VISA CodeSure: Chip and PIN for online or card-not-present transactions

To address the risks threatening the security of online or 'card not present' (CnP) transactions, VISA Europe has successfully launched an innovative solution named VISA CodeSure. CodeSure is a technology that fuses traditional credit cards with devices that generate one-time passwords (OTPs). VISA Europe developed this technology in partnership with an Australian company called Emue Technologies (www.emue.com).

Cards produced with CodeSure technology look and feel like an ordinary credit/debit card, with a few differences: an embedded e-ink display and a 12-digit keypad on the back of the card.

While chip and PIN (EMV) cards have provided reasonable assurance of security for face-to-face transactions, they are somewhat as vulnerable as a mag-stripe card during a CnP transaction. CodeSure promises to provide a level of security similar to EMV for online or CnP transactions.

While contemporary cards depend on the CVV (a three-digit number written on the back of the card, which is not stored in track data) or static passwords (used by 3D Secure), CodeSure requires the cardholder to enter their PIN on the 12-digit keypad and obtain a one-time key to be used for online or CnP transactions. The transaction validation process is carried out in the following order:

  1. During online shopping, the cardholder activates the authentication process by pressing the “Verified by Visa” option button on the card’s keypad.
  2. When prompted, the cardholder enters the PIN into the keypad embedded in the card.
  3. A unique one-time passcode appears on the card’s display, which is then used by the cardholder to authenticate a normal Verified by Visa transaction.
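The steps above describe a PIN-gated one-time passcode; the page does not say which algorithm CodeSure uses. This added example (not VISA's or Emue's code) substitutes RFC 4226 HOTP and assumes the PIN is mixed into the key. `Card`, `Issuer`, `pin_bound_key` and the sample secret are constructed here to show what the issuer-side check has to enforce: replay rejection, resync after an unused code, and failure on a wrong PIN.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pin_bound_key(card_secret: bytes, pin: str) -> bytes:
    """Assumption: the PIN is mixed into the key, so a wrong PIN gives a wrong code."""
    return hmac.new(card_secret, pin.encode(), hashlib.sha256).digest()

class Card:
    """Constructed model of the card: one button press is one counter step."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self, pin: str) -> str:
        code = hotp(pin_bound_key(self.secret, pin), self.counter)
        self.counter += 1
        return code

class Issuer:
    """Constructed model of the issuer-side check with a look-ahead window."""
    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.key, self.counter, self.window = pin_bound_key(secret, pin), 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1   # every counter up to c is now spent
                return True
        return False

def demo() -> dict:
    secret = b"constructed-card-secret-0001"   # constructed sample value
    card, issuer = Card(secret), Issuer(secret, pin="4921")
    first = card.press("4921")
    card.press("4921")                  # code generated but never submitted
    third = card.press("4921")
    return {
        "first_accepted": issuer.verify(first),
        "replay_rejected": not issuer.verify(first),
        "resynced_after_skip": issuer.verify(third),
        "wrong_pin_rejected": not issuer.verify(card.press("0000")),
    }
```

The look-ahead window is the trade-off to tune: it tolerates codes that were displayed but never submitted, at the cost of widening the set of values an attacker can guess against.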

According to VISA Europe (http://www.visaeurope.com/en/newsroom/news/articles/2010/visa_codesure_gets_green_light.aspx), CodeSure has been approved for use in the following services:

  • PIN generated one-time-passcode for Verified by Visa payments at participating merchants globally – without changes to merchant software or cardholders having to register and remember passwords
  • PIN-generated one-time passcode for online banking access
  • PIN-generated one-time passcode for telephone banking services
  • Transaction signing for online banking services, using specific elements such as Account Reference Number or amount of transaction
  • Access to third party services such as corporate virtual private networks (VPN) for commercial card users, or frequent flyer programmes and other online services

CodeSure also enables mutual authentication of both parties, i.e. the bank and the cardholder. Such mutual authentication will help cardholders stay safe from phishing and related identity theft attacks. CodeSure can provide this mutual authentication for transactions conducted by phone as well.

While CodeSure is a promising technology and a step in the right direction, it seems that such technologies will take some time to be adopted, as institutions will be weighing the benefits against the cost. Issuing new cards might not be that complicated, but migrating existing customers might be a daunting task. Nevertheless, CodeSure is definitely a futuristic step and is hopefully here to stay.
