The firms, Verisign and Innovative Card Technologies (ICT), announced Tuesday that they are jointly trying to sell this concept to various credit-card (and debit card) issuers, with per-card prices ranging from $10 to $30, depending on volume purchased. That compares with a traditional card that costs less than a dollar and sometimes far less than a dollar. Verisign VP Fran Rosch guessed that major banks would likely pay "in the teens" for the new formfactor, given the volumes they would likely be using.
The concept of the card is powerful and timely, as retailers are desperately trying to improve POS security, especially for E-Commerce transactions. With thefts of credit-card identifying data growing rampant, the idea of an authentication code that, in theory, couldn't possibly be stolen from some retailer's database is quite compelling.
"Personally, I think this form factor makes tremendous sense," said Gartner security analyst Avivah Litan. "It's much more convenient for users and it can be used in multiple channels: point-of-sale, ATM, voice and web. Most of the data stolen from breaches would be rendered useless unless the thief stole the actual card."
Litan said it looked quite likely that banks will end up supporting this approach. "I am fairly certain they'll get one or two top-ten banks to pilot it. And let's be real: considering all the charges consumers get on their credit card or debit card bills, the banks could easily slip in another $10 'security fee' if they believed in the solution. This would be a lot less offensive than their late fees and financing charges."
But that's not necessarily going to happen. Even assuming the extreme lower end of that price range, the price could easily be far too high for the typical large card issuer, said David Robertson, publisher of The Nilson Report, a well-respected research site tracking the payments space.
"The cost is way too high for mass market distribution in the U.S., even at $10," Robertson said. "There are cheaper fraud solutions for online purchases."
The typical card today costs 27 cents to make, compared with the $10-$30 range for the one-time-password-issuing version. Although an oft-quoted figure for credit card cost is $1/card, that includes 73 cents for the customization of the embossed name, the magstripe programming, packaging and distribution, among other things. All of those other charges would still have to happen with the higher-priced secure card, making the true comparison price 27 cents, Robertson said.
With more than 1.2 billion cards in the market today, this could only be "a niche card for people who are doing a lot of online purchasing," he said. But he doesn't see how one could make a business case for it.
"That's a lot of money to spend to push someone who might be a fence-sitter, who might be hesitant to make purchases online. The differential between 27 cents and $10 and you're going to take a reluctant customer and try and push them beyond their insecurity?" Robertson asked. "You're not going to find any major financial issuer in the United States adopting this kind of technology."
Given the fact that consumers have not pulled back from online purchasing even in the wake of TJX and other recent well-publicized large data breaches, Robertson can't see the ROI argument here. "Online sales are increasing and the good guys are able to stay one step ahead of the bad guys at this time," he said. "Fraud is part of the cost of doing business. It's a manageable cost at this time."
Even if the market changes enough to make the price acceptable, there are still technological hurdles that would have to be overcome. "Work has to be done to upgrade the payment/ATM/VRU and Web systems to accept this form factor and one-time-passwords but those costs are less than the costs of security upgrades today," Gartner's Litan said. "The banks need to spend more on the cards though so we haven't seen that much momentum from financial institutions and card issuers but it could help solve a lot of security problems out there in the market today."
Banks would theoretically have several payment options, including passing all of the charges along to the consumer, some of the charges to consumers or absorbing the whole cost and turning it into a marketing advantage for nervous consumers.
Verisign and ICT's statement said that the card would "integrate the security of a one-time password token into a card the size of a standard credit or debit card. At the push of a button on the back of the card, an integrated display shows a password that changes with every transaction. During an online transaction, this number is entered into a user interface with other information (such as the user's static PIN and login name) for multifactor authentication."
The credit-card formfactor is the most interesting part of the announcement, but the two companies are also trying to sell their one-time-password-issuing device in other formfactors, primarily pocket-sized standalone security devices. The one-time-password device being tested by EBay's PayPal is one such application from Verisign and ICT.
Verisign's Rosch said many banks are conservative and hesitant about new formfactors. "When they start changing, they're very cautious," which is why the pair are offering a standalone security device in addition to the credit card version.
When asked, Rosch said "we think we'll have 1.5 million out by the end of the year" but then clarified that "a relatively small percentage will be credit cards."