VeriSign bids to boost online payment card security with password system
Many corporate road warriors carry tokens that generate one-time passwords they use to log in to their corporate networks. Now two companies aim to bring that security technology to consumers by enabling standard-size credit and debit cards to generate and display passwords that change continuously, eliminating the threat that a hacker could drain a bank account by stealing a consumer’s user name or password or make a fraudulent purchase online with someone else’s credit card number.
VeriSign Inc., a supplier of one-time password tokens, has integrated that technology into payment cards from InCard Technologies Inc. Each card contains a small battery. The cardholder squeezes a button on the back of the card to generate a password that appears on a small display on the card. The 6- or 8-digit number displayed, which is good only for a short time, is verified by VeriSign.
While initially aimed at online banking and securities trading, the technology could make sense for online retailers, especially those selling high-priced items who may be suffering high fraud losses or turning down many sales for fear of fraud, says John A. Ward III, chairman and CEO of InCard. “For industries that are having high levels of fraud or denial of transactions, this is another way to ensure that the person who is calling holds that card,” Ward says.
The one-time password system would prevent fraud that occurs, for instance, when someone tries to use a credit card number from a discarded receipt to make an online purchase. Without the one-time number the VeriSign system expects from that card, the transaction would be turned down.
The additional layer of security may be reassuring to consumers who fear their personal information may be compromised when they shop on the web, says Jeff Schueler, CEO of Usability Sciences Corp., which researches consumers’ web experiences. He notes many online retailers already have introduced an extra step by requiring consumers to enter additional 3- or 4-digit codes on their cards in addition to the card’s account number. Many consumers remain fearful of entering credit card details online. A Forrester Research survey last year showed that only 26% to 37% of web shoppers, depending on their online experience, were confident their credit card details were safe online.
Payment service PayPal began offering members password-generating tokens in a test that began in February. Customers pay $5 for the tokens, which can be used to sign on to accounts at PayPal or eBay, the online auction company that owns PayPal. “The uptake has been strong,” says a PayPal spokesman who would not provide details. He says PayPal has agreed to buy up to 1 million of the tokens from VeriSign. Brokerage firm The Charles Schwab Corp. is testing the tokens as well, says Fran Rosch, vice president of authentication services at VeriSign.
Putting the password-generating technology into the form of a card means consumers need not carry an extra device like a token, says Ward of InCard. He says cards with the VeriSign technology will cost card issuers $12 apiece in quantities of at least 100,000. The cards are guaranteed to work for three years. He says several banks and securities firms around the world are conducting internal tests of the card and that larger rollouts could begin by late summer.
Rosch of VeriSign notes that the card can be used by any web site or call center that is linked to VeriSign’s authentication system. A retailer could issue its own card, branding it as PayPal is branding its token, and pay VeriSign a fee per user as well as paying for the card. Or a retailer could offer customers the option of registering VeriSign-enabled cards they receive from their banks or other sources and use the one-time passwords for authentication at that site. In that case, the retailer would pay a fee per registered cardholder. Rosch says the fees are negotiated with each company and the per-user fee goes down as the number of registered consumers goes up.
The card generates a number that changes every 30 seconds. The method used to derive the number is known to VeriSign’s host system so the host can verify at any point whether the number entered by the consumer is the correct number for that card at that time.