Change is on the cards

With the January 2006 Europay MasterCard Visa (EMV) compliance deadline approaching, the Middle East’s financial sector is taking steps to ensure it meets the mandate in order to successfully participate in the global economy.

  • E-Mail
By  Sarah Gain Published  July 24, 2005

|~|Paul-Meadowcroft-Body.jpg|~|Meadowcraft: It is important that we take plastic cards into the 21st century.|~|The payment card has been in existence for many years. However, it has evolved to cope with worldwide increase in card-related frauds. A succession of anti-fraud measures have been introduced, such as the magnetic stripe, hologram, photographs of the cardholder and the card verification value (CVV), a value stored on the magnetic stripe which is used to determine if a card has been produced illicitly.

“Magnetic stripe cards have now been developed to the point where there is little or no further scope for introducing further anti-fraud measures. This is why card associations have been looking at new technologies to take the plastic card into the 21st century,” says Paul Meadowcroft, head of transaction security at Thales e-Security.

The smart card technology is a small computer chip embedded onto a plastic card with the same dimensions as the magnetic stripe card. The chip contains a set of electrical contacts through which the information can be accessed.

Discreet values can be stored on the chip that are not accessible to the outside world, allowing the card itself, or in conjunction with a terminal, to check the cardholder’s personal identification number (PIN) without having to go online to the card issuer’s host system to authorise transactions.

The EMV specification describes a set of requirements to ensure interoperability between these ‘smart chip’ cards and terminals globally. International card payments associations Europay, MasterCard and Visa, claim the chip-based credit and debit cards will solve the problem of fraudulent activities and provide multiple application opportunities for financial institutions. Other international and national credit card associations have now accepted EMV as the global standard for payment cards.

“The smart card can genuinely become the de facto tool for authenticating all financial transactions. The expectations are that in addition to the use of smart cards for payments, the widespread deployment of unconnected smart card readers will open up the potential for smart cards to become personal security modules. As such they will be used to authenticate all channels of transaction, be it physical, online, telephone or commerce through interactive TV,” says Meadowcroft.||**|||~|Erskine-Blunck-Body.jpg|~|Blunck: Anything that can better security and cut down on fraud is of critical importance to the entire financial sector.|~|The Middle East’s January 2006 deadline for compliance with the mandate means the EMV standard is sooner or later going to impact all businesses that deal with card payments, from retailers to acquirers, payment schemes to card issuers and payment processors to card and terminal suppliers. This is going to involve considerable investment that will need to be managed effectively.

Realising the business benefits of EMV will require all parties to understand the advantages of EMV, define the business requirements, assess the costs of implementation and calculate the payback timescales. To manage the technical impact of migrating to EMV requires analysis of the technical implications of issuing cards and acquiring or updating terminals, networks and host systems.

For the Middle East market, payments solutions providers are pushing for high-security, high-convenience offerings designed to cater to the need for integrated EMV compliance and comprehensive risk management solutions.

One of the key areas of interest for regional financial institutions is the possibility of in-branch card issuance, which enables banks to manage their chip data preparation centrally, and issue smart cards from their branches or in retail outlets.

“In many parts of the world, in-branch card issuance is the norm. We are seeing increased interest in these types of system as they can significantly improve the efficiency of the card preparation and personalisation process,” says Meadowcroft.

Personalisation of smart cards is the final stage in the issuance process and relates to the loading of cardholder-specific data on the card. Traditionally, cards were personalised in batches in a centralised and secure environment. However, with the in-branch solution, banks are able to bypass the need for a central bureau, lowering costs and reducing both customer delays and the potential of cards being fraudulently intercepted in the mail.

“While this kind of issuance has been possible with the magnetic stripe cards in the Middle East for some time, this is the first time such a service has been made possible for the more advanced EMV smart cards,” Meadowcroft continues.||**|||~|Osman-Mehta-Body.jpg|~|Metha: The Middle East is driving a well developed and highly innovative payments landscape.|~|Local branch personalisation enables the organisation to re-issue a fully functional card within ten minutes; minimising distribution costs accrued in sending out cards and PIN notification letters separately. Following enrolment with the institution, customer details can be recorded and validated and a card issue request is sent electronically to the central office. After a further validation and verification, encrypted personalisation data unique to the specific request is produced.

The encrypted data is then sent to the branch’s personalisation division where the data is loaded onto the chip and details printed or embossed on both sides. The customer can then enter his or her preferred PIN. “Key management is required to write information onto smart cards. It delivers strong cryptography, which ensures the chip’s security,” explains Dr. Erskin Blunck, vice president of product marketing for Thales in Northern and Central Europe.

One of the chief advantages of the instant issuance solution is that it enables all cryptographic keys to be managed centrally. There is no need for the keys to be embedded on hardware security modules, thanks to the use of the public key encryption-based mechanism for loading encrypted applications onto cards.

EMV and other applications are personalised and encrypted with the target card’s public key, sent in a single message over an intranet to the printer and then decrypted using a private key. “Anything that can better security and cut down on fraud is of critical importance to the entire financial sector,” states Blunck.

The approach also eliminates the additional expenditure incurred with traditional in-branch personalisation, which requires a secure IT platform. Such an infrastructure previously made instant issuance expensive to implement on a large scale.

“We have witnessed some concerns about how to effectively and economically deploy the in-branch smart card issuance system, but the public key based encryption scheme means the system can deliver maximum security without the need for secured networking or the extra expense of in-branch HSMs. This offers the opportunity for greater business agility and significant return-on –investment (ROI),” Meadowcroft enthuses.

Regional financial institutions are in the process of upgrading their ATM and point of sales (POS) infrastructures to meet the EMV mandate. National card scheme such as the Saudi Payment Network (SPAN) has provided incentive to the Kingdom’s banks to speed up the migration to chip cards as the institutions hasten to enable online electronic funds transfer (EFT) capabilities for ATM and POS terminals.

“The struggle of countries around the world to roll out the technology necessary to support EMV standards makes it apparent the Middle East is driving a well developed and highly innovative payments landscape,” says Osman Mehta, general manager (Middle East) at Level Four.

In order to cope with the changes, regional banks are deploying technology that can support the EMV infrastructure and as the dominant economic force in the region, the Kingdom of Saudi Arabia (KSA) is leading the way both in terms of debit card issuance and transaction volumes. “At the moment, we have observed that self-service is a banking trend in KSA and we anticipate that other GCC countries will quickly follow suit,” says Mehta.

Indeed, in light of the success of the SPAN project in KSA there has been a boom in the availability and usage of ATMs and POS terminals. In May 2004, for example, Samba Financial Group positioned itself to ensure its customers benefit from enhanced ATM services by deploying an EMV FastTrack tool to comply with the smart card standard.

"We pride ourselves on being early adopters of advanced technology. Our customers will benefit from a smooth migration to EMV smart cards and more importantly, faster deployment of new functionality at ATMs," says Derek Sham, assistant general manager of Samba Financial Group.

Saudi-based Arab National Bank (ANB), which understands the impact of non-branch distribution of services, both in terms of customer service and reduced costs, has moved quickly to deploy new ATM functionality across its 300-ATM network to ensure the delivery of high-availability service to its customers.

EMV FastTrack is aiding the bank’s migration to the international mandates for increased security, enabling the bank to fully automate testing directly from the smart card. “ANB will save both time and money through using automated testing tools, while gaining a greater level of control and flexibility for future additions to its ATM network,” Mehta claims.

The expansion of services by banks often includes the development or strengthening the bank’s online portal. This, combined with the global rise in e-commerce, means a significant use for smart cards will be in electronic financial transactions. User and password authentication is already seen as being inadequate for securing financial transactions.

To make online payments safe, organisations will need to provide unconnected smart card readers for customers wishing to make e-transactions, because despite the fact that inclusion of a smart card in every financial transaction will add a crucial second layer of authentication for payment cards, the EMV rollout is predicted to dramatically increase card not present (CNP) fraud.

“The availability of this technology is especially timely, as online credit card fraud has now topped US$180 million a year, an increase of 33% over a two-year period. The EMV migration is expected to push this value even higher as a lot of the annual US$820 million worth of credit card fraud will shift to CNP transactions,” warns Thales’ Meadowcroft.

Unconnected reader system will have a positive effect on fraud and in turn help boost consumer confidence in shopping online. From a business perspective, it will mean that CNP fraud can be eliminated for those banks, which implement this system as the liability shifts from the retailer and acquirer to the card issuer.

“Furthermore, card issuers who do not participate in the scheme will undoubtedly see the CNP fraud migrate to them as a result of tighter security being provided elsewhere and issuers that do not upgrade their systems will still be liable for CNP fraud if it can be proved the fraud could have been prevented by the use of unconnected readers. This will prove to be a massive incentive for issuers to roll out the readers.”

The introduction of unconnected smart card readers has the potential to provide enhanced security beyond just internet transactions. In addition, any channel of transaction can be made using this technology such as —telephone transactions, be it mobile or fixed line, interactive TV transactions or help desk authentication.

The ability to embrace new technologies and channels without the need to implement a new platform, and most importantly without compromising security, means that card issuers are beginning to investigate the need for a single, flexible authentication platform, which would eliminate the current need for separate platforms for each transaction channel.

“A centralised platform will have significantly lower total cost of ownership and streamline management procedures, maintaining a secure audit trail of transactions and aiding the provision of new services. Such a platform requires a centralised identity management system, however, to provide the appropriate level of identity authentication. The platform can authenticate all trust schemes though, so a bank can apply levels of authentication in accordance with its risk management policies,” explains Meadowcroft.

The advantages of the EMV scheme are clear in terms of increased security, reduction of fraud and boosting consumer confidence. However, to optimise the benefit, financial institutions must invest in technology. The processes for in-branch issuance of smart cards, the upgrading of ATM and POS networks, unconnected smart card readers and central authentication platforms, do not come cheap, but these are essential investments for financial organisations.

The investments will pay off in terms of the value-add services, such as loyalty and reward packages that EMV enables. As Level Four’s Mehta points out, “Banks in the Middle East are in a good position to leverage their trusted relationships with large customer populations, allowing the use of smart cards in innovative ways. As customer service is becoming a key differentiator, the delivery of new services will play a significant role for Middle Eastern financial institutions.”||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code