News & Views - Savantor

What next for Payment Cards?

Monday, 03 July 2006

Following the introduction of Chip & PIN in the UK, there are still some enhancements to the EMV card system that need to be deployed. The card terminals are approved by the card schemes and support features yet to be implemented in the card design. Additionally, new algorithms will need to replace the existing hashing and encryption operations once agreed by the card schemes. This is a longer-term strategy that will require enhancement of both terminal firmware and card masks, and it needs to be co-ordinated with the next generation of merchant terminals.

In the interim, card issuers can exploit the terminal capabilities to introduce Dynamic Data Authentication to counter the susceptibility of Static Data Authentication cards to authentication replay. Prudent issuers will also consider requesting encrypted PIN entry to minimise the risk of PIN compromise.
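The difference between the two checks, seen from the terminal, is sketched below as an added example that is not part of the original article. It assumes textbook RSA with tiny constructed keys as a stand-in for the EMV signature scheme and a single issuer-signed card key instead of the full certificate chain; all function and variable names are hypothetical.

```python
import hashlib
import secrets

E = 65537

def keypair(p, q):
    # Textbook RSA from two known primes: toy sizes, no padding, illustration only.
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

# Constructed keys (Mersenne primes), standing in for issuer and card key pairs.
ISSUER_PUB, ISSUER_PRIV = keypair(2**89 - 1, 2**107 - 1)
CARD_PUB, CARD_PRIV = keypair(2**61 - 1, 2**127 - 1)

STATIC_DATA = b"PAN=0000000000000000;EXP=0000"          # constructed placeholder
SSAD = sign(ISSUER_PRIV, STATIC_DATA)                   # issuer signature over static data
CARD_CERT = sign(ISSUER_PRIV, repr(CARD_PUB).encode())  # issuer vouches for the card key

def genuine_card(challenge):
    # Only the genuine chip holds CARD_PRIV.
    return sign(CARD_PRIV, challenge)

def replaying_copy(recorded_response):
    # A copy holds only terminal-readable data, so it can only repeat an old answer.
    return lambda challenge: recorded_response

def terminal_sda(static_data, ssad):
    # Static check: the same bytes verify no matter which device presents them.
    return verify(ISSUER_PUB, static_data, ssad)

def terminal_dda(card, challenge=None):
    if not verify(ISSUER_PUB, repr(CARD_PUB).encode(), CARD_CERT):
        return False
    if challenge is None:
        challenge = secrets.token_bytes(4)  # fresh unpredictable number per transaction
    return verify(CARD_PUB, challenge, card(challenge))
```

The static check has no input that changes between transactions, which is why it cannot distinguish a presentation from a replay; the dynamic check rejects a recorded response as soon as the terminal's challenge differs.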

However, the biggest risk remains, namely that of "fallback" fraud. Essentially, the problem centres on the ease with which magnetic stripe data can be copied to form a cloned card. It only requires the PIN to be disclosed for fraudulent transactions to be submitted via international ATM networks, such as in the recent Lloyds TSB attacks.

There is currently no effective safeguard against bogus terminals that could be used to harvest card and PIN data. Terminal authentication could be combined with card authentication to deliver mutual authentication before the cardholder is prompted for the PIN. Since this mechanism would depend on secret terminal keys, a fraudulent terminal could not establish the cryptographic channel needed to elicit any cardholder-recognisable data prior to PIN entry.

Cardholder education will be needed so that covert cameras cannot record hand movements during PIN entry. Similarly, PIN entry must be shielded against bystander observation.

Even if cardholder authentication is extended to include biometric methods, PIN entry must still be supported for contingency situations and where compatibility with older terminal networks must be provided.

Offline-approved transactions result in a transaction certificate that the issuer should verify. If this check fails, a chargeback may be raised against the acquirer/merchant retailer. Ultimately, the only way to counter the risk of "Yes-card fraud" is to approve only online transactions or use one-time authentication codes as in the "Chip-card Authentication Program" models.
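The issuer-side check described above can be sketched as follows; this is an added example, not part of the original article. It assumes HMAC-SHA256 as a stand-in for the EMV key derivation and cryptogram algorithm, and the record fields, key and function names are hypothetical.

```python
import hashlib
import hmac

ISSUER_MASTER_KEY = bytes(16)  # constructed placeholder key (all zero bytes)

def card_key(pan):
    # Stand-in derivation of a per-card key from the issuer master key and PAN.
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()

def cryptogram(key, amount, currency, atc, un):
    # MAC over the transaction fields the card saw when it approved offline.
    data = f"{amount}|{currency}|{atc}|{un}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]

def tc_valid(rec):
    # Recompute the certificate from the clearing record and compare in constant time.
    expected = cryptogram(card_key(rec["pan"]), rec["amount"],
                          rec["currency"], rec["atc"], rec["un"])
    return hmac.compare_digest(expected, rec["tc"])

def chargeback_candidates(batch):
    # References of clearing records whose certificate does not verify.
    return [rec["ref"] for rec in batch if not tc_valid(rec)]

def sample_batch():
    # Constructed clearing records: one genuine, one altered, one fabricated.
    pan = "0000000000000000"
    good = dict(ref="T1", pan=pan, amount=2500, currency="GBP", atc=17, un="a1b2c3d4")
    good["tc"] = cryptogram(card_key(pan), 2500, "GBP", 17, "a1b2c3d4")
    altered = dict(good, ref="T2", amount=25000)            # amount changed after approval
    fabricated = dict(good, ref="T3", atc=18, tc="0" * 16)  # produced without the card key
    return [good, altered, fabricated]
```

Because the certificate is bound to the card key and the transaction fields, the check only happens after the goods have left the shop, which is why the article treats it as a basis for chargeback rather than prevention.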

Finally, the impact of hybrid cards such as contactless and RFID must be considered; here the bank PIN should not be used for non-payment applications. (Source: Bob van Gaalen, 1st August 2006)
