News & Views - Savantor

What next for Payment Cards?

Monday, 03 July 2006

Following the introduction of Chip & PIN in the UK, there are still some enhancements to the EMV card system that need to be deployed. The card terminals are approved by the card schemes and support features yet to be implemented in the card design. Additionally, new algorithms will need to replace the existing hashing and encryption operations once agreed by the card schemes. This is a longer-term strategy that will require enhancement of both terminal firmware and card masks, and it needs to be co-ordinated with the next generation of merchant terminals.

In the interim, card issuers can exploit the terminal capabilities to introduce Dynamic Data Authentication, countering the susceptibility of Static Data Authentication cards to authentication replay. Prudent issuers will also consider requesting encrypted PIN entry to minimise the risk of PIN compromise.
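The difference between the two schemes, as an added example that is not part of the original article: a terminal-side static check accepts any card carrying the same readable records, while a dynamic check requires a signature over a fresh challenge. It uses toy textbook RSA, constructed card data and hypothetical names; real EMV record formats and signature encodings are not modelled.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Return (modulus, private exponent) for textbook RSA over primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Toy keys built from known Mersenne primes: far too small for real use.
ISSUER_N, ISSUER_D = keypair(2**107 - 1, 2**127 - 1)
CARD_N, CARD_D = keypair(2**61 - 1, 2**89 - 1)

STATIC = b"PAN=0000000000000000;EXP=0000"  # constructed card data
PUBLIC_RECORDS = {                          # everything a terminal can read
    "static": STATIC,
    "static_sig": sign(STATIC, ISSUER_N, ISSUER_D),
    "card_n": CARD_N,
    "card_cert": sign(str(CARD_N).encode(), ISSUER_N, ISSUER_D),
}
OLD_CHALLENGE = b"\x00\x00\x00\x00"
OBSERVED = sign(OLD_CHALLENGE, CARD_N, CARD_D)  # one earlier genuine response

# The genuine card holds CARD_D; the copy holds only readable records and can
# do no better than repeat a response it saw before.
GENUINE = dict(PUBLIC_RECORDS, respond=lambda c: sign(c, CARD_N, CARD_D))
COPY = dict(PUBLIC_RECORDS, respond=lambda c: OBSERVED)

def terminal_sda(card):
    """Static check: the issuer signature over fixed data, nothing fresh."""
    return verify(card["static"], card["static_sig"], ISSUER_N)

def terminal_dda(card, challenge=None):
    """Dynamic check: certified card key must sign a fresh terminal challenge."""
    if not verify(str(card["card_n"]).encode(), card["card_cert"], ISSUER_N):
        return False
    challenge = challenge or secrets.token_bytes(4)
    return verify(challenge, card["respond"](challenge), card["card_n"])
```

Both cards pass `terminal_sda`, but only the card holding the private key passes `terminal_dda`, because the terminal's challenge changes on every transaction.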

However, the biggest risk remains, namely that of "fallback" fraud. Essentially the problem centres on the ease with which magnetic stripe data can be copied to form a cloned card. It only requires the PIN to be disclosed for fraudulent transactions to be submitted via international ATM networks, as in the recent Lloyds TSB attacks.

There is currently no effective safeguard against bogus terminals that could be used to harvest card & PIN data. Terminal authentication could be combined with card authentication to deliver mutual authentication before the cardholder is prompted for the PIN. Since this mechanism would depend on secret terminal keys, a fraudulent terminal could not establish the cryptographic channel needed to elicit any cardholder-recognisable data prior to PIN entry.

Cardholder education will be needed so that covert cameras cannot record the hand movements during PIN entry. Similarly PIN entry must be shielded against bystander observation.

Even if cardholder authentication is extended to include biometric methods, PIN entry must still be supported for contingency situations and where compatibility with older terminal networks must be provided.

Offline approved transactions result in a transaction certificate that the issuer should verify. If this check fails a chargeback may be raised against the acquirer/merchant retailer. Ultimately, the only way to counter the risk of "Yes-card fraud" is to approve only online transactions or use one-time authentication codes as in the "Chip-card Authentication Program" models.

Finally, the impact of hybrid cards such as contactless and RFID must be considered, where the Bank PIN should not be used for non-payment applications. (Source: Bob van Gaalen, 1st August 2006)
