MasterCard Introduces Two-Factor Authentication Solutions

Both solutions are based on the proven MasterCard authentication standard, known as the OneSmart Chip Authentication Program (CAP), currently in use in multiple countries around the world. The two solutions provide enhanced security by offering "two-factor authentication," whereby a consumer employs something only he or she knows (such as a PIN) in tandem with something he/she has (an authentication device or a mobile phone).

In the financial community, interest in two-factor authentication continues to rise. Last October, to help protect banks and consumers from online fraud, the Federal Financial Institutions Examination Council (FFIEC) issued guidance that directed financial institutions to, upgrade from single- to two-factor authentication for "high-risk" online transactions. The FFIEC considers high-risk transactions to be those involving access to customer information or the movement of funds to other parties.

MasterCard has unveiled the MasterCard All-in-One Authentication Device, a slim, self-contained product that features a OneSmart Chip Authentication Program-compliant chip. A user enters his or her PIN into the device, which then creates a unique, one-time password that must be entered to permit the user to conduct online banking or e-commerce transactions at MasterCard SecureCode(TM)-enabled merchant sites. The one-time password that is generated is based on EMV and CAP, only works once, then becomes invalid upon the completion of the transaction.

The XIRING solution is the first of several "all-in-one" devices that may be offered by MasterCard through other authentication providers. XIRING is a leader in smart card security products and solutions.

MasterCard Mobile Authentication(TM) (MMA) allows consumers to use certain mobile phones and/or PDAs as one-time password generators. MMA customers download an authentication application to their J2ME-compliant mobile phone or PDA. Upon doing so, they are prompted to enter their PIN into their mobile device, which, similar to the MasterCard All-in-One Authentication Device, then generates a unique one-time password that must be entered to permit the user to conduct online banking or e-commerce transactions at MasterCard SecureCode-enabled merchant sites. The MMA solution is currently available through Cardinal Commerce, a leading provider of authentication services, and may also be available through other licensed vendors in the future.

"At KeyBank, we believe that harnessing the ubiquity of mobile phones and PDAs in support of secure e-commerce makes sense on a number of levels," said Carl Stauffeneger, senior vice president, Key Consumer Product Development. "We have worked closely with MasterCard and Cardinal Commerce to test MasterCard Mobile Authentication with our cardholders in numerous markets and their reaction has been almost uniformly positive. We expect solutions such as MMA to be a component of our product offerings moving forward."

"The MasterCard All-in-One Authentication Device and MasterCard Mobile Authentication are both cost-effective, security solutions for online banking and e-commerce transactions," said Art Kranzley, executive vice president, Advanced Payments, MasterCard International. "These solutions help financial institutions provide their customers with additional security and peace of mind when conducting financial and payment transactions online."

For 40 years, MasterCard has pioneered security innovations and continues to be committed to providing the safest, most secure and most reliable payment programs. The MasterCard All-in-One Authentication Device and MasterCard Mobile Authentication are the two newest additions to MasterCard's suite of online security solutions.

Existing Internet security offerings include MasterCard® SecureCode(TM), a global e-commerce solution that authenticates cardholders when they use their MasterCard payment cards to make purchases online. Before a SecureCode participant completes an online transaction, a Web page is presented by the issuer and prompts the cardholder to enter a predetermined password. Once the cardholder's identity is authorized, the transaction proceeds. SecureCode readily accommodates a broad spectrum of authentication methods ranging from passwords to unique, one-time passwords generated by the MasterCard All-in-One Authentication Device, a MasterCard Mobile Authentication-enabled mobile phone or PDA, and the OneSmart MasterCard Chip Authentication (CAP) program.

MasterCard's OneSmart Chip Authentication(TM) Program (CAP) leverages cardholders' existing chip cards issued in EMV environments (regions such as Europe and Asia Pacific). A cardholder inserts his or her EMV chip-enabled payment card into a smart card reader and enters his or her PIN. The hand-held or PC-connected reader then generates a unique one-time password that must be entered to permit the user to conduct online banking or e-commerce transactions.

For additional information on MasterCard's security initiatives, please visit www.mastercardsecurity.com.