We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Visa launches one-time passcode cards

Cards contain keypad, display & password generator

Visa has launched a payment card in Europe that contains a keypad and an eight-character display for showing a one-time passcode, an additional defence against potentially fraudulent internet transactions.

Visa's CodeSure also acts as a chip-and-PIN (personal identification number) card, where people enter into a terminal a four-digit pin that is confirmed by a microchip within the card during a face-to-face or cash machine transaction.

Online transactions, however, are more susceptible to fraud as they do not use the PIN, often relying only on the details printed on the card. A hacker who has obtained details such as the card's number, expiration date and three-digit security code, may be able to make a purchase online.

Visa and MasterCard have been pushing online merchants to implement the more stringent 3D Secure (3DS) system, also known as Verified by Visa or MasterCard SecureCode. The system requires a person to enter a password or portions of a password in a browser frame displayed during a transaction in order to complete an on-line purchase.

But 3D Secure still uses a static password selected by a consumer and is vulnerable if someone mistakenly reveals their password through a phishing attack.

The alphanumeric display and a keypad on Visa's CodeSure card overcome that vulnerability. During an e-commerce transaction, the customer would press the 'Verified by Visa' button on the card and enter their PIN. If the PIN is correct, the card will generate an electronic one-time passcode that can be entered into the Verified by Visa frame.

This one-time passcode is only valid for a very short period of time. If it were to be intercepted by a hacker, it would have to be used quickly before it expired.

The card also has other modes that can be used for other authentication purposes such as online banking, according to Visa. The bank would show a number, called a dynamic numerical challenge code, which the customer would enter onto the card's keypad. If that number is verified by the card, it confirms that the request is from the customer's bank. The customer would then enter their PIN on the card to generate a one-time passcode for the transaction. The process is known as mutual authentication. The same steps could be used during a phone transaction with a bank using a CodeSure card.

It also can be used to sign online banking transactions using elements such as an account reference number or transaction amount. Another mode can provide authentication for access to third-party services such as VPNs, frequent flyer programmes or other online services. CodeSure cards have an estimated three-year battery life.

In the UK, fraudulent card-not-present payments amounted to £266.4 million (US$389 million) in 2009, down 19 percent from 2008, where the total reached £328.4 million. The decline was attributed to increased use of 3DS, according to the UK Cards Association and Financial Fraud Action UK.

See also:

PC security advice


IDG UK Sites

Samsung Galaxy S6 release date, features and specs rumours: When will the Galaxy S6 come out?

IDG UK Sites

Why people aren't upgrading to iOS 8: new features are for power users, not the average Joe

IDG UK Sites

Free rocket & space sounds: NASA launches archive of interstellar audio on SoundCloud

IDG UK Sites

iPad Air 2 review: Insanely fast and alarmingly thin. Speed tests, camera tests, beautiful...