
Target revives its EMV migration plan

 

Way back in 2003, Target started to deploy EMV card technology. However, it had to abandon its attempt to provide more security to its shoppers, as it did not receive appropriate support from the payment card and banking industries.

Target already uses EMV technology at its Canadian stores and has seen credit card fraud drop by a massive 72 percent.

Now Target, which was the target of a massive data breach in late 2013, has once again begun the process of implementing secure EMV cards at all of its stores.

The solution is set to accelerate the deployment of chip-enabled technologies in stores and in Target’s proprietary REDcards by early 2015. The deployment would translate into a USD 100 million investment.

As of now, 300 Target stores in the United States (all in California) have already been equipped with EMV or “Chip and PIN” technology. The plan is to roll out the EMV technology across the entire Target chain by the end of 2014 and have it in operation by January 2015.

The major benefit of standalone cards like Target’s REDcards is that hackers would not be much interested in them, as the stolen credentials can be used only on the standalone network.

 

Digital Tokens – The new Holy grail of eTransactions

 

As the number of eTransactions keeps increasing in our daily financial world, the number of criminals trying to access the customers’ finances is also on the increase.

Yes, there have been numerous tools released by Payment Giants to reduce the instances of fraudulent transactions. It is like a cat and mouse race, and when the balance tips in favor of the criminals, shoppers might reduce their eTransactions.

The challenge for Payment Giants is the varied messaging systems, which at times do not talk to each other. Yes, diversity is good: if one messaging system is compromised, the risks will be restricted to that messaging system only.

The other side of the coin is oligopoly, which is preferred over monopoly.

To raise the security barrier for eTransactions, the three major card issuers, i.e., Visa, MasterCard and American Express, have joined hands.

They have proposed Digital Tokens for online and mobile transactions. The broad guidelines have been finalized, and they are calling on other industry players to support their proposed framework for the new standard, which would be a Global Standard.

The main supporting argument is that the Digital Tokens would make life simpler and safer for customers shopping on a mobile phone, tablet or PC.

The proposed framework would see issuers, merchants and digital wallet providers able to request a token so that when an account holder initiates an online or mobile transaction, the token – and not the traditional card account number – would be used to process, authorize, clear and settle the payment.

The tokens can be customized based on customer risk preferences, i.e., tokens could be restricted in how they are used with a specific merchant, device, transaction or category of transactions.
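The token flow and restrictions described above can be sketched as follows. This is an added example, not code from the proposed framework or the card networks; `TokenVault`, its methods and the restriction fields are hypothetical names, and the card number is a constructed test value.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TokenRecord:
    pan: str                         # real card account number, kept only in the vault
    merchant_id: Optional[str]       # None means "no restriction" for that attribute
    device_id: Optional[str]
    max_amount_cents: Optional[int]
    single_use: bool

class TokenVault:
    """Hypothetical token service: maps random tokens to a PAN plus usage limits."""

    def __init__(self):
        self._records = {}
        self._used = set()

    def request_token(self, pan, merchant_id=None, device_id=None,
                      max_amount_cents=None, single_use=False):
        # Random 16-digit surrogate with no mathematical link to the PAN.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._records[token] = TokenRecord(pan, merchant_id, device_id,
                                           max_amount_cents, single_use)
        return token

    def authorize(self, token, merchant_id, device_id, amount_cents):
        """Return (approved, reason); the merchant only ever handles the token."""
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant_id is not None and rec.merchant_id != merchant_id:
            return False, "merchant not allowed"
        if rec.device_id is not None and rec.device_id != device_id:
            return False, "device not allowed"
        if rec.max_amount_cents is not None and amount_cents > rec.max_amount_cents:
            return False, "amount over token limit"
        if rec.single_use:
            if token in self._used:
                return False, "token already used"
            self._used.add(token)    # consumed only by an approved transaction
        return True, "approved"

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.request_token("4111111111111111", merchant_id="MERCHANT-A",
                              device_id="PHONE-1", max_amount_cents=5000,
                              single_use=True)
    print(vault.authorize(tok, "MERCHANT-B", "PHONE-1", 1000))  # stolen token, other shop
    print(vault.authorize(tok, "MERCHANT-A", "PHONE-1", 1000))
    print(vault.authorize(tok, "MERCHANT-A", "PHONE-1", 1000))  # replay of the same token
```

A token captured in a merchant breach fails every check outside the merchant, device and limit it was issued for, which is the property the restrictions are meant to provide.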

The new framework will be built around existing industry standards to keep the investment to a minimum and also ensure consistency around the world.

 

 

 

Over the coming weeks, the framework will also be presented to other partners and independent industry bodies, such as The Clearing House, PCI Security Standards Council and EMVCo, to align and further advance the standard.

This industry-wide collaboration is similar to collaborations for the adoption of Magnetic Stripe, EMV or NFC.

Security and Risk Mitigation Measures for Electronic Payment Transactions in the Indian ePayment ecosystem.

As Indian citizens rapidly move up the value chain of ePayments, the crooks have also started to follow them. On an average, the Indian media reports 2-5 news articles wherein Indian bank customers have lost money due to breaches in electronic payment channels.

As the electronic payment channels have multiple entry points, securing all of them is an impossible task. These weaknesses are exploited by criminals and hackers to cause havoc with your monies.

In India, Reserve Bank of India is continuously releasing guidelines to enhance the safety of ePayments.

The best part of the guidelines is that all the players (All Scheduled Commercial Banks including RRBs / Urban Co-operative Banks / State Co-operative Banks / District Central Co-operative Banks/Authorised Card Payment Networks) in the electronic payment eco-system are expected to adhere to the guidelines in a reasonable period of time.

To further safeguard ePayments in India, the Reserve Bank of India, vide its Notification No RBI/2012-13/424 DPSS (CO) PD No.1462/02.14.003 / 2012-13 dated 28/02/2013, has announced the following security and risk control measures, as detailed hereunder:

 

A. Securing Card Payment Transactions

01) By default all new debit and credit cards should be enabled only for domestic use. On specific customer request, cards can be enabled for international use too. Such cards enabling international usage will have to be essentially EMV Chip and Pin enabled. (By June 30, 2013)

02) Issuing banks should convert all existing MagStripe cards to EMV Chip cards for all customers who have used their cards internationally at least once (for/through e-commerce/ATM/POS) (By June 30, 2013).

03) All the active MagStripe international cards issued by banks should have a threshold limit for international usage. The threshold should be determined by the banks based on the risk profile of the customer and accepted by the customer (By June 30, 2013). Till such time as this process is completed, an omnibus threshold limit (say, not exceeding USD 500) as determined by each bank may be put in place for all debit cards and all credit cards that have not been used for international transactions in the past.

04) Banks should ensure that the terminals installed at the merchants for capturing card payments (including the double swipe terminals used) are certified for PCI-DSS (Payment Card Industry Data Security Standards) and PA-DSS (Payment Applications Data Security Standards) (By June 30, 2013).

05) Banks should frame rules based on the transaction pattern of the usage of cards by the customers, in coordination with the authorized card payment networks, for arresting fraud. This would act as a fraud prevention measure (By June 30, 2013).

06) Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants (By June 30, 2013).

07) A real time fraud monitoring system is to be implemented at the earliest.

08) Banks should provide easier methods (like SMS) for the customer to block his card and get a confirmation to that effect after blocking the card.

09) Customers should have an option for an additional factor of authentication for cards issued in India and used internationally (transactions acquired by banks located abroad).

10) Real time call referral rules should be framed in co-ordination with the card payment networks.

 

B. Securing Electronic Payment Transactions

01) Customer induced options may be provided for fixing a cap on the value / mode of transactions / beneficiaries. In the event of the customer wanting to exceed the cap, an additional authorization may be insisted upon.

02) A limit on the number of beneficiaries that may be added in a day per account could be considered.

03) A system of alerts may be introduced when a beneficiary is added.

04) Banks may put in place a mechanism for a velocity check on the number of transactions effected per day / per beneficiary, and any suspicious operations should be subjected to an alert within the bank and to the customer.

 

05) Introduction of additional factor of authentication (preferably dynamic in nature) for such payment transactions should be considered.

06) Digital signature for large value payments for all customers, to start with for RTGS transactions, is another safety option.

07) Capturing of Internet Protocol (IP) address as an additional validation check should be considered.

08) Banks accepting sub-members should ensure that the security measures put in place by the sub members are on par with the standards followed by them so as to ensure the safety and mitigate the reputation risk.

09) Banks may explore the feasibility of implementing new technologies like adaptive authentication, etc. for fraud detection.
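Items 01 to 04 of this list translate directly into rules over an account's event stream. The sketch below is an added example, not part of the RBI notification; the limit values, event fields and action names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Assumed limits for illustration; the guidelines leave the actual values to each bank.
MAX_NEW_BENEFICIARIES_PER_DAY = 2
MAX_PAYMENTS_PER_BENEFICIARY_PER_DAY = 3
CUSTOMER_CAP = 50_000  # per-transaction cap the customer has set

def evaluate(events):
    """Return (event_index, action) pairs for every event that trips a rule."""
    added = defaultdict(int)  # (account, day) -> beneficiaries added that day
    paid = defaultdict(int)   # (account, beneficiary, day) -> payments that day
    findings = []
    for i, ev in enumerate(events):
        day = datetime.fromisoformat(ev["ts"]).date()
        if ev["type"] == "add_beneficiary":
            added[(ev["account"], day)] += 1
            findings.append((i, "ALERT_BENEFICIARY_ADDED"))         # item 03
            if added[(ev["account"], day)] > MAX_NEW_BENEFICIARIES_PER_DAY:
                findings.append((i, "BENEFICIARY_LIMIT_EXCEEDED"))  # item 02
        elif ev["type"] == "payment":
            key = (ev["account"], ev["beneficiary"], day)
            paid[key] += 1
            if paid[key] > MAX_PAYMENTS_PER_BENEFICIARY_PER_DAY:
                findings.append((i, "VELOCITY_ALERT"))              # item 04
            if ev["amount"] > CUSTOMER_CAP:
                findings.append((i, "ADDITIONAL_AUTH_REQUIRED"))    # item 01
    return findings

def _ev(kind, ts, beneficiary, amount=0):
    return {"type": kind, "ts": ts, "account": "ACC-1",
            "beneficiary": beneficiary, "amount": amount}

# Constructed sample events, not real bank data.
SAMPLE_EVENTS = [
    _ev("add_beneficiary", "2013-03-01T09:00:00", "BEN-1"),
    _ev("add_beneficiary", "2013-03-01T09:05:00", "BEN-2"),
    _ev("add_beneficiary", "2013-03-01T09:06:00", "BEN-3"),  # third in one day
    _ev("payment", "2013-03-01T10:00:00", "BEN-1", 1_000),
    _ev("payment", "2013-03-01T10:01:00", "BEN-1", 1_000),
    _ev("payment", "2013-03-01T10:02:00", "BEN-1", 1_000),
    _ev("payment", "2013-03-01T10:03:00", "BEN-1", 1_000),   # fourth to BEN-1 today
    _ev("payment", "2013-03-02T11:00:00", "BEN-2", 75_000),  # above the customer cap
]

if __name__ == "__main__":
    for idx, action in evaluate(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["ts"], action)
```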

 

The deadline for Banks to adopt the above is June 30, 2013. As the above were discussed with the stakeholders over the last few months, the adoption should not be painful.

Yes, investment in technology and manpower will be required to quickly safeguard Indian Bank customers from electronic payment risks. The safer the ePayments are, the more people will shift their payment modes to ePayments channel.

Payment by your fingertip – the biometrics way

The search for a safe and easy payment system for Card Present (CP) transactions has motivated a French supermarket chain to take part in a trial involving payments authenticated by scanning fingerprints instead of entering a PIN for credit card payments.

The major players are Banks – Banque Accord, BNP Paribas, Crédit Agricole and Crédit Mutuel Arkéa, IT Firm – Natural Security, POS Giant – Ingenico and French retailers – Auchan, Leroy Merlin and certain associated retailers in Angoulême (close to Bordeaux, South West of France) and Villeneuve d’Ascq (close to Lille, North of France).

The sample size is 1500 and the testing period is 6 months. Both variants of biometrics, i.e., digital fingerprint scanning (Bordeaux site) and finger vein patterns (Lille site), are being tested. This is the first time that both variants are being tested in parallel live situations.

The biometrics are stored on the credit card, and for authentication the communication happens between the contactless credit card and the fingerprint reader, without passing through a centralized biometric database.

This unique feature thereby ensures the customer’s privacy and makes the system theft-proof.

The process is as under:

01) Bank customers first visit a branch to register their biometrics data on to their credit card.

02) The payment card stores a payment application (EMV) as well as the biometric data used for authentication.

03) An individual charger in a case is provided to each customer for their card. This facilitates communication between the plastic and the payments terminal.

04) Once the customers finish their shopping at the participating outlets, they can pay by placing their fingers on biometric readers. Care should be taken that the card is within one and a half meters of the terminal, so it can be left in the user’s pocket or bag.

05) An exchange of data takes place between the credit card and the fingerprint reader as the customer places his hand on the scanner. No additional PIN is required, nor does the card need to be physically presented.

06) The system also protects user privacy, as the data and applications used for authentication are stored on a personal device (e.g., smart card, SD card) and remain solely under the user’s control. This limits the risk of data misuse and theft.

 

The system will continue to be tested for six months at the French supermarket before going public.

The new payment method combines a smart payment card, biometrics and mid-range contactless communication.

The solution is being deployed in stores for real-life testing. The objective of the trial is threefold:

01) To validate the various technical aspects of the project, such as biometric Match-on-Card and mid-range contactless technologies.

02) To gauge the reactions of consumers, retailers and banks.

03) To evaluate support processes such as the data enrollment.

 

The trial will also aim to validate EMV transactions carried out by consumers, with cards issued by several banks.

 

Re-dissemination by Prashant N. Banker by daytime, Blogger by night.
