Can You Make Security Pay?
By Patrick Walker, Prime Factors
In this brief article, I will attempt to describe how new MasterCard security requirements can offer many card manufacturers an opportunity to add to the revenue they earn from manufacturing magnetic stripe cards.
Improved Security
Each bank uses a 3-digit code on each bankcard to verify that it was created by that bank for a unique account number with a specific expiration date. This code is called a CVV (Card Verification Value) and is normally printed in the signature area on the back of the card. This allows a customer to provide proof to a merchant that he physically has the card in his possession when making a payment via the Internet or the telephone.
The method used to generate the CVV involves encryption with two secret keys (called CVKs) that are known only to the bank issuing the card. Knowledge of the account number and expiration date of the card, therefore, isn’t enough to generate the CVV. The number of different CVKs that could be used by a bank is so large that it is impractical for criminals to guess those keys.
Because the CVKs are so important, MasterCard is becoming stricter about how each bank's CVKs are stored by both the bank and the card manufacturer. The CVKs will soon be required to be encrypted inside special hardware devices called Tamper-Resistant Security Modules (TRSMs), instead of being encrypted inside a general-purpose computer such as a PC running Windows. The TRSMs use a Local Master Key (LMK) permanently stored inside the unit to encrypt external keys like the CVKs. The TRSMs must be designed and constructed to comply with strict U.S. Government regulations as outlined in the FIPS 140-2 standard. They are physically tamper-resistant, and in some cases, if the TRSM is physically opened or moved, the LMK is erased.
Increased Flexibility
New hybrid technology can combine software for a general-purpose computer (PC running Windows) with a TRSM, so that card manufacturers can offer a more complete and secure service to the banks. Additionally, this hybrid technology can also help card manufacturers migrate from encrypting keys with general-purpose computers to encrypting keys with TRSMs.
This new technology consists of two main components: a menu-driven, interactive program to manage the database of encrypted keys and the interface to the TRSM, and a utility program that uses cardholder information and a database of encrypted keys to create the CVVs, PINs and other codes needed to issue plastic cards and send out PIN mailers.
Normally, the card manufacturer receives each CVV along with each account number in order to personalize each card. The bank must choose an expiration date, calculate the CVV for each account number, and then protect the CVV for each card en route to the card manufacturer.
The new technology allows the bank to provide general rather than specific information to that card manufacturer. For example, the bank might provide a sequence of account numbers for a given expiration date, enabling the card manufacturer to calculate thousands of CVVs on the bank’s behalf. This process allows more flexibility and shifts most of the cryptographic processing from the bank to the card manufacturer.
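The following Go program is an added illustration of the two-key CVV derivation described under Improved Security and of the batch workflow described just above; it is not code from the article or from Prime Factors. It assumes the published DES-based CVV/CVC method (PAN, expiry in YYMM and service code packed as 4-bit digits into a 128-bit block, single DES under CVK A, XOR, TDES under CVK A/B, then decimalisation to three digits); the article itself only says that two secret CVKs are involved. The service code "000" for the printed code, the keys, the expiry and the account numbers are all constructed for the demonstration. In production the DES operations run inside the TRSM with the CVKs wrapped under its LMK; holding them in cleartext on a PC, as this program does, is exactly the practice the new requirements rule out.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// computeCVV derives a 3-digit CVV/CVC using the published DES-based method
// (an assumption here; the article does not spell out the algorithm).
// cvkA and cvkB are the issuer's two secret 8-byte single-DES keys.
func computeCVV(cvkA, cvkB []byte, pan, expiry, serviceCode string) (string, error) {
	data := pan + expiry + serviceCode
	if len(data) > 32 {
		return "", fmt.Errorf("input data longer than 32 digits")
	}
	for _, c := range data {
		if c < '0' || c > '9' {
			return "", fmt.Errorf("input data must be decimal digits")
		}
	}
	// One nibble per digit, zero-padded on the right to a 16-byte block.
	block, err := hex.DecodeString(data + strings.Repeat("0", 32-len(data)))
	if err != nil {
		return "", err
	}
	encA, err := des.NewCipher(cvkA)
	if err != nil {
		return "", fmt.Errorf("CVK A: %w", err)
	}
	encB, err := des.NewCipher(cvkB)
	if err != nil {
		return "", fmt.Errorf("CVK B: %w", err)
	}
	var t [8]byte
	encA.Encrypt(t[:], block[:8]) // E_A(first half)
	for i := range t {
		t[i] ^= block[8+i] // XOR with second half
	}
	encA.Encrypt(t[:], t[:]) // E_A
	encB.Decrypt(t[:], t[:]) // D_B
	encA.Encrypt(t[:], t[:]) // E_A: TDES under CVK A || CVK B

	// Decimalisation: hex digits 0-9 left to right, then A-F mapped to 0-5;
	// the first three digits of that sequence are the CVV.
	h := hex.EncodeToString(t[:])
	var digits strings.Builder
	for _, c := range h {
		if c >= '0' && c <= '9' {
			digits.WriteRune(c)
		}
	}
	for _, c := range h {
		if c >= 'a' && c <= 'f' {
			digits.WriteRune('0' + (c - 'a'))
		}
	}
	return digits.String()[:3], nil
}

// verifyCVV recomputes the code from the issuer's keys and compares it in
// constant time, as an authorisation host does with a merchant-supplied code.
func verifyCVV(cvkA, cvkB []byte, pan, expiry, serviceCode, presented string) bool {
	expected, err := computeCVV(cvkA, cvkB, pan, expiry, serviceCode)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// batchCVV models the workflow in the article: the bank supplies a run of
// account numbers and one expiry date, and the manufacturer computes the CVV
// for each account on the bank's behalf.
func batchCVV(cvkA, cvkB []byte, pans []string, expiry, serviceCode string) (map[string]string, error) {
	out := make(map[string]string, len(pans))
	for _, pan := range pans {
		cvv, err := computeCVV(cvkA, cvkB, pan, expiry, serviceCode)
		if err != nil {
			return nil, fmt.Errorf("PAN %s: %w", pan, err)
		}
		out[pan] = cvv
	}
	return out, nil
}

func main() {
	// Constructed demonstration keys and account numbers; real CVKs live
	// inside the TRSM under its LMK and never appear in cleartext on a PC.
	cvkA, _ := hex.DecodeString("0123456789ABCDEF")
	cvkB, _ := hex.DecodeString("FEDCBA9876543210")
	pans := []string{"4123456789012345", "4123456789012352", "4123456789012360"}
	codes, err := batchCVV(cvkA, cvkB, pans, "2812", "000")
	if err != nil {
		panic(err)
	}
	for _, pan := range pans {
		ok := verifyCVV(cvkA, cvkB, pan, "2812", "000", codes[pan])
		fmt.Printf("PAN %s expiry 2812 -> CVV %s (verifies: %v)\n", pan, codes[pan], ok)
	}
}
```

The point the article makes is visible in the code: everything on the card face (PAN, expiry, service code) is input, but without both CVKs the three digits cannot be reproduced, and a verifier that holds the keys rejects any code that differs by even one digit.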
Additional Revenue
The requirement for improved security and the flexibility for card manufacturers to handle that security provide an opportunity to generate additional revenue. Card manufacturers can charge banks a higher fee per card for this extra service, and using the new technology will allow card manufacturers to offer their bank customers an all-in-one bundle that is safe, profitable and flexible.