Can Card Not Present Transactions Be Made Secure - Once And For All?
Recently, physical payment card manufacturers have announced the availability of a new generation of EMV chip cards with embedded biometric sensors, capable of authenticating the cardholder by storing a fingerprint template on the card and verifying a live scan against it. In addition, the same vendors announced cards that display a periodically changing dynamic CVV2 value on a small LCD display on the back of the card, instead of the usual static CVV printed there.
In a nutshell, the biometric sensor built into the payment card is designed for card present transactions (i.e. in-store Point Of Sale payments), primarily to remove the need for cardholders to remember a PIN. The dynamically generated, periodically rotating CVV2 value (dCVV), on the other hand, targets e-commerce 'card not present' (CNP) transactions: a CVV captured by online thieves or a dishonest merchant becomes worthless as soon as the value rotates, so stolen CVV data can no longer be reused.
At present, these two card innovations coexist independently of each other. Several of my LinkedIn connections rightfully pointed out that, although remembering a PIN is a niche challenge for a minority of consumers, the much larger and still outstanding challenge is to fully secure e-commerce / CNP transactions. I fully agree. You see, even with a dCVV card, a thief who steals the physical card can simply read the current value off the display and use the card for an online purchase.
'Card Present' AND 'Cardholder Present' Online Transactions
Ideally, the industry should ensure that during an online transaction it is only the legitimate cardholder who is using the genuine, legitimate card for payment - the security level already achieved with in-app payments via OEM wallets (Apple Pay, Google Pay and Samsung Pay). You authenticate yourself, usually with a fingerprint or face scan on your phone, and the EMV applet behind the OEM wallet generates a cryptogram that is unique to that online transaction. In most OEM wallet implementations this cryptogram plays the same role as a dCVV: a one-time value bound to the transaction, which neither the merchant nor an eavesdropper can replay. Nice and fairly secure.
Would it be possible to achieve the same level of security for online payments with plastic EMV payment cards? Yes, of course it would, and the pieces are right in front of our eyes. If card manufacturers combined the two innovations above and made them work together, they could create a super-smart-card for which neither a stolen card nor stolen card data alone is enough to make an online payment.
What needs to happen to fully secure e-commerce transactions is therefore the following:
Card manufacturers (Gemalto, G&D, IDEMIA, Kona, etc.) should ensure that the card's dCVV value is displayed ONLY when the live fingerprint scan matches the template of the registered cardholder. NOTE: A similar level of online transaction security could be achieved even with current plain vanilla EMV cards, combined with a mobile app (provided by the card issuer) that generates an equivalent dCVV value only after the user has authenticated with the phone's fingerprint or face scan; in that set-up the static CVV printed on the card is ignored by the issuer.
Card issuers need to start adopting dCVV solutions like these and, at the same time, start declining any online transaction that does not carry a dCVV value.
Online merchants need to capture the dCVV on their online checkout forms, or otherwise risk their transactions being declined.
Unless these three conditions are met, online transactions will not be fully secure and will remain vulnerable to fraud.
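To make the three conditions concrete, here is a small simulation of the whole flow: a card that only shows a dCVV after a fingerprint match, an issuer host that declines CNP authorisations that arrive without a dCVV or with the old static CVV, and a guessing limit. This is an added example written for this page, not code from the article's author or from any card vendor or network. Everything specific is an assumption: the dCVV is modelled as a 3-digit TOTP-style truncation of HMAC-SHA256 over PAN, expiry and a one-hour time step, the issuer tolerates one step of clock drift, and the card details are constructed test data.

```python
"""Toy dynamic CVV (dCVV) flow for a card-not-present payment.

Added example, not code from the original article or any card vendor.
Assumptions: the card and the issuer share a per-card secret; the dCVV is a
3-digit HMAC-SHA256 truncation over PAN, expiry and a one-hour time step;
the issuer tolerates one step of clock drift and blocks CNP use after
repeated misses.  No real card or network specifies these parameters.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

STEP_SECONDS = 3600      # assumed rotation interval of the card's display
TOLERANCE_STEPS = 1      # issuer also accepts the previous and next step
MAX_FAILURES = 3         # CNP lockout after this many wrong dCVVs


def time_step(unix_time: int) -> int:
    return unix_time // STEP_SECONDS


def compute_dcvv(card_key: bytes, pan: str, expiry: str, step: int) -> str:
    """dCVV for one time step: HMAC(key, PAN || expiry || step), TOTP-style truncation."""
    msg = pan.encode() + expiry.encode() + struct.pack(">Q", step)
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 1000:03d}"


def valid_dcvvs(card_key: bytes, pan: str, expiry: str, now: int) -> set:
    """All dCVVs the issuer accepts at time `now` (current step +/- tolerance)."""
    step = time_step(now)
    return {compute_dcvv(card_key, pan, expiry, s)
            for s in range(step - TOLERANCE_STEPS, step + TOLERANCE_STEPS + 1)}


@dataclass
class BiometricCard:
    """Card with fingerprint sensor and display: shows a dCVV only after a match."""
    pan: str
    expiry: str
    key: bytes                 # per-card secret, also held by the issuer
    enrolled_template: bytes   # stands in for the enrolled fingerprint template

    def display_dcvv(self, live_template: bytes, now: int) -> Optional[str]:
        # Without a biometric match the display stays blank, so a thief holding
        # the card has nothing to type into the checkout form.
        if not hmac.compare_digest(live_template, self.enrolled_template):
            return None
        return compute_dcvv(self.key, self.pan, self.expiry, time_step(now))


@dataclass
class Issuer:
    """Issuer host: rejects CNP authorisations that lack a valid dCVV."""
    cards: dict = field(default_factory=dict)     # pan -> (expiry, key, static_cvv)
    failures: dict = field(default_factory=dict)  # pan -> consecutive dCVV misses

    def enrol(self, card: BiometricCard, static_cvv: str) -> None:
        self.cards[card.pan] = (card.expiry, card.key, static_cvv)

    def authorise_cnp(self, pan: str, expiry: str, cvv: Optional[str], now: int) -> tuple:
        if pan not in self.cards:
            return False, "declined: unknown card"
        stored_expiry, key, static_cvv = self.cards[pan]
        if expiry != stored_expiry:
            return False, "declined: expiry mismatch"
        if not cvv:
            # Condition 2/3 from the article: no dCVV captured, no authorisation.
            return False, "declined: dCVV missing"
        if self.failures.get(pan, 0) >= MAX_FAILURES:
            # A 3-digit code is guessable (about 3 in 1000 per try with this
            # window), so the issuer must rate-limit failed attempts per card.
            return False, "declined: CNP blocked after repeated dCVV failures"
        if cvv in valid_dcvvs(key, pan, expiry, now):
            self.failures[pan] = 0
            return True, "approved"
        self.failures[pan] = self.failures.get(pan, 0) + 1
        if cvv == static_cvv:
            return False, "declined: static CVV no longer accepted"
        return False, "declined: dCVV mismatch"


if __name__ == "__main__":
    # Constructed sample data, not real card details.
    card = BiometricCard("4111111111111111", "12/27", b"\x01" * 16, b"enrolled-print")
    issuer = Issuer()
    issuer.enrol(card, static_cvv="123")
    now = 1_700_000_000
    print("thief, no fingerprint match:", card.display_dcvv(b"other-print", now))
    code = card.display_dcvv(b"enrolled-print", now)
    print("cardholder sees:", code)
    print("checkout with dCVV:", issuer.authorise_cnp(card.pan, card.expiry, code, now))
    print("checkout without CVV:", issuer.authorise_cnp(card.pan, card.expiry, None, now))
```

Two design points worth noting. The merchant never learns the card key, only a value that expires within the tolerance window, so a checkout-form skimmer captures nothing of lasting use. And because the displayed value is only three digits, the rotation window and the per-card failure counter do the real work against online guessing; without the lockout, an attacker could brute-force the code against a permissive issuer in a few hundred attempts.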