From Pen to PIN. Electronic Payment :: e-Payment

From Pen to PIN


Date: Saturday, September 21 @ 18:33:34
Topic: Electronic Payment :: e-Payment


The move to Personal Identification Numbers for retail purchases and what it means for consumers, retailers and banks
A Giant Leap?

In February 2002, APACS (the Association for Payment Clearing Services), which represents the UK banks for payments, announced the timetable for the UK’s migration to the use of PIN as the standard method of confirming the identity of the cardholder (‘cardholder verification’) when debit or credit cards are used for retail purchases. In cooperation with the retail community, the migration will commence in early 2003 with a trial in the Northampton area and will be followed by a national rollout which is planned to complete during 2005.

The UK represents one of the world’s most sophisticated card payments markets, with cards first being introduced in the 1960s. UK card purchases have traditionally relied on paper signature checking to verify the cardholder’s identity, but experience shows that these checks are often cursory, sometimes non-existent and provide no more than minimal protection against stolen cards being used for purchases. The only practical, reliable method of ‘cardholder verification’ currently available is PIN.

Behind this move is the continuing rise in UK card fraud. In 2001, the total reached £410m, a 25% annual increase reflecting the continuing acceleration of fraud losses. This trend has attracted government attention, not least because the ease with which card details can be copied (‘skimmed’ to make duplicate cards or used in telephone or internet transactions) or can be fabricated to make counterfeit cards has made card fraud an easy target for organised crime. Government pressure apart, the prospect of further rises in card fraud losses makes the move to technologies that will eliminate a large proportion of this fraud now more viable in terms of a business case. The estimated overall cost of £1.1bn starts to look like a good investment, and if the experience of other markets where PIN at PoS has been introduced is repeated, this will be justified – in France, the introduction of PIN (without the other benefits of smartcard migration) cut PoS fraud from lost and stolen cards by 80%.

Many fraud countermeasures have been, and continue to be, introduced. These have included the wider use of ‘hot card files’, updated daily and stored in point-of-sale (PoS) terminals, and more selective and targeted on-line authorisation, where the transaction details are sent to the card issuer for checking. However, the most fundamental anti-fraud programme was started in the mid-1990s, when the banks embarked on a trial of credit and debit smartcards with embedded computer chips.

These carry a smartcard application based on the new global EMV standard for payment smartcards, named after Europay, MasterCard and VISA, who jointly developed the standard. EMV smartcards can prove, when used in a compatible PoS terminal, that the card is genuine. The trial was a success and mass-issuance of smartcards began in the late 1990s. Phase 2 now starts – enhancing the technology to prove, in addition to the card being genuine, that the customer is the rightful card owner.

How Does It Do That?

The smartcard works by storing information securely and using its internal microprocessor to perform checks and processes on that information during a transaction. One such item is the cardholder’s PIN: it is stored so that it can never be read out of the card (the card only reports whether a PIN presented to it matches), although it can be changed (more on this below). The ability of the smartcard to process data represents a fundamental change in the way PoS transactions are conducted, since card issuers are now able to take an active role in deciding the outcome of a transaction – including the decision on whether the transaction will be sent on-line for authorisation – by having their smartcards carry out pre-determined actions using information both stored in the card and provided by the PoS terminal at the time of the transaction.

EMV smartcards can, in conjunction with the PoS terminal, check that:

- the organisation that issued the card is bona fide and has been certified by the card scheme whose brand (e.g. VISA) appears on the card

- the smartcard is genuine, because it contains secret keys that could only have been placed there by the card issuer

- the data stored in the smartcard has not been tampered with.

This is achieved using a technique called ‘Public Key Cryptography’, in which related pairs of Public and Private Keys are used to create, and later verify, digital certificates and digital signatures stored in the card. The PoS terminal holds the public keys of the card schemes; with the scheme’s key it verifies the issuer’s public key certificate carried on the card, with the issuer’s key it verifies the card’s own certificate (or the issuer’s signature over the card’s static data), and the data recovered from these certificates and signatures is checked against what the card presents. The hierarchy of trust established by this ‘Public Key Infrastructure’ (PKI), with the card scheme at its top, means the terminal needs only the scheme’s public keys to authenticate the issuer and ultimately the smartcard itself. In addition, every time a transaction using the card is sent on-line for authorisation, separate cryptographic checks – cryptograms computed by the card and by the issuer under a shared secret key – provide mutual authentication between the card and the card issuer.
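The chain of trust described above, as an added worked example that is not code from the article or from any EMV implementation: a scheme CA certifies an issuer key, the issuer certifies the card (ICC) key, and a terminal that holds only the scheme CA public key authenticates the card by walking the chain and then checking the card’s signature over a fresh challenge (the dynamic-authentication pattern). The keys are constructed toy RSA keys built from Mersenne primes so the block runs with no cryptographic library; the key sizes, the `digest` reduction, the certificate encoding and all names (`SCHEME_CA`, `ISSUER`, `ICC`, `FRAUDSTER`, `terminal_authenticate`) are assumptions for illustration, not EMV’s actual formats.

```python
"""Toy model of the EMV offline-authentication trust chain (added example)."""
import hashlib

E = 65537


def make_key(p: int, q: int) -> dict:
    # CONSTRUCTED toy RSA key from two primes so the block runs without a
    # crypto library. Real EMV keys are 1024-1984 bits; these are far smaller.
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def digest(data: bytes, n: int) -> int:
    # SHA-256 reduced below the modulus so textbook RSA can sign it (toy only;
    # EMV wraps a SHA-1 hash in a formatted block recovered from the signature).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: dict, data: bytes) -> int:
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])


def cert_body(subject: str, pub: dict) -> bytes:
    # The signed part of a certificate: who it names and which key it binds.
    return f"{subject}|{pub['n']}|{pub['e']}".encode()


def issue_cert(signer: dict, subject: str, pub: dict) -> dict:
    return {"subject": subject, "n": pub["n"], "e": pub["e"],
            "sig": sign(signer, cert_body(subject, pub))}


def terminal_authenticate(ca_pub: dict, issuer_cert: dict, icc_cert: dict,
                          challenge: bytes, dyn_sig: int) -> str:
    """What a PoS terminal does with only the scheme CA public key it holds."""
    if not verify(ca_pub, cert_body(issuer_cert["subject"], issuer_cert), issuer_cert["sig"]):
        return "issuer certificate not signed by scheme CA"
    issuer_pub = {"n": issuer_cert["n"], "e": issuer_cert["e"]}
    if not verify(issuer_pub, cert_body(icc_cert["subject"], icc_cert), icc_cert["sig"]):
        return "ICC certificate not signed by issuer"
    icc_pub = {"n": icc_cert["n"], "e": icc_cert["e"]}
    if not verify(icc_pub, challenge, dyn_sig):
        return "dynamic signature invalid"
    return "ok"


# Constructed actors. Distinct primes per key: sharing a prime between keys
# would let one modulus be factored from another.
SCHEME_CA = make_key(2**127 - 1, 2**107 - 1)   # card scheme, top of the hierarchy
ISSUER = make_key(2**89 - 1, 2**61 - 1)        # card issuing bank
ICC = make_key(2**31 - 1, 2**19 - 1)           # the chip's own key pair
FRAUDSTER = make_key(2**17 - 1, 2**13 - 1)     # key of someone cloning cards

ISSUER_CERT = issue_cert(SCHEME_CA, "issuer:example-bank", public(ISSUER))
ICC_CERT = issue_cert(ISSUER, "icc:card-0001", public(ICC))


def genuine_transaction(challenge: bytes) -> str:
    return terminal_authenticate(public(SCHEME_CA), ISSUER_CERT, ICC_CERT,
                                 challenge, sign(ICC, challenge))


def cloned_card_transaction(challenge: bytes) -> str:
    # A skimmed clone carries copies of the public certificates but not the
    # ICC private key, so it cannot sign the terminal's fresh challenge.
    return terminal_authenticate(public(SCHEME_CA), ISSUER_CERT, ICC_CERT,
                                 challenge, sign(FRAUDSTER, challenge))


def tampered_certificate_transaction(challenge: bytes) -> str:
    # Swapping the clone's modulus into the ICC certificate breaks the
    # issuer's signature over it.
    forged = dict(ICC_CERT, n=FRAUDSTER["n"])
    return terminal_authenticate(public(SCHEME_CA), ISSUER_CERT, forged,
                                 challenge, sign(FRAUDSTER, challenge))


def uncertified_issuer_transaction(challenge: bytes) -> str:
    # A self-made "issuer" the scheme CA never certified: the chain fails at
    # the first link, however consistent the rest of it is.
    rogue_issuer_cert = issue_cert(FRAUDSTER, "issuer:rogue", public(FRAUDSTER))
    rogue_icc_cert = issue_cert(FRAUDSTER, "icc:fake", public(FRAUDSTER))
    return terminal_authenticate(public(SCHEME_CA), rogue_issuer_cert, rogue_icc_cert,
                                 challenge, sign(FRAUDSTER, challenge))


if __name__ == "__main__":
    nonce = b"terminal-unpredictable-number:1a2b3c4d"  # constructed challenge
    for scenario in (genuine_transaction, cloned_card_transaction,
                     tampered_certificate_transaction, uncertified_issuer_transaction):
        print(f"{scenario.__name__}: {scenario(nonce)}")
```

The terminal never needs the issuer’s or the card’s public key in advance: both are recovered from certificates on the card and trusted only because the chain ends at a scheme key the terminal already holds. The challenge must be fresh per transaction; a signature replayed from an earlier purchase fails the last check.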

To prove the identity of the cardholder during a purchase, the retailer enters the purchase amount or it is calculated by the till as usual. The cardholder then confirms the transaction by punching their PIN into a ‘PIN Pad’ with a calculator-like keyboard which is shielded from view and either built into the terminal or connected by a cable. The terminal securely sends the PIN entered by the cardholder to the card, where it is compared, within the smartcard itself, to the stored PIN. If correct, the purchase proceeds; if not, the cardholder may have another chance to enter their PIN but, just like at a cash machine, three wrong PINs will lock the card, which will then need to be ‘unlocked’ before it can be used for purchases again. The stored PIN is never revealed to the outside world during this process.
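The PIN exchange described above, as an added worked example that is not code from the article or from any card or terminal vendor: the PIN pad formats the entered PIN into an EMV plaintext PIN block, sends it to the card in a VERIFY command, and the card compares it internally, maintaining a try counter that blocks the card after three failures. The command format (CLA 00, INS 20, P2 80 for plaintext PIN) and the status words 9000, 63Cx, 6983, 6A80 and 6D00 are the EMV Book 3 / ISO 7816-4 values; the `SimCard` class, `terminal_verify`, the `issuer_unblock` method (which stands in for the MAC-protected issuer script the PIN Management Services discussed later deliver through the ATM) and the reference PIN are constructed for this illustration. It also covers the unlock step the later sections on customer service and PIN Management Services describe.

```python
"""Simulated EMV offline PIN verification with a PIN try counter (added example)."""
import hmac

PIN_TRY_LIMIT = 3  # three wrong PINs block the card, as at an ATM
VERIFY_HEADER = bytes([0x00, 0x20, 0x00, 0x80])  # CLA INS P1 P2; P2=80: plaintext PIN


def build_pin_block(pin: str) -> bytes:
    """EMV plaintext PIN block: nibble '2', PIN length, PIN digits, 'F' padding to 8 bytes."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))


def build_verify_apdu(pin_block: bytes) -> bytes:
    """VERIFY command APDU as the PIN pad sends it to the card."""
    return VERIFY_HEADER + bytes([len(pin_block)]) + pin_block


class SimCard:
    """CONSTRUCTED stand-in for the chip: holds the reference PIN and the try counter."""

    def __init__(self, reference_pin: str) -> None:
        self._pin = reference_pin  # never read out; the card only reports a match
        self.tries_left = PIN_TRY_LIMIT

    def process(self, apdu: bytes) -> bytes:
        """Return the 2-byte status word for a VERIFY APDU."""
        if apdu[:4] != VERIFY_HEADER or len(apdu) != 13 or apdu[4] != 8:
            return b"\x6D\x00"  # instruction not supported by this simulation
        if self.tries_left == 0:
            return b"\x69\x83"  # authentication method blocked: no compare at all
        block = apdu[5:].hex().upper()
        n = int(block[1], 16)
        candidate = block[2:2 + n]
        malformed = (block[0] != "2" or not 4 <= n <= 12
                     or not candidate.isdigit() or block[2 + n:] != "F" * (14 - n))
        if malformed:
            return b"\x6A\x80"  # wrong data; does not consume a try
        if hmac.compare_digest(candidate, self._pin):  # constant-time compare
            self.tries_left = PIN_TRY_LIMIT
            return b"\x90\x00"
        self.tries_left -= 1
        return bytes([0x63, 0xC0 | self.tries_left])  # 63Cx: x tries remain

    def issuer_unblock(self, new_pin: str = "") -> None:
        """Models the PIN unblock / PIN change the issuer performs through the ATM.
        In EMV this is an issuer script command protected by a MAC under the
        issuer's secret key; the MAC check is omitted in this simulation."""
        if new_pin:
            build_pin_block(new_pin)  # validates the new PIN's format
            self._pin = new_pin
        self.tries_left = PIN_TRY_LIMIT


def terminal_verify(card: SimCard, pin: str) -> str:
    """Terminal side: send VERIFY and turn the status word into an outcome."""
    sw = card.process(build_verify_apdu(build_pin_block(pin)))
    if sw == b"\x90\x00":
        return "verified"
    if sw == b"\x69\x83":
        return "card blocked"
    if sw[0] == 0x63 and sw[1] & 0xF0 == 0xC0:
        left = sw[1] & 0x0F
        return "wrong PIN, card now blocked" if left == 0 else f"wrong PIN, {left} tries left"
    return f"error {sw.hex()}"


if __name__ == "__main__":
    card = SimCard("1234")  # constructed reference PIN
    for attempt in ("1234", "0000", "1111", "2222", "1234"):
        print(attempt, "->", terminal_verify(card, attempt))
    card.issuer_unblock()
    print("after unblock ->", terminal_verify(card, "1234"))
```

Two details matter in practice: a blocked card refuses the compare outright (6983) rather than revealing whether the PIN was right, and a malformed PIN block is rejected without consuming a try, so a faulty terminal cannot lock cards by itself.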

Using EMV smartcards, therefore, two of the questions that decide the result of a transaction can be answered locally, without contacting the card issuer: is the card genuine, and is the cardholder genuine?

Confusion for Consumers?

Most consumers who use credit or debit cards for purchases also use a card at cash machines (ATMs), where PIN is already the standard for verifying cardholder identity. The ATM card they use is often the same debit card they could use to make purchases (e.g. Switch, Delta) and therefore the PIN associated with that card is familiar to them. However, many consumers hold more than one card (the average is 2.75 cards per adult) of different types and/or issued by different organisations: credit cards, debit cards and charge cards issued by their personal bank, their employer’s bank or a third party (e.g. Goldfish). Often the cardholder will not know or will not have been issued with a PIN for cards other than their ATM card, so the issues for consumers will arise less from the mechanics of using a PIN at the point-of-sale than from keeping track of the PINs for all their cards.

The industry is addressing this by enabling cardholders, from Day 1, to change their PINs at ATMs, allowing them to set the same PIN for all their cards if they wish. Discussions are continuing to ensure this works in practice – how, for example, to provide this service at all ATMs, not just those operated by the card’s issuer (some issuers do not operate any ATMs…).

Customer service procedures are also needed to support cardholders who have locked out their cards, accidentally or from genuinely forgetting their PIN. If they remember the PIN, their card can be unlocked, but if they cannot recall or never knew the PIN, it must be re-advised or a new PIN issued, and then the card used in a special ATM transaction to perform the unlock.

The Retailer Perspective

Overall, the outlook for the retail community is positive, in spite of the inevitable teething troubles and a migration period of at least three years. A consensus among retailers, banks and consumer groups will be necessary to ensure a consistent customer message and experience and to manage the transition period, when some cardholders will certainly forget or not know their PIN.

For PINs to be used, all point-of-sale equipment, whether owned by banks or retailers, needs to be upgraded or replaced to introduce PIN pads. While the benefits for the banks are clear, there are also significant retailer benefits. These are widespread. For example: simpler point-of-sale procedures, because assistants will no longer be required to make decisions based on paper signatures; reduced liability for fraud, since the presence of card and cardholder can be proven; faster checkout times (particularly important for supermarkets); and the promise of higher floor limits resulting from the reduced fraud risk, and therefore fewer transactions needing on-line authorisation by the card issuer. Another key area where PIN will benefit retailers is enabling the wider use of unattended terminals, where previously there was no means of verifying cardholder identity – opportunities for card acceptance at unmanned petrol stations, vending, car parks and many other sectors will develop.

What the Banks Must Do

Banks in the cards business play a card issuer and/or a transaction acquirer role, having relationships with cardholders and retailers respectively. Another acquirer group are the operators of ATMs, although most of these are also card issuers. The processes for issuing cards and the underlying security processes will undergo significant change, as will the cards themselves, leading to the eventual replacement of the entire UK card base, including existing smartcards.

Other than point-of-sale upgrades, the introduction of PIN for purchases will not have a major impact on the systems now in place for processing retail transactions, provided these have already been upgraded to smartcard capability; nor will existing ATM transactions be affected.

Another area where major change will be required is in the provision of PIN Management Services (PMS) for changing and unlocking PINs. PMS will be delivered through the ATM network and will use new, specially designed transaction types. Card issuers, networks (e.g. LINK) and ATM operators will need to introduce PMS to ensure that the introduction of PIN for purchases is successful, gains cardholder acceptance and will continue to operate with minimum disruption and cardholder confusion.

This article comes from Kalysis Community
https://kalysis.com/content

The URL of this article is:
https://kalysis.com/content/article.php?sid=104