News & Views - Savantor

What next for Payment Cards?

Monday, 03 July 2006

Following the introduction of Chip & PIN in the UK there are still some enhancements to the EMV card system that need to be deployed. The card terminals are approved by the card schemes and support features yet to be implemented in the card design. Additionally, new algorithms will need to replace the existing hashing and encryption operations once agreed by the card schemes. This is a longer term strategy that will require enhancement of both terminal firmware and card masks and needs to be co-ordinated with the next generation of merchant terminals.

In the interim, card issuers can exploit the terminal capabilities to introduce Dynamic Data Authentication to counter the existing threat of authentication replay susceptibility in Static Data Authentication cards. Prudent issuers will consider requesting encrypted PIN entry to minimise the risk of PIN compromise also.

However the biggest risk remains, namely that of "fallback" fraud.  Essentially the problem centres on the ease with which magnetic stripe data can be copied to form a cloned card. It only requires the PIN to be disclosed for fraudulent transactions to be submitted via international ATM networks such as in the recent Lloyds TSB attacks.

There is no effective safeguard against bogus terminals that could be used to harvest card & PIN data currently. Terminal authentication could be combined with card authentication to deliver mutual authentication before the cardholder is prompted for the PIN. Since this mechanism would be dependent on secret terminal keys, no cryptographic channel can be established for fraudulent terminals to elicit any cardholder recognisable data prior to PIN entry.

Cardholder education will be needed so that covert cameras cannot record the hand movements during PIN entry. Similarly PIN entry must be shielded against bystander observation.

Even if cardholder authentication is extended to include biometric methods, PIN entry must still be supported for contingency situations and where compatibility with older terminal networks must be provided.

Offline approved transactions result in a transaction certificate that the issuer should verify. If this check fails a chargeback may be raised against the acquirer/merchant retailer. Ultimately, the only way to counter the risk of "Yes-card fraud" is to approve only online transactions or use one-time authentication codes as in the "Chip-card Authentication Program" models.

Finally, the impact of hybrid cards such as contactless and RFID must be considered where the Bank PIN should not be used for non-payment applications. (Source: Bob van Gaalen, 1st August 2006)

Savantor Services

Savantor Services

Savantor services are tailored to Client needs based on our core service areas

Specialist Resourcing Payments Strategy Platform Transition Operational Efficiency
Savantor Services

Job Opportunities

Consulting and contracting roles in the payments, mobile and banking arena within the UK and across Europe

View more
Savantor Services

Savantor Views

Find out more from our Savantor brochures, MarketEye back copies and Industry opinion

Collateral Market Eye News & Views Sign Up to receive MarketEye

Client Quotes

Complex Cards Business Transformation

"This was a major business transformation that required us to build an excellent team made up of internal bank specialists, supported by external card business, technical and operations expertise. Savantor provided specialists from the local market and with international experience to fill a variety of important roles. The Savantor resourcing team are professional, reliable and good people to work with."

Ricardo Gomez, Director - Operations & Technology - WiZink Bank - Spain

Payments Workshop Material

"Savantor helped ACI build a payments onboarding workshop for new technical staff in ACI EMEA. Their extensive experience took our outline and built a great starting presentation of industry facts that we have now customised further into a half day session that is used for all new joiners. Our Americas and APAC regions have also taken the material and customised it for their regions. A great job by Savantor has meant new joiners to ACI hit the ground running."

Richard Sanders, Principal Solution Consultant - ACI - Worldwide EMEA

Commercial Card Migration

"Execution at its best. We're delighted that this project has been truly outstanding and received an award from 'The Banker'. Savantor provided crucial expertise that helped us keep all our promises in terms of delivery. The scheduling, planning and control regime throughout was excellent."

Chris Mason, Director - Commercial Cards EMEA - Citi - UK

Market Insights

"Savantor did a good job in helping us understand the dynamics of a key growth area for Trionis. Savantor's ability to listen and their degree of commitment have always impressed me. They have been of great help in providing us important market insights and I would not hesitate to work with them again in future."

Ernst Verbeek, Managing Director - Trionis - Belgium

Card Processing Migration

"Disciplined methodology and effective teamwork, guided by Savantor's migration expertise and operational knowledge, were the hallmarks that led to the resounding success of this project, enabling us to maintain and develop our business capability."

Robert Lambert, Head of Cards Strategy - Permanent tsb bank - Ireland

Payment Specialists

"Working close with Savantor's professionals over the years in the payment arena. I appreciate the skills and knowledge these guys have and will surely engage with them when opportunities arise. The current engagement with Savantor is full to satisfaction and beyond."

Idsert Walta, Head of Banking Categories - Nordea - Scandinavia

Acquirer Risk Assessment

"The expertise provided by Savantor has greatly helped us evaluate our risk position and to take the right steps in managing our future risks. Strong, disciplined planning and an ongoing willingness to work closely with our staff played an enormous part in making this a very successful well-delivered project which will greatly help us in achieving our business goals."

Mark Healy, Chief Risk Officer - NEOVIA Financial - UK

Acquiring market insight and strategy review

"Savantor brought an independent perspective and valuable insight that enabled Rabobank to ratify options for delivery and future growth and make informed business decisions in support of our target business model. Having used Savantor on a number of strategic projects, we have no hesitation in recommending their services to others."

Evert R Fekkes, SVP Payment & Savings Services - Rabobank - Nederland

Clients - Request Support

Send us a support request and one of our specialists will be in contact to assist you.

Consultants – Upload your CV

Register your CV with us and gain access to a range of job opportunities through our online job search portal.