As EMV compliance and the functionality
applications for payment cards are being pushed forward, there
remain numerous challenges for the cards industry regarding the
security of the technology. Truong Mellor investigates the
progress being made.
applications for payment cards are being pushed forward, there
remain numerous challenges for the cards industry regarding the
security of the technology. Truong Mellor investigates the
progress being made.
The primary business case for the introduction
of EMV-compliant cards was the increased security factor that they
were to offer. In markets such as France and the UK, which have
traditionally seen high levels of card fraud, this was a huge
factor in driving migration towards EMV standards. However, there
are a whole range of other potential applications that could be
employed with chip and PIN cards. Because the chip can support
several different functions on the same card, banks can potentially
join forces with business partners such as retailers and transport
operators to include loyalty programmes or identification
applications on the cards.
of EMV-compliant cards was the increased security factor that they
were to offer. In markets such as France and the UK, which have
traditionally seen high levels of card fraud, this was a huge
factor in driving migration towards EMV standards. However, there
are a whole range of other potential applications that could be
employed with chip and PIN cards. Because the chip can support
several different functions on the same card, banks can potentially
join forces with business partners such as retailers and transport
operators to include loyalty programmes or identification
applications on the cards.
While the migration towards chip cards began as
long as ten years ago in some European countries, it has taken a
fair amount of time to gather any serious momentum across the
board. According to Visa Europe, 53 percent of its cards issued are
now chip and PIN, and this figure looks set to increase over the
next few years with the onset of SEPA requirements. The company has
been one of the key movers behind the shift towards EMV compliance
in Europe, and was unique in putting in place an incentive
programme to facilitate this migration process.
long as ten years ago in some European countries, it has taken a
fair amount of time to gather any serious momentum across the
board. According to Visa Europe, 53 percent of its cards issued are
now chip and PIN, and this figure looks set to increase over the
next few years with the onset of SEPA requirements. The company has
been one of the key movers behind the shift towards EMV compliance
in Europe, and was unique in putting in place an incentive
programme to facilitate this migration process.
“On the POS terminal side, the percentage we
measure is the volume we get from devices that are EMV-compliant,”
Pekka Mattila, head of chip integration at Visa Europe, told CI.
“We compare the acceptance infrastructure, and on purchases in
Europe it is around 57 percent. We also do this for the ATM side,
which is currently around 83 percent.”
measure is the volume we get from devices that are EMV-compliant,”
Pekka Mattila, head of chip integration at Visa Europe, told CI.
“We compare the acceptance infrastructure, and on purchases in
Europe it is around 57 percent. We also do this for the ATM side,
which is currently around 83 percent.”
Functionality
Globally, EMV markets are in varying stages of maturation. While
the UK and French markets are very developed, in these countries
the EMV cards are proprietary cards and not truly multi-application
products. The only truly multi-application cards are the Multos and
GlobalPlatform cards, which are less common in the UK and mainland
Europe. In Europe, it is the payment applications on the chip that
are utilised.
When the cards were launched across the
continent around a decade ago, many observers believed that they
would offer multiple dynamic applications that cardholders would be
able to download after being issued with the products. However,
almost all are single-application, low functionality cards.
continent around a decade ago, many observers believed that they
would offer multiple dynamic applications that cardholders would be
able to download after being issued with the products. However,
almost all are single-application, low functionality cards.
The key stumbling block to further development
in this area has primarily been a business issue, according to
David Dix, electronic payments expert at security solutions
provider Cryptomathic. “When you issue a card, it is issued with
certain logos on it – of the bank, Visa or MasterCard,” he says.
“If the customer downloads a new application for the card, for
instance a loyalty programme or a healthcare application, the
company behind that application has rented some space on the card
off the issuer, but they cannot put their logo onto the cards.
Obviously from a marketing perspective, they want their logo on the
cards.”
in this area has primarily been a business issue, according to
David Dix, electronic payments expert at security solutions
provider Cryptomathic. “When you issue a card, it is issued with
certain logos on it – of the bank, Visa or MasterCard,” he says.
“If the customer downloads a new application for the card, for
instance a loyalty programme or a healthcare application, the
company behind that application has rented some space on the card
off the issuer, but they cannot put their logo onto the cards.
Obviously from a marketing perspective, they want their logo on the
cards.”
While there have been some cards that have
included extra functionality, a prime example being old Egg cards
that came with a loyalty programme for Boots pharmacies and the new
Chip Authentication Programme (CAP) application from MasterCard,
what Dix would call “true” multi-application – dynamic downloads
available post-issuance – has yet to take off.
included extra functionality, a prime example being old Egg cards
that came with a loyalty programme for Boots pharmacies and the new
Chip Authentication Programme (CAP) application from MasterCard,
what Dix would call “true” multi-application – dynamic downloads
available post-issuance – has yet to take off.
According to Mattila, there are two types of
functionality extensions for chip and PIN cards – one being
applications that are offered by the card issuer, such as combining
debit and credit functions or adding dynamic passport applications
for increased web banking security, the other being functions added
by businesses other than the issuing bank such as merchant loyalty
or government identification. One of the more notable latter
schemes currently in operation is the Barclaycard OnePulse
programme, which incorporates a transport application into a
banking card.
functionality extensions for chip and PIN cards – one being
applications that are offered by the card issuer, such as combining
debit and credit functions or adding dynamic passport applications
for increased web banking security, the other being functions added
by businesses other than the issuing bank such as merchant loyalty
or government identification. One of the more notable latter
schemes currently in operation is the Barclaycard OnePulse
programme, which incorporates a transport application into a
banking card.
Mattila believes it is certainly more
complicated to run these types of programmes, not from a technical
standpoint but simply trying to manage the various business
relationships involved. “However, it is not impossible, and those
types of applications are still growing,” he adds, citing various
examples in Turkey, Sweden and Finland.
complicated to run these types of programmes, not from a technical
standpoint but simply trying to manage the various business
relationships involved. “However, it is not impossible, and those
types of applications are still growing,” he adds, citing various
examples in Turkey, Sweden and Finland.
Multi-application cards have made further
inroads in other parts of the world, most notably in Asia and Saudi
Arabia. The Saudi Arabian Monetary Authority (SAMA) has mandated
that all card issuers within the region will have to use Multos
cards. While the Multos cards currently being rolled out still only
have the payment function included on them like the EMV cards, the
capability is now in place for future development.
inroads in other parts of the world, most notably in Asia and Saudi
Arabia. The Saudi Arabian Monetary Authority (SAMA) has mandated
that all card issuers within the region will have to use Multos
cards. While the Multos cards currently being rolled out still only
have the payment function included on them like the EMV cards, the
capability is now in place for future development.
While it is difficult to predict which of the
myriad of applications potentially available for chip and PIN cards
will prove popular, it would seem likely that functionalities that
are characteristic to the banking or purchasing environment would
be easily combined with a financial card. Although people have
discussed the possibility of combining passport and health cards
with a payment card, Mattila does not see this as a logical
progression.
myriad of applications potentially available for chip and PIN cards
will prove popular, it would seem likely that functionalities that
are characteristic to the banking or purchasing environment would
be easily combined with a financial card. Although people have
discussed the possibility of combining passport and health cards
with a payment card, Mattila does not see this as a logical
progression.
“I believe that combining credit, debit and
dynamic passport code authentication all into the same card will be
successful, as it strengthens the relationship with one entity,
which is the issuing bank,” he says. “On the other hand, something
like merchant loyalty would probably work because you use the same
card for payment in the same environment, so they are related to
each other, and it would speed up the transaction from having two
separate cards.”
dynamic passport code authentication all into the same card will be
successful, as it strengthens the relationship with one entity,
which is the issuing bank,” he says. “On the other hand, something
like merchant loyalty would probably work because you use the same
card for payment in the same environment, so they are related to
each other, and it would speed up the transaction from having two
separate cards.”
Fallback
While Visa and MasterCard attempted to shift the liability for
fraud onto the parties that were not EMV enabled (i.e. the
merchants) in order to precipitate a wider move towards chip and
PIN, this was not successful. It was the differing levels of fraud
and the types of fraud that were prevalent in each region that led
to a multitude of approaches, with countries such as Spain delaying
the implementation of chip and PIN standards until this year. As
fraud was never as pronounced as in other markets such as the UK,
they were willing to take the financial hit.
In markets that are not EMV-compliant, card
fraud can be practised by forcing a ‘fallback’ to magnetic stripe
from the new chip technology. As the business case for chip and PIN
varies in each market, with each taking its own stance as to the
timing of the EMV rollout, so there will be a window for fraudsters
to use this method for quite some time.
fraud can be practised by forcing a ‘fallback’ to magnetic stripe
from the new chip technology. As the business case for chip and PIN
varies in each market, with each taking its own stance as to the
timing of the EMV rollout, so there will be a window for fraudsters
to use this method for quite some time.
This is something that will be unavoidable for
the cards industry, as the only alternative is to decline a
significant portion of cardholders. “You’ve got to be clever about
how you do the fallback,” says Dix. “While the world is still
migrating to EMV, there will always be that risk.”
the cards industry, as the only alternative is to decline a
significant portion of cardholders. “You’ve got to be clever about
how you do the fallback,” says Dix. “While the world is still
migrating to EMV, there will always be that risk.”
Mattila is keen to differentiate between
fallback through a damaged chip or card reader and the differing
levels of EMV migration between various regions on either the
merchant or issuing side. “We have to support the magnetic stripe
infrastructure,” says Mattila. “Even in the case where SEPA
mandates that all European internal transactions would be
chip-based, we still have to support the magnetic stripe to be
backwards compatible for the foreseeable future.”
fallback through a damaged chip or card reader and the differing
levels of EMV migration between various regions on either the
merchant or issuing side. “We have to support the magnetic stripe
infrastructure,” says Mattila. “Even in the case where SEPA
mandates that all European internal transactions would be
chip-based, we still have to support the magnetic stripe to be
backwards compatible for the foreseeable future.”
EMV fraud
While there has been a spate of scare stories in the media
regarding the security of chip and PIN cards in the UK, with
various teams based in universities claiming to have cracked the
security of these cards, Dix believes that the threat has been
somewhat amplified. “This is all being done in a very controlled
laboratory environment, with access to a lot of machinery and
manpower. Although there are some large fraud organisations that do
have access to similar kinds of things, they are few and far
between,” he explains. “Generally speaking, fraudsters want to find
an easy way to make money.”
Additionally, these reports have focused on a
particular aspect of EMV’s security features. However, there are a
number of security processes within EMV that protect different
parts of a transaction. “They’ve broken one step of the EMV
process,” continues Dix. “It is never really qualified what
cracking this one step actually means. Obviously, it’s not a good
thing, but what does it mean in relation to the transaction?”
particular aspect of EMV’s security features. However, there are a
number of security processes within EMV that protect different
parts of a transaction. “They’ve broken one step of the EMV
process,” continues Dix. “It is never really qualified what
cracking this one step actually means. Obviously, it’s not a good
thing, but what does it mean in relation to the transaction?”
In the case of these research teams breaking
Static Data Authentication (SDA), where a single security key is
shared between each card and the issuer for verification, the card
can then be cloned as a chip card and some of the parameters on the
card can be changed so it will stay offline more often. In the case
of the UK, there is a £50 ($99) limit on a purchase before a
terminal will go online to the issuer. While cracking SDA means
that a fraudster will be able to carry out more transactions before
the issuer will be contacted by the card or the terminal, the £50
limit still applies, severely limiting the amount of financial
damage that could potentially be carried out.
Static Data Authentication (SDA), where a single security key is
shared between each card and the issuer for verification, the card
can then be cloned as a chip card and some of the parameters on the
card can be changed so it will stay offline more often. In the case
of the UK, there is a £50 ($99) limit on a purchase before a
terminal will go online to the issuer. While cracking SDA means
that a fraudster will be able to carry out more transactions before
the issuer will be contacted by the card or the terminal, the £50
limit still applies, severely limiting the amount of financial
damage that could potentially be carried out.
“Obviously, we are pleased to see that in
laboratory environments people are trying to crack these systems
and trying to find these loopholes,” says Mattila, “because that
will help us to find better solutions. On the other hand, looking
at the vulnerabilities of this technology in terms of the impact on
the market, we are much more concerned about the vulnerabilities of
magnetic stripe than we are about those of chip technology. Looking
at the statistics, chip and PIN is definitely much more
secure.
laboratory environments people are trying to crack these systems
and trying to find these loopholes,” says Mattila, “because that
will help us to find better solutions. On the other hand, looking
at the vulnerabilities of this technology in terms of the impact on
the market, we are much more concerned about the vulnerabilities of
magnetic stripe than we are about those of chip technology. Looking
at the statistics, chip and PIN is definitely much more
secure.
“We have never claimed that chip and PIN is 100
percent secure – no technology is,” continues Mattila. “At some
point in time, the issuers will move to Dynamic Data Authentication
away from SDA; an improvement, but it doesn’t happen overnight.
It’s a gradual improvement of the security infrastructure.”
percent secure – no technology is,” continues Mattila. “At some
point in time, the issuers will move to Dynamic Data Authentication
away from SDA; an improvement, but it doesn’t happen overnight.
It’s a gradual improvement of the security infrastructure.”
Figures from UK payments association APACS
indicate that card fraud losses in 2007 rose by 25 percent, mainly
driven by a £90.5 million (77 percent) rise in fraud committed
abroad as more UK card details were stolen for use in countries yet
to upgrade to chip and PIN. However, chip and PIN continues to have
a positive effect on card fraud committed in the UK. Over the past
three years losses on face-to-face transactions on the UK high
street have fallen by two-thirds from £218.8 million in 2004, to
£73 million last year. Fraud on lost and stolen cards (£56.2
million), and mail non-receipt fraud (£10.2 million), are at their
lowest levels for 10 years. In some countries such as Malaysia, the
shift to chip and PIN cards has almost completely eliminated
domestic card fraud.
indicate that card fraud losses in 2007 rose by 25 percent, mainly
driven by a £90.5 million (77 percent) rise in fraud committed
abroad as more UK card details were stolen for use in countries yet
to upgrade to chip and PIN. However, chip and PIN continues to have
a positive effect on card fraud committed in the UK. Over the past
three years losses on face-to-face transactions on the UK high
street have fallen by two-thirds from £218.8 million in 2004, to
£73 million last year. Fraud on lost and stolen cards (£56.2
million), and mail non-receipt fraud (£10.2 million), are at their
lowest levels for 10 years. In some countries such as Malaysia, the
shift to chip and PIN cards has almost completely eliminated
domestic card fraud.
Beyond PIN?
While PIN is certainly a more secure process than signature
verification, as it forces a stronger process of validation, the
increased threat of ‘shoulder-surfing’ still means that cards can
potentially be compromised. As cardholders are required to enter
their PIN number more often, the threat of inadvertently revealing
their PIN number to fraudsters grows.
“Chip and PIN wasn’t really put in for that
security feature,” says Dix. “Although it is possible to fake a
signature, it is probably harder to fake a signature than it is to
find out somebody’s PIN number by shoulder-surfing. But in the
signature world, nobody ever checked the signature. It was a
pointless security step.”
security feature,” says Dix. “Although it is possible to fake a
signature, it is probably harder to fake a signature than it is to
find out somebody’s PIN number by shoulder-surfing. But in the
signature world, nobody ever checked the signature. It was a
pointless security step.”
However, while fraudsters are still able to
procure stolen PIN numbers, chip-based cards will be vulnerable to
fraud. There is no evidence to suggest that merchants at the till
are any more vigilant than before, and some observers have
suggested that the introduction on PIN numbers has completely
removed the human element from retail transactions.
procure stolen PIN numbers, chip-based cards will be vulnerable to
fraud. There is no evidence to suggest that merchants at the till
are any more vigilant than before, and some observers have
suggested that the introduction on PIN numbers has completely
removed the human element from retail transactions.
According to Dix, methods such as biometrics
are a definite possibility for the future. Fingerprints can be
easily duplicated or captured from a cardholder, and Dix points
towards iris or retina scans as well as palm vein technology,
although he notes that eye scans are far from customer friendly.
“It’s a case of what is acceptable to the user in that particular
scenario,” he explains.
are a definite possibility for the future. Fingerprints can be
easily duplicated or captured from a cardholder, and Dix points
towards iris or retina scans as well as palm vein technology,
although he notes that eye scans are far from customer friendly.
“It’s a case of what is acceptable to the user in that particular
scenario,” he explains.
“It’s a difficult thing to predict,” says
Mattila. “Obviously we are keeping watch on what technologies take
off. A lot of governments are working on applying biometrics in
their access control systems, and we would try to learn from
them.”
Mattila. “Obviously we are keeping watch on what technologies take
off. A lot of governments are working on applying biometrics in
their access control systems, and we would try to learn from
them.”
As a standard, EMV is prepared for biometrics –
identification does not necessarily have to be through signature or
through PIN. However, Mattila believes that it will still be some
time before this technology will be widely applied and used
throughout the merchant environment. “This is something that we
will keep an eye on, and try to pilot,” he adds. “I believe that at
some point, biometrics will be more common than it is today.”
identification does not necessarily have to be through signature or
through PIN. However, Mattila believes that it will still be some
time before this technology will be widely applied and used
throughout the merchant environment. “This is something that we
will keep an eye on, and try to pilot,” he adds. “I believe that at
some point, biometrics will be more common than it is today.”
Share this article
