Tuesday, April 17, 2007

Migration from Magnetic Stripe to Smart Cards - Part 2

The Existing Magnetic Stripe Process

Cards are produced in batches and it is the responsibility of the host system to assemble all data for a given batch of cards. A batch might be generated as a result of the normal replacement cycle (two or three years) or possibly to replace those cards that have been reported lost or stolen during the day. The host system produces the data in a series of records, one record per cardholder. The data is known as a Personalization Data File.

Each record of the Personalization Data File comprises a number of modules. These normally include:
  • Data to be embossed onto the card.
  • Data to be encoded onto the magnetic stripe of the card.
  • Data to be printed on a “paper carrier.” This carrier is used to hold the card, while in its delivery envelope, and is printed, for example, with the cardholder’s name and address.
  • Data for an ID photograph
Most of the information for these modules are held in the cardholder database.
Some items in the magnetic stripe module need to be generated using a security module.

These include a PIN Verification Value (PVV), or equivalent,
and a Card Verification Value (CVV).

Both these items are derived using a cryptographic process that involves the use of secret keys.

The data is the file is not normally encrypted.

The PIN mailer for a card is normally produced in a separate establishment from the cards themselves, often as a separate output from the issuer host system. This separation of PIN mailer and finished card is normally an essential part of the card issuance process. Often, PIN mailers are not posted until the cardholder acknowledges receipt of the card.

With the arrival of the smart card, the issuer needs to produce an extra “module” of data, which is intended to be programmed into the chip itself. Of course, there will be many items of information in this chip data, which are common to the magnetic stripe and the embossing data. Examples of this are a Primary Account Number (PAN) and the cardholder name. However, there are some new items that are specific to smart cards.

Some examples are:-

Upper consecutive offline limit:

This is a value held by the card that determines its spending limit. After this limit has been exceeded, the card forces the transaction to be completed online. This is part of the inherent risk management features of a chip card.

Signature of static card data:

This is a value calculated using a public key cryptographic algorithm at the time the card data is generated. It can be validated by each terminal accepting the card and is used to give some confidence that the card is genuine.

Issuer certificate:

This data is set up by the issuer in conjunction with the card association to which the issuer belongs (Visa or MasterCard). It is placed onto every card issued and contains the public key of the issuer. It is used by the terminal as part of the process to validate the signature in the second item in this list.

Unique Derived Keys (UDKs):

These are DES keys, unique to each card, which are placed on the chip and used as part of the transaction validation process. Basically, the transaction details are passed to the card, which uses the UDK to generate a cryptogram (similar to a MAC) that is passed back to the issuer for validation. Using this technique, the issuer can be sure that the transaction was handled by a valid card.

The various credit and debit specifications define in excess of 40 such data items, which need to be generated and placed on smart cards. It is the issuer’s responsibility to generate these items, something that existing card systems were never designed to handle.

INFO:
The advent of chip cards has meant that for the first time, some of the data passing from issuer to personalizer is now secret and must only be sent in encrypted form. The UDKs previously described are an example of such secret data.

Monday, April 16, 2007

Migration from Magnetic Stripe to Smart Cards - Part 1

We need to follow the following steps for migration to Smart Cards

1.Enhancements to the card issuing process
2. Enhancements to the card personalization process
3. Enhancements to the systems that handle card transactions


Enhancements to the Card Issuing Process

Existing systems were developed, often many years ago,
to handle the types of data needed for magnetic stripe cards.

Smart cards require considerably more data to be generated,
including cryptographic keys for the cards themselves.

In most instances, changing existing systems represents a major investment of resources.

Enhancements to the Card Personalization Process

Banks generally personalize their cards in one of two ways:
either using an in-house facility or using an external personalization bureau.

The choice is usually based on the size of the cardholder base,
because setting up an in-house facility is an expensive exercise


Enhancements to the Systems that Handle Card Transactions

Systems are in place today for handling a number of magnetic-stripe-based transactions,
such as ATM cash dispensing,
Online card and PIN verification, and
Offline bulk transaction processing.

By using smart cards, there is a need to extend these systems
to handle the transaction verification mechanism used in smart debit and credit cards,
or in the case of electronic purse schemes, like Visa Cash,
to handle the secure loading of e-cash onto the card.

Sunday, April 15, 2007

Payment Processing Network

The Payment Processing Network

Here’s a breakdown of the participants and elements involved in processing payments:

Acquiring bank: In the online payment processing world, an acquiring bank provides Internet merchant accounts. A merchant must open an Internet merchant account with an acquiring bank to enable online credit card authorization and payment processing. Examples of acquiring banks include Merchant eSolutions and most major banks.

Authorization: The process by which a customer’s credit card is verified as active and that they have the credit available to make a transaction. In the online payment processing world, an authorization also verifies that the billing information the customer has provided matches up with the information on record with their credit card company.

Credit card association: A financial institution that provides credit card services that are branded and distributed by customer issuing banks. Examples include Visa® and MasterCard®

Customer: The holder of the payment instrument—such as a credit card, debit card, or electronic check.

Customer issuing bank: A financial institution that provides a customer with a credit card or other payment instrument. Examples include Citibank and Suntrust. During a purchase, the customer issuing bank verifies that the payment information submitted to the merchant is valid and that the customer has the funds or credit limit to make the proposed purchase.

Internet merchant account: A special account with an acquiring bank that allows the merchant to accept credit cards over the Internet. The merchant typically pays a processing fee for each transaction processed, also known as the discount rate. A merchant applies for an Internet merchant account in a process similar to applying for a commercial loan. The fees charged by the acquiring bank will vary.

Merchant: Someone who owns a company that sells products or services.

Payment gateway: A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments. The service is usually operated by a third-party provider such as VeriSign.

Processor: A large data center that processes credit card transactions and settles funds to merchants. The processor is connected to a merchant’s site on behalf of an acquiring bank via a payment gateway.

Settlement: The process by which transactions with authorization codes are sent to the processor for payment to the merchant. Settlement is a sort of electronic bookkeeping procedure that causes all funds from captured transactions to be routed to the merchant’s acquiring bank for deposit