14 May, 2009
MasterCard Worldwide and Cryptography Research announced an agreement that ensures future chip-based MasterCard payment products will be licensed by Cryptography Research and thus secured against Differential Power Analysis (DPA) attacks.
Cryptography Research identified the smart card vulnerability known as DPA and then patented countermeasures to protect chips against the attack. The company has been working to encourage semiconductor manufacturers and chip card suppliers to sign license agreements (and pay license fees) for products utilizing DPA countermeasures. To date, three of the six largest smart card chip manufacturers – Infineon, Renesas and NXP – have signed license agreements.
Until today, the licensees have come from the supplier side of the smart card value chain. This announcement with MasterCard represents the first reversal of this arrangement, whereby a downstream entity (i.e. a payment association, card issuer, end user) has publicly mandated the use of DPA-licensed products. This puts pressure upstream, forcing companies that supply chips and cards to MasterCard-issuing banks to be licensed.
In the announcement, MasterCard’s Christian Delporte said, “The new requirements and rigorous testing provide enhanced assurances to our smart cards and devices.”
“The agreement covers all smart cards as well as other types of payment devices using a security chip,” Cryptography Research’s Kit Rodgers told SecureIDNews, suggesting that EMV contact cards, contactless cards, and even mobile handsets with SIMs would be covered. “These devices need strong security including DPA countermeasures and MasterCard is acknowledging that our portfolio of protections is crucial.”
Will this trend continue throughout the payment industry and even into other industries? While many do not have a centralized entity such as MasterCard to mandate behavior, nearly every card-issuing industry has some organization, association, or body that at least influences or recommends security best practices.