Thales Blog

The Quest For Security: SDA Vs DDA

September 30, 2009

In the beginning there were magnetic stripe cards. But as EMV has been rolled out across Europe, many banks, especially in the UK, made the decision to upgrade to static data authentication (SDA) smart cards. SDA cards are much harder for fraudsters to attack and counterfeit than magnetic stripe cards. However, SDA cards have known security weaknesses: fraudsters may still be able to collect the necessary chip data from an SDA card at the point of sale and use it to produce counterfeit chip data.

To address this, both Visa and MasterCard have issued a mandate for European banks that all offline-capable cards issued after 2011 should use dynamic data authentication (DDA), which is more secure than SDA. This mandate is also in line with SEPA requirements. DDA cards are more secure than SDA ones because each DDA card stores an encryption key that generates a unique number for each transaction, and that number is valid for only one authentication. By contrast, the signature used for SDA cards is the same every time. As a result, unless issuers send transactions from SDA cards over the processing network for online authentication, terminals might not be able to detect fraudulent cards.
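The difference can be modelled in a few lines. The following is an added example, not code from the original post or from any EMV specification: it shows a terminal accepting a copy of an SDA card's fixed signature offline, and rejecting the same copy under DDA because the copy cannot sign a fresh challenge. Assumptions: textbook RSA with constructed toy keys and no padding, the card's key modelled as an RSA signing key, the terminal trusting the issuer key directly (real EMV adds a scheme CA above it), and all function and field names are hypothetical.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_h(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

# Constructed keys: Mersenne primes stand in for real RSA primes.
ISSUER_PUB, ISSUER_PRIV = make_key(2**107 - 1, 2**127 - 1)
CARD_PUB, CARD_PRIV = make_key(2**61 - 1, 2**89 - 1)
STATIC = b"PAN=0000000000000000;EXP=0000"  # constructed card data

def personalise():
    """Issuer step: everything a terminal can read from the chip."""
    return {"static": STATIC,
            "ssad": sign(ISSUER_PRIV, STATIC),  # the one fixed SDA signature
            "card_pub": CARD_PUB,
            "card_cert": sign(ISSUER_PRIV, repr(CARD_PUB).encode() + STATIC)}

def terminal_sda(chip):
    """SDA: check the issuer's signature over the static data."""
    return verify(ISSUER_PUB, chip["static"], chip["ssad"])

def terminal_dda(chip, respond):
    """DDA: check the card key certificate, then a signed fresh challenge."""
    certified = repr(chip["card_pub"]).encode() + chip["static"]
    if not verify(ISSUER_PUB, certified, chip["card_cert"]):
        return False
    challenge = secrets.token_bytes(4)  # new for every transaction
    return verify(chip["card_pub"], challenge, respond(challenge))

def genuine_card(challenge):
    return sign(CARD_PRIV, challenge)  # private key never leaves the chip

def copied_card(chip, earlier_response):
    """Model of a copy: readable data plus one response observed earlier."""
    return dict(chip), (lambda challenge: earlier_response)
```

The copy passes `terminal_sda` because every value that check uses is readable and never changes; it fails `terminal_dda` because the one response it holds was produced for a different challenge.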

So what is delaying the evolution to DDA smart cards? The main reason is that issuing these cards is not as straightforward as issuing SDA ones. There are significant capacity and cryptography challenges associated with DDA. For example, it can take up to eight times longer to generate the cryptography on a DDA card. Yes, up to eight times. However, with the SEPA deadline just around the corner, not to mention the Visa and MasterCard mandates, DDA must become a priority for issuers. They urgently need to look at effective ways of managing their card encryption processes in order to smoothly implement DDA technology by 2011.