banner

Thales Blog

SEPA - 2011 DDA Deadline

August 21, 2009

As EMV has been rolled out across Europe, issuers have faced a choice between static data authentication and dynamic data authentication, or SDA and DDA. Many banks, especially in the UK, made the decision to migrate initially to SDA smart cards, but with the long-term aim of ending up with DDA.

Until now, most EMV card issuers have been issuing SDA cards, which are much harder for fraudsters to attack and counterfeit than magnetic stripe cards. However, unlike DDA, SDA cards have known security weaknesses which mean fraudsters are able to collect the necessary chip data from SDA cards at the point of sale to produce counterfeit chip data.

To address this, both Visa and MasterCard have issued a mandate for European banks that all off-line capable cards issued after 2011 should use DDA. This mandate is also in line with SEPA requirements.

If EMV cards in a given country carry out all transactions online, then arguably only SDA is needed, as the cards are already conducting dynamic authentication online. However, many countries, such as Finland and the UK, have offline infrastructures under which the card’s EMV profile determines whether the transaction goes online. Inevitably, that means that some SDA cards stay offline for some transactions. This poses a significant security risk.

DDA technology allows banks to more securely approve offline transactions without having to send them over the network for authorisation. Whereas DDA cards store an encryption key that generates a unique number for each transaction that is only valid for one authentication, the signature used by SDA cards is the same every time. Unless issuers send SDA transactions over the processing network for online authentication, terminals might not be able to detect fraudulent cards.

However, issuing DDA cards is not as straight-forward as issuing SDA cards and many issuers are not aware of the capacity and cryptography challenges associated with DDA. For example, it can take up to eight times longer to generate the cryptography needed for a DDA card. If banks are unable to extend the time they have to create the data, this could cause a major headache.

The SEPA deadline / MasterCard / Visa mandate is just around the corner and DDA must be on the agenda for issuers. As such, they will urgently need to look at effective ways of managing their card encryption processes in order to smoothly implement DDA technology by 2011.