Since the beginning of 2015, there have been over 20 major data breaches logged in the United States; Anthem, the Mandarin Hotel and Chick-fil-A are three of the biggest, but it seems that the international cybercriminal community is determined to surpass 2014 in its efforts to illegally harvest data from businesses big and small nationwide.
“Fraudsters, hackers and dark-side programmers – whether they are organized crime or terrorists or even state sponsored groups – they are funding themselves with these activities and don’t want to stop. And the question for us has been, can anyone really stop the breaches and is the breach the problem? These folks are always going to be out there kicking around,” FiTeq CEO Joan Ziegler told PYMNTS in a recent conversation.
Ziegler says that when the ecosystem today talks about fighting cybercrime, the discussion is fairly limited to the systems themselves – how can we best lock criminals out of the POS so that they can’t easily harvest and scrape the data. Ziegler says she is all for the layering on of multiple security initiatives to try to detect hackers at work, but she says that’s still really only looking at part of the problem.
“Is the real problem that the payments cards we have in our wallet today are able to be easily reused by fraudsters?” Ziegler asked, noting that in her opinion that at least has to be factored in as a large part of the issue. “In the U.S. today, if they [cybercriminals] get your magstripe data and clone the card, they can shop at any brick and mortar location or shop on the Internet until the breach is noticed. Our means of looking at the problem – and the reason we started the company – is that we think the data on the payment card is static. We bring dynamic authentication to the card data.”
The way it works, Ziegler explained, is that the card itself generates a unique code with every purchase, a code that can be read by the issuing banks backend after FiTeq has embedded the coded reading software. If that sounds somewhat familiar to you, it should – it is a tokenization scheme. Instead of authorizing the transaction via the account number, a FiTeq card issues a one time data token – stealing it would be useless for a fraudster because the code would not be good for a future transaction.
“Instead of it being static data, in the case of a FiTeq card all the data is dynamic,” Ziegler noted.
What makes FiTeq unique is that it does this via a mag stripe card. Though their cards come EMV enabled with a chip embedded, their proprietary mag stripe will work at any standard terminal. The FiTeq card has also changed the nature of the three digit authorization code on the back of the card.
“Instead of the 3 digit code on the back of your card today that’s static, we have an e-ink display and every time you make an eCommerce transaction or order something over the phone, you get a new three digits.”
Developing a better mag stripe technology may seem a bit like perfecting the typewriter; sure it’s possible, but why would one bother to fix a piece of tech that is about to be made defunct by EMV and mobile?
Ziegler agreed that EMV and mobile – particularly wedded to tokenization – is the future.
“We very much believe in tokenization and when you look at what Visa, MC and Amex have done with mobile NFC wallets – it uses the very same patent portfolio that we have licensed.”
But she said, today’s customer and merchants don’t live in the future, they live in the present, where EMV is slowly rolling toward adoption.
“With many of the solutions that are out there today, merchants must change and they must change at the same time the bank changes – whether it’s Apple Pay, or EMV chip cards. What we can offer is that the merchants can do what they’re doing, with no change, and the consumer is safer. The big point of our solution is that banks are our customers, but they must be in lock step with the merchants to protect the consumer. We can’t just assume the merchants are going to change exactly at the same time the banks are. That is the big advantage of what we are doing.”
Ziegler says that FiTeq is about building a solution that is both backward and forward compatible because for a solution to be truly frictionless, it can’t require big changes in behavior for the parties that need to adopt it. Consumers today use mag stripe cards – so FiTeq works with them now. If NFC enabled mobile or EMV is the future, Ziegler says FiTeq is ready for that too as their cards are compatible with both. The point, she says, is to make this better for consumers.
“The liability shift is good for the merchants and the banks,” Ziegler noted about the coming EMV transition. “If your card gets compromised though, no matter what at this point, you need to wait for a new card to come to you.”
And that, Ziegler noted, is unacceptable for most consumers and really the biggest problem with data breaches. The financial costs, she notes, are usually small and ultimately covered by the banks. The inconvenience is a whole other issue.
“Whether you’re traveling or have an emergency and need to use your card and then finding that you’ve been blocked when you are the genuine cardholder is a terrible experience. And one that will also mean now you have to go back through your statements and report it back to your bank,” Ziegler told PYMNTS. She said that in the extensive consumer polling FiTeq has done what comes up again and again is that the monetary loss isn’t as big an issue as the constant card changes.
“The net for the consumer was that when it comes to my card being breached for the third time this year – no one is looking out for me.”
And that, Ziegler noted, is really the strength of the dynamic authentication – since every transaction is unique the cards are more resistant to POS attacks.
“These cards would not need to be replaced in the event of a breach,” Ziegler confirmed. “They [cybercriminals] certainly will think of other things. We are an important layer, because while we don’t stop the breach, we do find a way to make the breach not disruptive to the consumer.”
And stopping the inconvenience for the customer is only the first step for FiTeq.
“Everything we do for security with dynamic authentication, we can use that same dynamic data to distribute rewards at the POS or distribute offers to the consumer at the POS. It’s not strictly a security play, but security is where the big focus is now.”
FiTeq is a new firm, and one that has to compete with a card when the rest of the world claims it is going mobile. But then, FiTeq says they are ready to go mobile too – they are just making sure consumers can all be as secure as possible until the mobile future is actually the mobile present.