The Successful Road to Smart Cards
Jim Davis, managing director at Thales e-Transactions, argues that although some countries and regions are ahead of others in the drive to adopt EMV, there is still a long way to go to achieve the desired results. The process can be improved only through better education as well as increased participation from the retailing community.
The major card associations, including MasterCard and Visa, have set dates by which regions around the world must have completed migration to EMV cards (e.g. the deadline for the Middle East is January 2006). Beyond these dates liability for fraudulent transactions will lie with magnetic stripe card issuers or acquirers, if it can be shown that the use of smart card technology would have prevented fraud.
The count-down to EMV compliance has started and there will be a rush as the deadline looms nearer, squeezing the amount of time technology vendors can devote to each issuer, predicts Davis’ colleague, Ian Maddocks, who has been involved with Visa and MasterCard in the development of their EMV solutions. He claims better service and more comprehensive support may be available to the early adopters. Issuers need to bear in mind that the date appropriate to their region is not the starting gun for migration – it is the date by which the whole of their card base and its supporting infrastructure should be EMV compliant. Testing and any pilot scheme should be completed well before this date.
The development of the smart card may well turn out to be one of the most fundamental changes yet seen by the global payments industry. EMV seeks to ensure that cards, terminals and other systems will successfully interact, for debit and credit applications at least, wherever they are in the world. The smart card works by storing information securely for use during a transaction and by performing checks and processes using its internal microprocessor. Much larger memory capacity enables it to hold multiple applications, for example, an ‘anchor’ debit card application, plus a number of others which do not have to be financial. According to Davis, early movers in the market have shown that smart cards reduce losses due to fraud while generating new revenues and differentiation. For all card issuers, he says the question is not “should we migrate to smart cards” but “when should we migrate to smart cards?”
There are, anyway, compelling differentiation and fraud prevention reasons why all issuers should consider moving quickly. American Express found that new customers in the US and UK were attracted by the promise of extra security and the novelty value of EMV smart cards. Early adopter market advantage is therefore a reality.
As a card issuer, there are many challenges that need to be considered when moving to EMV. A smart card must be programmed with an operating system (often called a mask) before it can be loaded with applications, in much the same way as a PC needs Windows or Linux before it can run applications and have any utility for users. Then, when an application such as Visa’s VSDC (Visa smart debit credit), MasterCard’s M/Chip or JCB’s J/Smart is loaded onto a smart card, together with unique data that personalises the application to an authorised cardholder, the card can interact with payment terminals to perform secure transactions.
One further major advantage is that smart cards can be securely updated or re-programmed in the field. An issuer can update risk management parameters contained within an EMV banking application remotely during an online transaction at a terminal.
Some types of multi-application cards support the download of new applications and the deletion of old ones remotely at dedicated terminals or over the Internet. The winners in the move to smart cards are likely to be those issuers who most successfully exploit such flexibility to offer the most compelling proposition at the lowest cost, Davis points out.
A multi-application smart card, in addition to providing debit or credit functionality, might also work as a store chain loyalty card, a library card, a gymnasium membership card – the possibilities are very broad. Indeed, some industry commentators have suggested that there is no technical reason why a single smart card should not securely carry all the personal information in the average person’s wallet including, in some countries, driving licence and social entitlement details.
There is no doubt that the relative simplicity of a single application card provides the easiest and fastest route to EMV issuing, with all the benefits of brand visibility, leadership and market penetration that rapid deployment will generate for early adopters, according to Davis.
But it is unlikely to be as cost-effective as a multi-application card. The more useful applications a single card holds, the more indispensable it becomes. The higher the perceived value, the less likely the customer is to switch to an alternative card, even though it may offer a lower interest rate. An issuer that opens its card to applications from third-party providers not only spreads card deployment and management costs but also generates further income streams through its rental of card ‘real-estate’.
Card price is primarily determined by the memory size. Multi-application cards require larger memory – typically 16K or above to store the additional information. Proprietary, single application cards use less memory – typically in the range 2-4K- and are therefore cheaper.
There are over 20 vendors of smart cards globally. Most have single application as well as multi-application platforms with memory capacities ranging from 2 to 64 Kbytes. Many offer data preparation and card personalisation services to support their proprietary schemes.
Magnetic stripe card issuance and management is supported by tried and tested legacy back-office systems. So, one challenge for issuers looking to migrate to EMV smart cards is how to provide similar automated support facilities for the new card technology, Davis points out. Single application smart cards are significantly more complex and therefore demanding of support systems than magnetic stripe cards.
This is one reason why upgrading or modifying existing support systems to handle smart cards is thought by some experts to not be cost-effective. Multi-application smart cards present back-office support systems with an even more complex support task. The route preferred by most issuers, particularly those moving to multiple-application cards, is therefore to concentrate smart card issuance and management support in a separate, dedicated solution that interfaces to the legacy back office issuing and acquiring systems.
Smart card management systems (SCMS) manage cards and applications
throughout their entire life cycle, before and after issue to customers. They enable the loading, blocking or deleting of applications at any time, and make new card-based services instantly available via the Internet or private network. SCMS also store details of every smart card issued, making the replacement of lost or stolen cards both fast and simple. The same information can also be used to create a comprehensive database of cardholders and their application preferences. Some SCMS support the setting and changing of application parameters during issuance and in the field, including EMV risk parameters.
Despite only being concerned with the process flow between terminal and smart card, the EMV specification has implications for retail bank host systems, and for ATM and point of sales (PoS) systems. Hosts may need to be upgraded to process online or batch transactions from devices using message protocols enhanced from their magnetic stripe equivalents. Network interfaces will need enhancement to transmit EMV data when transactions are switched out to issuer banks for authorisation. Online authorisation capabilities will also require upgrading.
With online EMV transactions, issuers may be required to receive extra chip-related data in the online message and reply to the acquirer, and therefore to the device, with additional response data. This includes authentication using the authorisation request cryptogram (ARQC) and authorisation response cryptogram (ARPC) in a process known as on-line mutual authentication (OMA). The issuer’s host needs to be enhanced to provide this processing, which it does in conjunction with the host security module and secret keys encrypted ultimately by local master keys maintained by the HSM.
EMV allows issuers to use scripts to modify data elements such as the PIN or risk parameters on a smart card during online transactions. Since this is a sensitive process, these scripts must be secured with the use of cryptography, again involving the use of an HSM. As scripts are now being generated by the online host processor, this demands much closer integration with card management systems than is the case with magnetic stripe cards.
The majority of ATM and EFTPoS terminals in current use only perform magnetic stripe based transactions, even though some support smart card functions but would require a software upgrade. Others support smart cards, but typically older versions of the EMV specification and will require upgrading.
A small number of ATM networks have been performing chip-based transactions for some years. Use of the magnetic stripe is still anticipated – although in the future it will mainly be used to establish the correct orientation for the card, except of course for magnetic stripe transactions when a non-chip card is used.
ATMs typically need a substantial software upgrade to cope with EMV cards. Many of the leading ATM manufacturers have already released type approved software but to date there are few deployments. The slow take-up is partly due to such software only recently becoming available, and partly due to the enhancements needed at host systems to accommodate the new application protocols. Hardware upgrades are also required on some ATMs. The size of the upgrade is very dependent on the particular style of ATM but varies from a simple change to the card reader to a full upgrade of the ATM processor.
For stand-alone dial-up EFTPoS terminals already incorporating chip card readers, EMV acceptance is simply a matter of upgrading the resident software application. Acquirer banks or processors usually own such terminals, which makes upgrades the responsibility of those organisations and not the retailer.
Such a software upgrade can often be made remotely over the terminal network. However, this will also require an enhanced transaction protocol between terminal and host, necessitating an upgrade at the host also. As the protocols involved tend to be simpler than those used with ATMs, such host enhancements are not normally a major obstacle to EFTPoS smart card acceptance.
Those stand-alone EFTPoS terminals that do not currently accept smart cards require either a hardware upgrade or replacement. The upgrade route may seem the most cost effective but the owner must be aware that there are performance considerations to be taken into account. For example an old generation product that has been upgraded may result in lengthy chip transaction times due to increased processing requirements. This will only get worse in the future with the introduction of longer keys for increased security.
Consequently, the short-term cost advantages of hardware upgrades must be balanced against the impact on customer satisfaction (longer waiting times at the checkout). The ideal solution is to replace the entire estate with the latest generation products but this can be costly. For those markets that are migrating to PIN customer verification (such as the UK) the situation is even more complex. Upgrades will have to consider not only chip but also PIN acceptance.
The situation is complicated somewhat by a second category of retail EFTPoS terminals. Many large multi-lane retailers like supermarkets and department stores use integrated EPoS devices that combine payment and checkout functionality. Upgrades will require significant programming efforts to integrate the software applications that handle bar code scanning, inventory and other functions with the EMV payment transaction process. As retailers themselves own these devices, upgrades will be their responsibility. In general, however, retailers are viewing the shift to EMV positively. There will, for example, be simpler point-of-sale procedures with less reliance on paper signatures, reduced potential for fraud, faster checkout times, higher floor limits, and more scope for unattended terminals through the use of offline PIN.