Why OTP?
Maintaining the security of customers’ funds in their bank accounts is of utmost importance for banks and financial institutions. When a bank card is issued as the key to a customer’s account, the card issuer must assure the customer that they alone can use that key to access the account. Security standards such as PCI DSS mandate measures that reduce the risk of unauthorized access as far as possible. However, when a card is lost or stolen, or is copied through fraud such as skimming, anyone who holds the card and learns the PIN can access the account.
By employing dynamic password solutions, financial institutions guarantee that even a copied card cannot be used to access the account without the gadget that provides the dynamic password. This gadget can be a token device, the cardholder’s cellphone, or even an online interface such as the cardholder’s email. Whenever the cardholder requests a financial transaction, an OTP (one-time password), valid only for a short period of time or for a single transaction, is delivered to them over a secure channel. This keeps the cardholder’s account safe even if the bank card is lost.
Variations
The NIUniverse design team has provided several options for receiving the dynamic password, so customers can choose the one that best fits their requirements and preferences. The security of all of these options is guaranteed by NIUniverse; the variety exists only for convenience.
At the customer’s request, the bank provides a token device that generates an OTP when a transaction is initiated. The token device is a small gadget the size of a bank card with a digital display that presents the OTP. It is an offline device and can be used anywhere, at any time.
A mobile application is another type of offline OTP provider, installed on the customer’s cellphone or tablet. The application must first be activated and verified online; after that it works offline.
Online OTP services include SMS, email, IVR, and even social media accounts. If the customer selects one of these online forms of the OTP service, a dynamic password is delivered through the chosen interface whenever a transaction is initiated.
Adoption
A convenient feature of adopting an OTP device or service, whether online or offline, is that it can be used with cards issued by different CMSs. In other words, a customer holding several cards issued by different CMSs can use a single OTP device or service to receive the dynamic password for each of them.
The mobile application use case is described here to give a better understanding of how the OTP solution works.
After installing the application on a smart device, you can use that device as a token. You can add as many card numbers to the application as you wish, since it stores a ‘seed’ per PAN, and you can choose which card you need an OTP for. When the application runs for the first time, an internet connection is required for activation, as shown in the following figure. The customer accepts the terms and conditions of OTP use, and this agreement is reported to the server online.
Afterwards, the customer enters a CIF, account number, PAN or other card-related data, which the application sends to the server. The server checks the entered data against the CMS data. If it does not match any customer record in the CMS, an error is shown to the customer. Otherwise, the customer’s phone number is fetched from the CMS and a verification code is sent to that number via SMS. The customer must enter the verification code in the application, which then sends it to the server for verification.
If the customer entered a CIF or account number, the customer’s PANs are sent to the app, and the customer selects the desired ones. The selected cards are then reported to the server and linked to the application. Once the OTP service has been activated successfully for these cards, the customer receives an OTP via the application whenever they want to make a transaction.
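The activation flow above (CMS lookup, SMS verification code, card selection, one seed per PAN) and the later one-time use of the OTP can be modelled end to end. The following Python program is an added illustration, not NIUniverse's or Setareh's code: the CMS records, phone numbers and PANs are constructed sample values, the OTP generator is assumed to be RFC 4226 HOTP with a 60-second time window (the page says only that the password is valid for a short period or one transaction), and the `ActivationServer` class with its methods is a hypothetical server-side model of the steps the text describes.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed CMS records (customer identifier -> phone number and PANs).
# Sample values only; not data from any real card management system.
CMS_RECORDS = {
    "CIF-1001": {"phone": "+98-900-000-0001",
                 "pans": ["6037990000000001", "6037990000000002"]},
    "CIF-1002": {"phone": "+98-900-000-0002", "pans": ["6219860000000003"]},
}
STEP = 60   # assumed validity window in seconds ("short period of time")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: float, step: int = STEP) -> str:
    """Time-based variant: the counter is the index of the current time window."""
    return hotp(seed, int(now // step))


class ActivationServer:
    """Assumed server-side model of the activation flow; not the vendor's code."""

    def __init__(self, cms=CMS_RECORDS):
        self.cms = cms
        self.pending = {}       # customer id -> SMS verification code awaiting entry
        self.verified = set()   # customer ids that passed SMS verification
        self.seeds = {}         # (customer id, PAN) -> seed shared with the app
        self.redeemed = set()   # (customer id, PAN, window) already used once

    def start_activation(self, customer_id):
        """Step 1: look the entered CIF up in the CMS; on a match, send an SMS code."""
        record = self.cms.get(customer_id)
        if record is None:
            return None   # app shows an error: no matching customer in the CMS
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[customer_id] = code
        # In production the code goes to record["phone"] through the SMS gateway;
        # here the returned tuple stands in for that message so the flow runs offline.
        return record["phone"], code

    def verify_code(self, customer_id, entered_code):
        """Step 2: check the SMS code (single attempt); return the PANs for selection."""
        expected = self.pending.pop(customer_id, None)
        if expected is None or not hmac.compare_digest(expected, entered_code):
            return None
        self.verified.add(customer_id)
        return list(self.cms[customer_id]["pans"])

    def link_cards(self, customer_id, selected_pans):
        """Step 3: provision one random seed per selected PAN for the app to store."""
        if customer_id not in self.verified:
            raise PermissionError("SMS verification has not been completed")
        known = self.cms[customer_id]["pans"]
        issued = {}
        for pan in selected_pans:
            if pan not in known:
                raise ValueError("PAN does not belong to this customer")
            seed = secrets.token_bytes(20)
            self.seeds[(customer_id, pan)] = seed
            issued[pan] = seed
        return issued

    def verify_otp(self, customer_id, pan, otp, now):
        """Transaction time: accept the OTP once, within the current window only."""
        seed = self.seeds.get((customer_id, pan))
        if seed is None:
            return False
        window = int(now // STEP)
        if (customer_id, pan, window) in self.redeemed:
            return False   # one-time: the same code cannot authorise a second transaction
        if not hmac.compare_digest(totp(seed, now), otp):
            return False
        self.redeemed.add((customer_id, pan, window))
        return True


def demo_flow(now=None):
    """Run the whole activation-and-transaction sequence; return the two OTP checks."""
    now = time.time() if now is None else now
    server = ActivationServer()
    phone, sms_code = server.start_activation("CIF-1001")   # SMS "sent" to phone
    pans = server.verify_code("CIF-1001", sms_code)         # customer types the code
    seeds = server.link_cards("CIF-1001", [pans[0]])        # customer picks one card
    otp = totp(seeds[pans[0]], now)                         # app shows the OTP offline
    first = server.verify_otp("CIF-1001", pans[0], otp, now)
    replay = server.verify_otp("CIF-1001", pans[0], otp, now + 5)
    return first, replay


if __name__ == "__main__":
    print(demo_flow())   # (True, False)
```

Two points the model makes visible: the seed is only ever issued after the SMS code has been verified, so a wrong CIF or a guessed code never yields a working token, and the server records each redeemed window per PAN, which is what turns a time-limited code into a genuinely one-time one.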
Appellation
“Setareh” means “star” in Farsi and stands for Smart Password Generation and Authentication System. Although there are countless stars in the sky, everyone has their own unique star. Likewise, each OTP device has a unique ID per customer and can provide an unlimited supply of dynamic passwords for the customer’s selected cards.