenly reveals their password through a phishing attack.
The alphanumeric display and a keypad on Visa's CodeSure card overcome that vulnerability. During an e-commerce transaction, the customer would press the 'Verified by Visa' button on the card and enter their PIN. If the PIN is correct, the card will generate an electronic one-time passcode that can be entered into the Verified by Visa frame.
This one-time passcode is only valid for a very short period of time. If it were to be intercepted by a hacker, it would have to be used quickly before it expired.
The card also has other modes that can be used for other authentication purposes such as online banking, according to Visa. The bank would show a number, called a dynamic numerical challenge code, which the customer would enter onto the card's keypad. If that number is verified by the card, it confirms that the request is from the customer's bank. The customer would then enter their PIN on the card to generate a one-time passcode for the transaction. The process is known as mutual authentication. The same steps could be used during a phone transaction with a bank using a CodeSure card.
It also can be used to sign online banking transactions using elements such as an account reference number or transaction amount. Another mode can provide authentication for access to third-party services such as VPNs, frequent flyer programmes or other online services. CodeSure cards have an estimated three-year battery life.
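The mutual authentication flow described above can be sketched as follows. This is an added illustration, not Visa's algorithm, which the article does not disclose: the shared per-card key, the HMAC-SHA256 construction, the 4+4 digit challenge layout, the 30-second window and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

STEP = 30  # assumed validity window in seconds; the article says only "very short"

def _digits(key: bytes, label: bytes, msg: str, n: int) -> str:
    """Truncate HMAC-SHA256(key, label|msg) to n decimal digits."""
    mac = hmac.new(key, label + b"|" + msg.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**n).zfill(n)

def bank_challenge(key: bytes, nonce: Optional[str] = None) -> str:
    """Bank: 4 random digits plus a 4-digit MAC over them (8 digits shown)."""
    nonce = nonce or f"{secrets.randbelow(10**4):04d}"
    return nonce + _digits(key, b"chal", nonce, 4)

def card_accepts_challenge(key: bytes, challenge: str) -> bool:
    """Card: recompute the MAC half; a match means the sender holds the key.
    A 4-digit MAC can be guessed 1 time in 10,000, so retries must be limited."""
    if len(challenge) != 8 or not (challenge.isascii() and challenge.isdigit()):
        return False
    expected = _digits(key, b"chal", challenge[:4], 4)
    return hmac.compare_digest(expected, challenge[4:])

def card_passcode(key: bytes, card_pin: str, entered_pin: str,
                  challenge: str, now: int) -> Optional[str]:
    """Card: release a passcode only for a genuine challenge and correct PIN."""
    if not card_accepts_challenge(key, challenge):
        return None
    if not hmac.compare_digest(card_pin.encode(), entered_pin.encode()):
        return None
    return _digits(key, b"otp", f"{challenge}|{now // STEP}", 8)

def bank_verifies(key: bytes, challenge: str, passcode: str, now: int) -> bool:
    """Bank: accept the passcode only inside the window it was generated in."""
    expected = _digits(key, b"otp", f"{challenge}|{now // STEP}", 8)
    return hmac.compare_digest(expected.encode(), passcode.encode())

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed per-card secret
    chal = bank_challenge(key)
    t = 1_000_000                   # constructed timestamp
    otp = card_passcode(key, "4821", "4821", chal, t)
    print(chal, otp, bank_verifies(key, chal, otp, t + 5),
          bank_verifies(key, chal, otp, t + 60))
```

Because the passcode is bound to both the bank's challenge and the time window, a value phished from the cardholder is useless against a different challenge or after the window closes.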
In the UK, fraudulent card-not-present payments amounted to £266.4 million (US$389 million) in 2009, down 19 percent from 2008, when the total reached £328.4 million. The decline was attributed to increased use of 3DS, according to the UK Cards Association and Financial Fraud Action UK.