MAG Insights

Announcements from the MAG & Featured Articles

Innovate Now: Payment Card Industry Fraud (MAG Quarterly- Volume Three, Issue Four)

mimi_hart  magtek_logo copy
By Mimi Hart, President, CEO, MAGTEK

December 8, 2015

It’s time to address the root cause of Payment Card Industry fraud.  How does an inexpensive, PAN-free, one-time token generating card sound as an alternative to incumbent-only token solutions? 

October 1st has come and gone and the Brands’ imposed liability shift is firmly in place. Now what?  Interestingly, the move to EMV has highlighted its own glaring deficiencies; hence the Brands are now calling for more layers of security, namely Tokenization and Point to Point Encryption.  For tokenization they reference the EMVCo specification and PCI DSS for the P2PE specification.  Will these initiatives bring needed security to merchants and consumers or will they instead headlock merchants into fee generating services and forced infrastructure changes, with little or no return on investment?   

MagTek has a better idea.  We call on MAG and its members to endorse a powerful industry initiative that addresses the root cause of payment card fraud.   That initiative is to remove the Primary Account Number (PAN) from the payment card. PANs are dangerous.  PANs are lucrative and extremely attractive to thieves and hackers.  PANs have cost retailers millions of dollars in fines and breach remediation.  The PAN should be removed from the card entirely and MagTek has the technology to accomplish that goal. We can also teach others how to do it.  

The PAN does not belong on the card. Account numbers should only reside inside account owning institutions (usually Financial Institutions) and their core processors. FIs are best able and most suited to protect account numbers, as well as their relationship with consumers or businesses. Merchants and consumers should not have to be responsible for protecting the PAN.  They should not have access to it in the first place. If  the PAN and all other Personally Identifiable Information (PII) were removed from the card, data breaches would disappear.  There would be nothing to steal.  Let’s say a customer’s card was skimmed or stolen in a massive heist. If the PAN was not obtained in the theft, it could not be used to clone a card or make a fraudulent online purchase. This holds true regardless of the technology on the card: magstripe, chip, laser, printing or embossing.

So, if there is no PAN on a card, how can one make a payment?  The answer is easy, with the right technology. One can make a payment by the presentment of a unique transaction token, which can be validated, and then act as a pointer to a PAN safely housed within the Issuing Institution. How can this be done?  MagTek has an exciting technology called Cyberstripe.  It’s based on generation 3.0 magstripe media.  The stripes look like ordinary magstripes, but they are not encoded with a PAN.  The lower layer contains a Card Seed Token (CST).  The Card Seed Token is the Initial Token, but it is NOT a number that can be used to make a purchase.  If someone steals this Card Seed Token, nothing can be done with it.  Its only purpose is to act as a seed for the propagation of future payment tokens. With Cyberstripe cards, there is no sensitive data carried on the card.  The PAN is not embossed, encoded, or printed on the card. The cardholder name need not be encoded or printed either. With Cyberstripe cards, a portion of the card may be reserved for the consumer to add whatever personal data he or she might comfortably choose to apply. There is no need for a signature on a Cyberstripe card, adding another layer of safety. 

These are no risk cards. A Card Serial Number (CSN) is encoded on the upper layer and can be used to report the card lost or stolen. It can also be used to make inquiries on transactions that occurred using the card.  The last four digits of the CSN will appear on the consumers’ receipt and their monthly statements, just like traditional debit and credit cards. The critical difference between Cyberstripe cards and other branded cards lies in the security provided.  With traditional payment cards, even those using EMV and P2PE, PAN data is still present on the card and it is in-the-clear. The PANs on traditional cards can be read by skimming devices, cameras, imprinters, or pencil and paper, and for large heists they can be captured by a computer or a communication network. To the contrary, with Cyberstripe cards, one can record the card data, skim them, clone them, read them, store them in a PC, or expose them on the internet, but the card data obtained by any of these methods will be totally useless.  The data cannot be used to make a purchase, create a counterfeit card, or link it to a PAN stored within the FI. In short, one cannot use the data to transact; only an authentic digital derivative token may be used to make a payment. 

So what is the secret sauce? How do Cyberstripe cards work?  Cyberstripe cards work in concert with Secure Card Reader Authenticators (SCRAs) at the point of sale and a secure Cyberstripe Detoken Module (CDM) located at the Issuer, Core-Processor, Acquirer, or Gateway. Inside the SCRA is a powerful security chip which takes the Card Seed Token from the Cyber-entropic layer of the card and generates a Derived, Unique, Token per Transaction.   This dynamic, one-time-use token is elastic and can be combined with external data for expanded authorization requirements or restrictions.  The token is then encrypted inside the SCRA and can be sent over any communication channel for authentication and authorization.  The issuer or a validation agent has a Cyberstripe Detoken Module (CDM). Within this hardened appliance the token is decrypted, detokenized, and validated. If the token is authentic, it reveals the pointer to the PAN at the FI and the transaction can proceed.  If it is not authenticated, the transaction can be aborted. 

It’s a quantum leap forward. The cards are pre-numbered and unchangeable, so the consumer portion of the PAN will always contain zeros. The Card Serial Number and the initial Card Seed Token are recorded during production. Going forward, the Card Seed Token will change unpredictably with every use, just like encryption keys do when using the DUKPT key management scheme. It works on the same basis as quantum physics. There is a sensor inside the SCRA, which excites the magnetic seeds in the cyber-entropic layer creating a digital token.  When they settle back down, the seeds never land exactly as before.  The act of swiping the card causes a slight mutation of the cyber-entropic layer, and that subtle change ensures that no two derivative tokens will ever be identical.     

So Cyberstripe cards can be swiped simply and safely, while generating a new one-time-use payment token each time. One can tokenize at the swipe and detokenize just before authorization. Imagine: no sensitive data on the card, data breaches with no fraudulent consequences, no successful skimming attacks, while protecting consumers from identity theft. It’s all within reach. 

When a simple Two Factor Authentication solution is needed, Cyberstripe cards can be used with self-selected Personal Identification Numbers (PINs) for the ultimate in two-factor authentication: a dynamic, one-time use Cyberstripe token – something one has, and a PIN – something one knows.  This pairing is easy to use and will prevent card lost and stolen fraud as well as fraud from skimming and data breaches.

Cyberstripe tokens can also be safely provisioned to phones, mobile tablets or PCs via a MagTek SCRA or by Host Card Emulation (HCE) where a Cyberstripe Token is stored in lieu of Card data.  All payment channels can use Cyberstripe derivative tokens. 

MagTek offers Zero Liability token generation.  When Cyberstripe cards are used there is no blame game. There are no liability shifts and no liability finger-pointing. The liability for counterfeit Cyberstripe token generating cards falls squarely on MagTek.  There is zero liability for the merchant, the consumer or the issuer if a Cyberstripe card is cloned, copied, or compromised in a breach.  MagTek can offer this warranty because there is no sensitive data stored on the cards.

Cyberstripe tokens are vault-less.  In many token schemes, the tokens are all stored in a database alongside the PANs.  This creates a “honeypot” effect, because the vast quantities of PANs all assembled in one place with their associated tokens is the ultimate challenge for a hacker. The effort is great but the payback can be huge when an enormous number of PANs can be harvested. Cyberstripe tokens are PAN-free. They are generated on demand and are detokenized and validated in a hardened security module as needed. There is no need for a vault or its associated risk.  

Consumers will find this really easy. At the point of swipe, there’s nothing new to learn. They swipe the same way, the receipt looks the same, and the transaction is processed in milliseconds.  The unseen but dramatic difference is a Cyberstripe-generated, vibrant payment token that travels through the merchant’s POS, over a public network and on to the issuer for detokenization has replaced the perilous PAN, which hackers and crooks find so attractive. On the consumer’s phone or tablet, the Cyberstripe Token can be presented as a 2D Barcode or abbreviated to 8 characters which can be typed or read by a traditional barcode scanner. 
This technology is suitable for alternative payment networks, merchant private label cards, prepaid, gift and EBT cards, or storage, protection and transmission of cryptocurrencies. It can also perform as a secure surrogate for a traditional magstripe card or a card on file. It’s fully compatible with EMV chip and PIN and chip and signature, but does not depend on either.

 This is a responsible move.  PANs do not belong on cards.  It’s time we as an industry acted responsibly and removed them. A card serial number can be safely placed on the card and indexed to a PAN that is known only to the FI. Remember, if a thief discovers this card serial number, he cannot use it to purchase.  If he copies the card serial number onto another card, the token validation will fail. Plastic cards will be with us for a long time even as we add other forms of payment access, like phones and wearables.   The opportunity is here to put trust back into the payment card industry and eradicate data breaches.  

Is there precedent for PAN-free cards? Note that Apple PAY does not store a PAN on the phone; it uses a static Device Account Number (DAN) instead. And that DAN is converted back to a PAN by the brands before presentment to the issuer for authorization.  Cyberstripe CSNs are to cards what DANs are to phones, except the former is a safer and lower cost alternative.

Ultimately, EMV will prove to be costly, clunky, confusing, hackable, time-consuming and will not stop fraud. Neither merchant nor issuer will see an ROI on its investment in EMV and so with that lesson learned, the marketplace will seek out better technology, one that addresses root cause.   The visible, machine readable static PAN is the root cause of the problem and it should be removed from the equation when using magstripe, EMV, NFC, barcode, BLE, or any other transmission method.   

Merchants must consider an approach that works best for them and play a larger role in influencing the direction of security solutions. It’s time for the community to act in concert with each other and not at the behest of the rule makers. Merchants can lead this industry by example.  Start with your private label cards, for example. More than ever, members of the MAG, have an opportunity to make a lasting and vital impact on the future of payments.  If this message resonates with your organization, please join us for an in depth conversation to discuss the Cyberstripe strategy for combatting fraud and restoring simplicity and confidence to electronic payment acceptance.