Remote Card Authentication
Token-based authentication
Fraud follows the way we behave: as we shop more online or by phone (card-not-present transactions), fraudsters are increasingly targeting those channels.
To protect retailers and customers and to help drive use of these remote channels, APACS is working closely with banks, card schemes and systems vendors on a range of initiatives to ensure that the person making a card-not-present payment is the genuine cardholder. A remote card authentication system (or token-based authentication system) is one key initiative being considered within the next generation of solutions.
How does remote card authentication work?
A remote card system enables two-factor authentication, which uses something a cardholder has and something a cardholder knows. There are a number of different solutions to implement such a system.
One solution is for a cardholder making a card-not-present transaction to insert their chip and PIN card into a hand-held card reader (i.e. something the cardholder has) provided by their bank, and enter their PIN (i.e. something the cardholder knows). Once the PIN entered is confirmed, the reader generates a one-time passcode, which the cardholder provides to the retailer for authentication with the cardholder’s bank.
The card reader uses the security features built into the chip on the card and is never connected to the internet.
This solution leverages customers’ familiarity with chip and PIN in the ‘card-present’ environment as well as building upon the current technology implemented by both the banking and retailing industries.
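The flow described above, modelled as an added example that is not part of the original page and is not any bank's or card scheme's implementation. The page does not specify how the passcode is computed, so the code assumes a counter-based HOTP (RFC 4226) as a stand-in; the `Card` and `Bank` classes, the shared key and the look-ahead window are hypothetical.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP, assumed here as a stand-in for the reader's algorithm."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Card:
    """Something the cardholder has: a chip holding a key, a PIN and a counter."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self.counter = 0

    def passcode(self, pin: str) -> str:
        # Something the cardholder knows: the PIN is checked offline,
        # with no network connection, before any passcode is produced.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        self.counter += 1  # every passcode uses a fresh counter value
        return hotp(self._key, self.counter)


class Bank:
    """Issuer side: checks the passcode the retailer relays."""

    def __init__(self, key: bytes, window: int = 5):
        self._key, self._window = key, window
        self.last_counter = 0  # highest counter value accepted so far

    def verify(self, code: str) -> bool:
        # Look ahead a few counters: a passcode may be generated but never used.
        start = self.last_counter + 1
        for c in range(start, start + self._window):
            if hmac.compare_digest(hotp(self._key, c).encode(), code.encode()):
                self.last_counter = c  # this and all earlier passcodes are now dead
                return True
        return False
```

Because the bank only ever searches forward from the last accepted counter, a passcode captured by a retailer or an eavesdropper cannot be replayed for a second transaction.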
Will this be piloted to ensure customer adoption?
APACS is working towards a trial in 2007. The intention is to involve a number of banks, card schemes, retailers and cardholders.
