Chip and PIN
What is Chip and PIN?
Credit and debit card fraud is an international
problem, resulting in the need for a global system to increase
security for card transactions. Chip – or Smart – cards provide
the basis for this and are built to an internationally-agreed
standard, with many countries around the world already implementing
chip systems.
Initially the major advantage of chip
cards is the increased security they provide against counterfeit
card fraud. Chip technology uses sophisticated processing
to identify genuine cards and make counterfeiting both extremely
difficult and prohibitively expensive.
By the end of 2004, all 100 million
debit and credit cards in the UK will have been reissued with
embedded microchips, with the aim of drastically reducing
card fraud losses.
Chip cards also have the ability to
support future additional services such as loyalty schemes
or electronic purse and will provide opportunities for secure
new services in the fields of electronic commerce and home
banking.
To ensure chip cards are recognised
and accepted in all countries where card payments are made,
countries around the world are implementing them to a specification
drawn up by the international card schemes Europay, MasterCard
and Visa (EMV). Although some countries already have Chip
and PIN systems in place, they do not meet the agreed international
EMV standard – the UK will be the first country in the world
to have a fully-operational EMV Chip and PIN infrastructure.
Chip cards will still have a magnetic
stripe on the back for a number of years to ensure compatibility
with legacy card readers and for use in countries yet to adopt
Chip and PIN.
How can 3C Communications help?
For 16 years, 3C Communications
has been a leading provider of payment processing
software for any form of payment card and transaction,
whether generated in-store, at a call centre, from
an IVR system or over the Internet. 3C Communications'
card authorisation and EFT software - responsible
for transactions worth more than 25 billion Euros
a year - is playing a key role as Britain prepares
to adopt EMV Chip and PIN. The company has a very
strong international presence and has strategic initiatives
underway across Europe, the United States, ASPAC and
Africa.
The chip gives the card a degree of
computer intelligence (roughly the same power
and memory capacity as personal computers dating from the
early 1980s), which has led to chip cards being dubbed Smart Cards.
Due to the complexity of the chip, criminals will find it
uneconomic to copy Smart Cards whereas a magnetic stripe card
reader/writer can be purchased for a few pounds enabling copies
to be made at negligible cost – a process known as skimming.
Skimming normally occurs at retail
outlets - particularly bars, restaurants and petrol stations
- where a corrupt employee secretly reads a customer's card
with a small, hand-held electronic device before handing the
card back, then sells the information to other criminals who
fabricate counterfeit cards. The fraudsters then go shopping
with a copy of the credit or debit card, with cardholders remaining
blissfully unaware of the fraud until a statement arrives
containing purchases they did not make.
--------------------------------------------------------------------
How does a Smart Card work?
The card's chip is powered from the
card reader when it is inserted. Unlike magnetic stripe cards,
which are swiped through a reader, a Smart Card remains in
the reader for the duration of the transaction. This allows
the card itself to check the cardholder's PIN, whereas a magnetic
stripe card's PIN can only be checked remotely by the banks
and then usually only at cash dispensers.
The chip allows PIN to be used everywhere:
signature checking at the point of sale will eventually disappear.
In February 2002, the Association for Payment Clearing Services
(APACS) announced that from January 1st 2005 all credit and
debit card transactions should be authorised by the customer
keying in a PIN rather than signing a receipt. Retailers failing
to meet this deadline will find themselves liable for any
fraud that might have been prevented had Chip and PIN technology
been in use.
The chip combats counterfeit fraud
where criminals skim the magnetic stripe and clone a card,
while the PIN prevents lost and stolen card fraud where criminals
could easily forge a signature. The chip establishes the validity
of the card, the PIN that of the cardholder. Together, Chip
and PIN are expected to reduce UK card fraud by more than
half.

--------------------------------------------------------------------
The Chip and PIN programme
The UK's Chip and PIN programme is
driven by the Government and the banking industry to crack
down on card fraud. The aim is to guide the UK's migration
from signature-verified magnetic stripe to full EMV Chip and
PIN by the end of 2004.
Changing to Chip and PIN involves
large scale technical changes, training for an estimated 1.5
million retail staff and education for some 42 million card
holders. The final bill for implementing Chip and PIN across
the UK is anticipated to be around £1.1 billion.
Apart from the changes to the cards
themselves, all stand-alone terminals, cash dispensers and
customer activated terminals - kiosks, ticketing machines
and outside payment terminals - need to be upgraded to accept
chip cards and provide a PIN pad. Banking systems have already
been upgraded to process EMV chip information and to provide
the capability to manage cardholder PIN changes (all debit
and credit cards held by a customer can be changed to the
same PIN number for convenience). Comprehensive processes
of certification for all new cards and terminals will provide
compatibility and operability across the globe.
The considerably improved security
offered by the cardholder entering their own PIN creates new
possibilities for cardholder operated terminals. Traditional
kiosks and ticketing machines will be able to offer higher
value items; new payment channels over the Internet and TV
set top box will emerge; and self-scanning and payment can
become a reality in the supermarkets.
--------------------------------------------------------------------
What are the benefits to merchants and cardholders of moving to EMV Chip and PIN?
- Card fraud will reduce significantly
- A validated EMV chip and PIN transaction
  guarantees payment from the bank to the merchant
- Charge backs and the associated
  administrative costs are minimised
- PIN checking is computerised and
  the risks of human error associated with signature checking
  are eliminated
- PINs can be checked offline, eliminating
  the need for a connection to the bank
- Savings on till roll – two hard
  copies of each transaction are no longer required
- The overall transaction process
  for chip and PIN payment is less time consuming than
  for signature, so customers need spend less time at the
  till
- It will no longer be necessary to
  store signed copies of card vouchers for many years to
  deal with disputed transactions
- The integral security of the cardholder
  entering their own PIN creates new possibilities for cardholder
  activated terminals. Traditional kiosks and ticketing
  machines can start to offer higher value items. New payment
  channels over the Internet and TV set top box are emerging.
  Self-scanning and payment can become a reality in the
  supermarkets.
- Chip based technology can be used
  for other applications such as e-coupons, e-purse and
  e-loyalty
--------------------------------------------------------------------
What does a retailer need to do?
Firstly, and most importantly, if you
haven't started planning your move to Chip and PIN, do it
now. There are finite resources available to implement and
accredit your payment solution. As the January 2005 deadline
approaches, a logjam of retailers awaiting accreditation is
almost certain to occur, leaving some with the liability for
any card fraud that takes place.
The experience of retailers that have
already gone through the implementation and accreditation
procedures shows that a six-month timescale – excluding
holidays and two Christmas buying periods – is not uncommon
and should be allowed.
If a retailer is using stand-alone
transaction terminals supplied by a bank, they should be upgraded
by the bank. If they are using their own stand-alone terminals,
the supplier should be contacted to supply new terminals.
Alternatively, the move to Chip and PIN provides an ideal
opportunity to move to integrated EFTPoS, where the functionality
of a standalone transaction terminal is emulated on your point
of sale systems and fully integrated with them.
Retailers should also choose which EMV
Level 1 approved card readers and PIN pads to use to read
the chip cards and to allow the PIN to be entered.
The choice is between a separate card reader and PIN pad, or
a combined reader with PIN pad. Some large retailers prefer
the separate approach, where the till operator inserts the
card for the user, minimising the chance of the card being
inserted incorrectly, which would increase the overall transaction
time.
A decision must also be made as to whether
the supporting EMV Level 2 software should run on the reader,
on the point of sale till or on a back office server.
Retailers should also check with their EFTPoS supplier to
make sure they have upgraded and certified their software
to handle the new EMV chip card data for both authorisation
and settlement.
How can 3C Communications help?
3C Communications'
approach takes the simple view that its software should
enable customers to choose the Chip and PIN solution that
suits them best, rather than forcing them down
a proprietary route which locks them into a hardware
vendor. Put simply, 3C Communications' products
will run anywhere, on any hardware from simple tills,
through Windows, Linux and Unix servers, to mainframes.
Other offerings from 3C Communications include
dynamic and fixed multi-currency conversion and e-commerce
applications. All 3C Communications products are designed
to integrate simply and quickly into clients' existing
systems and provide immediate benefit through reduced
handling costs.
In choosing new hardware and software,
consider both current and future needs:
- How will EMV configuration, software
  upgrades and firmware updates be accomplished?
- How should new smart card applications
  such as e-coupons, e-purse and e-loyalty be integrated
  into existing systems?
- How will card payments integrate
  with the emergence of Customer Activated Terminals such
  as kiosk, self-scanning and outside payment terminals
  on the filling station forecourt?
--------------------------------------------------------------------
Some key points to remember:
- The migration process is complex.
- Time is running out – start planning
  now
- Make the hardware as simple and
  universal as possible
- Wherever possible, emulate terminal
  functionality in software – it is far easier, much faster
  and cheaper to upgrade software rather than hardware
- Don't forget that as
  Chip and PIN progressively reduces fraud in a Customer Present
  environment, fraudsters will increasingly look for more
  vulnerable areas of card payment, such as buying over
  the Internet. New fraud prevention schemes from card issuers,
  such as Verified by Visa (VbV) and MasterCard's SecureCode,
  are specifically targeted at reducing the risk of online
  identity fraud.
How can 3C Communications help?
The 3CWeb2Pay merchant
plug-in, which fully supports VbV and SecureCode,
will benefit all parties in the payment chain and
stimulate consumer confidence in Web shopping by giving
those who are reluctant to shop online the ability
to take an active role in protecting themselves, while
merchants and card issuers will see a reduction in
losses from unauthorised card usage and transaction
disputes. Other 3C Communications products
offer comprehensive Card Not Present fraud and
risk assessment.
--------------------------------------------------------------------
What are the hardware choices?
Separate PIN pad and chip reader
Both PIN pad and reader must be designed so that any attempt
at tampering is readily obvious and will ideally render the
device useless and wipe any internal storage containing cryptographic
algorithms.
A secure link between the PIN entry
pad and reader must protect the privacy of the entered PIN.
The keys must also be set up in a secure manner, and a secure
method of changing them in the event of a hardware failure
necessitating replacement of either the PIN pad or reader
must also be provided.
Although favoured by large retailers
migrating from magnetic stripe to Chip only and then to Chip
and PIN, this method is almost twice as expensive as a combined
reader and PIN pad.
Combined PIN pad and reader
This approach is simpler in that no secure link between
PIN pad and card reader is necessary, although the enclosure
must still be tamper proof and rendered inoperable should
its integrity be compromised. The technology is considerably
cheaper and has a much lower cost of ownership than a separate
PIN pad and chip reader.
--------------------------------------------------------------------
Should the customer or sales assistant insert the card?
The choice of who inserts the card
in the reader boils down to the level of familiarity the customer
is anticipated to have with Chip and PIN. Some retailers
believe that users will quickly adapt to the new technology,
while others prefer to rely on a trained checkout operator
to handle all aspects of the transaction (apart from the entry
of the PIN itself).
Tesco is taking the approach of a combined
'swipe and park' reader that can handle both magnetic stripe
and chip cards. These have the advantage that checkout operators
need not bother to identify if the card is smart or not, both
types being handled in exactly the same way.
This also means that identical hardware
can be installed in every store, regardless of whether it
is handling magnetic stripe or chip only (both with signature
verification) or full EMV Chip and PIN transactions. Only
the PIN pad needs to be added when the store is ready to move
to full Chip and PIN.
Other retailers rely on a higher level
of familiarity with the technology on the part of both sales
assistant and cardholder. The sales assistant decides if the
card has a chip and, if so, leads the customer through the
correct procedure. These retailers take the view that cardholders
are familiar with using a PIN at ATMs and will adapt readily.
A combined PIN pad and chip reader will be placed in a position
where either the sales assistant or cardholder can insert
the card. Initially the sales assistant will dip the card
but as cardholders become more familiar with the procedure
they will assume the responsibility.
--------------------------------------------------------------------
What happens during an EMV transaction?
The card is inserted into the reader
and powers up. The card and till software negotiate a communications
protocol and identify which EMV payment applications are supported
by the chip (credit, debit or e-purse) and, if applicable,
offer a choice of payment method to the cardholder.
The PIN is entered and checked by the
card itself – the till software itself does not 'see' the
PIN, even in encrypted form.
On the basis of floor limits, transaction
type, PIN verification, expiry dates, velocity and usage patterns
(e.g. have I been used for ten small transactions in a short
period of time?) the system decides whether to approve off-line,
go on-line or decline. The card can force the till software
to do an online verification check even if the transaction
is below the store's floor limit.
If the transaction goes online, additional
EMV data is sent to the bank. Part of this is a cryptographic
packet validated by the issuer. The response from the issuer
may also contain a cryptographic packet for validation by
the chip. In this way, a secure link can be established between
chip and issuer despite the insecure data transmission linking
them.
The chip retains ultimate control of
whether the transaction is approved or declined, although
the response from the bank can contain a script to be processed
by the chip which may instruct it to disable itself if it
has been reported stolen, or to unblock a locked card following
three failed PIN entry attempts.
The transaction is now complete, the
chip is powered down and the card is removed from the reader.
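The transaction steps described above, as a simplified model (an added example, not code from 3C Communications or from the EMV specification). The `Card` class, its field names, the message labels and the velocity limit are assumptions made for illustration, and HMAC-SHA256 stands in for the real EMV cryptogram algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

def mac(key, *fields):
    # Assumption: HMAC-SHA256 stands in for the real EMV cryptogram algorithm.
    data = "|".join(map(str, fields)).encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

@dataclass
class Card:
    key: bytes                # secret known only to the chip and the issuer
    pin: str
    expiry: date
    max_offline_run: int = 3  # velocity limit (constructed value)
    offline_run: int = 0      # consecutive offline approvals so far
    pin_tries_left: int = 3
    atc: int = 0              # transaction counter: no two cryptograms repeat

    def verify_pin(self, entered):
        # The comparison happens inside the chip; the till never sees the PIN.
        if self.pin_tries_left == 0:
            return False      # locked until the issuer unblocks the card
        ok = hmac.compare_digest(entered, self.pin)
        self.pin_tries_left = 3 if ok else self.pin_tries_left - 1
        return ok

    def decide(self, amount, floor_limit, pin_ok, today):
        if not pin_ok or today > self.expiry:
            return "DECLINE"
        # The card can force an online check even below the floor limit.
        if amount > floor_limit or self.offline_run >= self.max_offline_run:
            return "ONLINE"
        self.offline_run += 1
        return "APPROVE_OFFLINE"

    def request_cryptogram(self, amount):
        self.atc += 1
        return self.atc, mac(self.key, "REQ", self.atc, amount)

    def accept_response(self, approved, response_mac):
        # The chip keeps final control: an unauthenticated reply is refused.
        expected = mac(self.key, "RSP", self.atc, approved)
        if not hmac.compare_digest(expected, response_mac):
            return False
        if approved:
            self.offline_run = 0
        return approved

def issuer_authorise(key, atc, amount, cryptogram, funds):
    if not hmac.compare_digest(mac(key, "REQ", atc, amount), cryptogram):
        return False, b""     # cryptogram does not match: request altered
    approved = amount <= funds
    return approved, mac(key, "RSP", atc, approved)
```

Because both cryptograms are keyed with a secret the till and the network never hold, an amount changed in transit or a forged approval fails validation at the issuer or the chip respectively.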
How can 3C Communications help?
3C Communications'
Multi-Pay® deals with the entire transaction from
start to finish and scales from single till installation
to multi-national, multi-lane operations.
--------------------------------------------------------------------
Advanced Smart Card features
3C Communications also supports
script files – a means to modify dynamically the functionality
of the card. Card issuers now have the ability to download
a script file to a Smart Card in any reader on an account
number basis during the online authorisation session. This
can be used to modify the card's risk management profile,
for example to force the card to go online for authorisation
for every transaction if the cardholder's account has been
badly run.
--------------------------------------------------------------------
The Northampton Town Trial
Shops, pubs & hotels, restaurants,
supermarkets and garages across the town are now trialling
the system, which means that customers with the cards are
being asked to key in their 4-digit number, better known as
a PIN (personal identification number), instead of signing
a receipt when they go to pay. One hundred and fifty thousand
people in Northampton (over half the adult population) have
been sent new cards from their banks and outlets will be 'switching
on' Chip and PIN terminals. The trial will continue through
June and July and after this, the initiative will continue
in Northampton and start to be rolled out throughout the UK.
Shops in Northampton processing chip
and PIN transactions include ASDA (Corby), Blenders, Braylake
Cars, Chanse Leather Goods, Dollond & Aitchison, Gamestation,
Health Quest, Holiday Inn, Montague Jeffery, Phones 4 U, Pitsford
Water Cycles, three Safeway stores, Sanity Entertainment (Our
Price), Sisley, Spinadisc, Supabikes, Tie Rack and Vodafone.
Now the first wave of retailers has
been joined by a host of leading names including all:sports,
JD Sports, JJB Sports, Marks & Spencer, McDonald's, Morrisons,
Next, Moat House Hotels, Scottish & Newcastle Retail pubs
including The Rat and Parrot, Tesco, Texaco Service Stations,
TOTAL petrol stations, WHSmith, Wilkinson and Woolworths.
In total, around 1,000 outlets will participate.
American Express, Barclaycard, Barclays
Bank plc, the Co-operative Bank, Egg, Girobank Merchant Services,
HSBC, Lloyds TSB, MasterCard, The Royal Bank of Scotland Group,
Switch and Visa are all participating in the trial.