A pragmatic approach to temporary payment card numbers

Published: 01 July 2009

Abstract

With the push towards electronic payments that use a smart card and authenticate the cardholder by his or her personal identification number, much fraud has switched to the residual payment methods that just rely on knowing the card number: card-not-present transactions. There are various countermeasures; notably some issuers allocate temporary card numbers (TCNs). The snag is that this is an online solution that requires the cardholder to be identified and authenticated over a separate and direct link between the cardholder and card issuer each time a number is allocated. Some off-line mechanisms have been proposed but those TCNs do not act as the cardholder's identifier. This paper examines a sample of online and off-line TCN mechanisms and then proposes an off-line mechanism that gives a comparable service to the online mechanisms. The cardholder's privacy is protected whilst still allowing proof of payment.

    Published In

    International Journal of Electronic Security and Digital Forensics  Volume 2, Issue 3
    July 2009
    95 pages
    ISSN:1751-911X
    EISSN:1751-9128

    Publisher

    Inderscience Publishers

    Geneva 15, Switzerland

    Author Tags

    1. CNP
    2. card-not-present
    3. cardholder privacy
    4. e-commerce
    5. e-payment
    6. electronic commerce
    7. electronic payment
    8. non-repudiation
    9. offline TCN
    10. online TCN
    11. payment cards
    12. proof of payment
    13. temporary card numbers
