DDA on EMV cards offers best-in-class security to reduce fraud

The adoption of the EMV standard is spreading worldwide.

Looking at Europe, at the end of 2008, 55% of payment cards were EMV chip and PIN cards, and 47% of POS terminals and 61% of ATMs were EMV compliant. The equation is now simple for banks around the world: magnetic stripe cards = maximum risk of fraud. For each geographical market, changes in regulations that shift liability onto either the merchants or the financial institutions are the main driver for the adoption of chip and PIN cards.

Compared with magnetic stripe cards, EMV cards based on chip and PIN offer a higher level of security during transactions, and they continue to be deployed. Whereas it was easy to copy magnetic stripe details, chip and PIN made it harder for criminals to create a fake card. Counterfeit card fraud losses continue to decrease thanks to EMV, which makes it much harder for criminals to use fake cards in cash machines and shops in Europe. EMV cards can be SDA or DDA, i.e. Static vs Dynamic Data Authentication.

Fraudsters have reportedly attempted skimming fraud on SDA cards, i.e. trying to clone the card by leveraging the static mode used during off-line authentication. DDA shuts down this type of skimming fraud thanks to its dynamic mode during the authentication process. EMV DDA is now the best-in-class recipe to protect financial institutions and their clients from fraud. As an example, in France the introduction of DDA in 2006 reduced fraud from 17.5ME to 5.0ME, according to Banque de France. Since 2008 and the completion of the DDA migration program, no card cloning case has been reported. In addition to Germany and France, which were early adopters of DDA, there are ongoing migration programs to DDA in the UK, Poland, Turkey (together with Contactless), Russia and Ukraine. This trend will accelerate since the two main international payment institutions, Visa and Mastercard, made it a MANDATE that, as of January 1st 2011, all chip card issuers in Europe using their payment networks must be DDA compliant.

What does it take to go DDA?

The move from SDA to DDA requires a new chip with a so-called crypto-processor. The main feature of a DDA card is the support of an RSA key pair (RSA is an asymmetric algorithm that uses a private key and a public key) that is unique per card. The card uses its private key to generate a dynamic signature over information communicated by the terminal. The terminal checks this signature. If the signature is valid, it is the proof that the card contains the secret private key and therefore that the card is not counterfeit. The impact on card personalization is that one RSA key is now generated per card, as well as an additional certificate and an additional card 3DES key.
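The exchange described above can be sketched as follows. This is an added example, not Gemalto's or EMV's code: it uses unpadded textbook RSA with small constructed primes instead of the real EMV signature format, and the names `GenuineCard`, `CopiedCard` and `terminal_accepts` are hypothetical.

```python
import hashlib
import secrets

# Toy key material (constructed for this example): two known Mersenne primes.
# Real cards use far larger RSA keys and EMV's padded signature format.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q


def digest(data: bytes) -> int:
    """Hash the terminal's data and map it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class GenuineCard:
    """Chip with a crypto-processor: the private exponent never leaves it."""

    def __init__(self):
        self._d = pow(E, -1, (P - 1) * (Q - 1))

    def sign(self, terminal_data: bytes) -> int:
        return pow(digest(terminal_data), self._d, N)


class CopiedCard:
    """Holds only what can be recorded from outside the chip:
    one signature captured during an earlier transaction."""

    def __init__(self, recorded_signature: int):
        self._recorded = recorded_signature

    def sign(self, terminal_data: bytes) -> int:
        return self._recorded  # no private key, so it can only replay


def terminal_accepts(card, terminal_data: bytes = None) -> bool:
    """Verify the card's signature over data chosen by the terminal.
    Assumes the card's public key (N, E) was already validated through
    its certificate; that chain check is omitted here."""
    if terminal_data is None:
        terminal_data = secrets.token_bytes(8)  # fresh for every transaction
    return pow(card.sign(terminal_data), E, N) == digest(terminal_data)


if __name__ == "__main__":
    genuine = GenuineCard()
    old_data = b"constructed-old-transaction"
    copy = CopiedCard(genuine.sign(old_data))
    print("genuine card, fresh data:", terminal_accepts(genuine))
    print("copied card, fresh data: ", terminal_accepts(copy))
    print("copied card, reused data:", terminal_accepts(copy, old_data))
```

The last case shows why the terminal's data must change on every transaction: a signature over fixed data is as copyable as the static data on an SDA card.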

Gemalto has done it already for multiple clients worldwide

The benefit of working with the market leader is that new customers profit from the lessons learnt in previous migration programs. There is one EMV DDA, but each country had a different approach to its migration program. France was very technology minded, the UK was very pragmatic. Germany had an industrial approach, making sure all the stakeholders win. Poland and Turkey were very focused on innovation. Migrating to EMV chip and PIN cards is a major milestone for geographical markets where magnetic stripe cards are a clear threat fraud-wise. The migration from SDA to DDA brings another reduction of observed levels of fraud by a factor of 2.

