In order to protect a cardholder from common threats posed by the Internet and similar environments, it is necessary to secure the very process of generating Mobile Virtual Cards. Compared to an inherently insecure channel such as the Internet, a mobile phone provides more protection, control, and privacy. Before a mobile phone owner can start using VCpayTM, he/she needs to activate the application by registering with the Issuer, selecting a funding account, and choosing a PIN that will be used to protect the application. It is important to note that the PIN is created offline on the mobile phone itself, is not stored on any host server, and is only known to the user. RSA Keys are used to establish a secure channel between the VCpayTM Host Server and the VCpayTM application during the activation process and for any further data exchange.
After successful activation, the user will be in a position to generate MVCs, which are totally compliant with international payment standards, thus consisting of a virtual card number, an expiry date, and a CVV/CVC. MVC numbers are complex cryptographic certificates generated offline using algorithms and cryptography based on 3DES with strong 168-bit keys. Specific information is embedded in the encrypted MVC, preventing anyone from being able to copy, change or reproduce. No financial data or consumer bank account information is stored on the phone and no SMS, WAP or browsing session is needed to generate the MVC. These security mechanisms prevent any attempt to compromise the MVC, as no one (except the user) is aware of its creation until it is used. In addition, MVCs can only be decrypted by the VCpayTM Host Server.