Combating "Cardholder Not Present" Fraud
by Paul Meadowcroft - head of transaction security of the e-Security activities of the Thales Group - Wednesday, 9 March 2005.
The reader provides the user interface to the card and displays a one-time passcode once it has read the smart card and the user has entered his/her PIN. The user then manually types this passcode into the computer at the appropriate prompt. Only the issuing bank can authenticate this one-time passcode. To avoid repeat attacks, the one-time passcode can also be linked to the individual transaction by a more secure, yet still simple, challenge–response process. In that case, should the passcode be intercepted, it is of no use whatsoever beyond that single transaction.
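A minimal model of the transaction-linked passcode described above, added here as an illustration and not taken from the article or from any card scheme's specification. HMAC-SHA256, the event counter, the issuer's verification window, the challenge format, and all names and key values are assumptions.

```python
import hashlib
import hmac

DIGITS = 8   # assumed passcode length shown on the reader
WINDOW = 3   # assumed number of counter values the issuer will try

def passcode(key: bytes, counter: int, challenge: str = "") -> str:
    """Stand-in cryptogram: HMAC over counter and challenge, cut to digits."""
    msg = counter.to_bytes(8, "big") + challenge.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

def challenge_for(amount_minor: int, payee: str) -> str:
    """Challenge derived from the transaction, so the passcode is bound to it."""
    return f"{amount_minor}|{payee}"

class Card:
    """Smart card plus unconnected reader: PIN-gated, counter never repeats."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._counter = key, pin, 0

    def respond(self, pin: str, challenge: str = "") -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        self._counter += 1
        return passcode(self._key, self._counter, challenge)

class Issuer:
    """Issuing bank: shares the card key and remembers the last counter used."""
    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def verify(self, code: str, challenge: str = "") -> bool:
        for ctr in range(self._last + 1, self._last + 1 + WINDOW):
            if hmac.compare_digest(passcode(self._key, ctr, challenge), code):
                self._last = ctr  # this and every earlier counter are now spent
                return True
        return False

if __name__ == "__main__":
    key = bytes(range(16))  # constructed demo key
    card, bank = Card(key, "1234"), Issuer(key)
    ch = challenge_for(4999, "shop.example")
    code = card.respond("1234", ch)
    print("genuine:", bank.verify(code, ch))
    print("replayed:", bank.verify(code, ch))
    print("other transaction:",
          bank.verify(card.respond("1234", ch), challenge_for(99999, "other.example")))
```

An intercepted passcode fails both when resubmitted for the same transaction and when presented against different transaction details, which is the property the challenge-response variant adds.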



Assuming that consumers will not resist the introduction of unconnected readers, this new system will have an extremely positive effect on fraud and in turn help boost consumer confidence in e-Commerce. However, it is not just internet-based transactions that will benefit. Theoretically, any transaction where the card has to be used, and the cardholder is not present, could use this scheme. For example, if purchasing a good or service over the phone, the user could simply read the one-time passcode to the person at the other end, who could validate it in the usual way through the payment system. As such, the smart card is transformed into a personal security module to validate every financial transaction the user wishes to make.

The security benefits are clear to see. The inclusion of a smart card in every financial transaction will add a crucial second layer of authentication. This two-factor authentication process of something you have as well as something you know should dramatically reduce fraud.


The move towards two-factor authentication for all transactions using smart cards is an important example of a security model that is able to grow organically and embrace and integrate new transaction technologies and channels, as and when required. This kind of flexible yet secure and dependable system is key for today’s advancing e-business world and, crucially, is now a commercial possibility.

Copyright 1998-2013 by Help Net Security.