Good to hear from you and thanks for your feedback. Good question too because at the moment, outside of Germany, I don’t know of any banks issuing cards configured to do CDA. A CDA card is no different in cost to a DDA card – both need RSA capability. Once a card can do DDA, it has the capability to do CDA.
So my opinion on why no-one is doing CDA yet comes down to 3 things:
1. CDA means both the card and the terminal need to do another 3 level RSA calculation to verify a 2nd cryptogram. So where we often have concerns about transaction response times in older terminals re DDA – then we double that concern for CDA. As we are still gathering experience with DDA, and we have had some terminal problems with DDA (poor response times, buffer overflows etc), I don’t think issuers want to risk moving into even more unknown waters with CDA.
2. Not all terminals support CDA. Both Visa and MasterCard have mandated DDA for all EMV terminals, but no mandates yet for CDA – although I did hear a rumour that MasterCard is going to mandate CDA support in terminals in Europe.
3. The risk of the attack that CDA guards against is very small because there is still so much opportunity to counterfeit with magstripe and SDA out there, and fraudsters have not even started attacking SDA yet. The attack that CDA guards against is relatively difficult – much easier to skim magstripe, or even copy SDA cards. So we will probably see the industry move to CDA once most cards are DDA, when the opportunities to skim magstripe and SDA are much slimmer.
Anyway, hope you are well and getting lots of EMV work!!
On 12/10/08 9:07 PM, Alvin Mercado wrote:
I’m interested to know what your thoughts are regarding DDA vs CDA. Is the card cost the same for DDA and CDA? If it is, what is stopping issuers from going CDA? Will there be a huge update of CDA over DDA then since CDA is more secure?