Card payment security standards
In response to changing patterns of fraud, and in particular to some very large-scale frauds in the last couple of years, US acquirers and processors have proposed that card details be encrypted close to the card, and only decrypted in the secure environment of the scheme gateways.
Others have derided this 'End to End Encryption' as a 'steel door on a grass hut'. In this article published in Payments Cards and Mobile I suggest that E2EE could play a role, but the critical thing is to develop a road-map which allows the European and US approaches to converge - it is not in anyone's interests for the two to develop separately. This document is password protected; please contact me for the password.
Year review 2009
Each year I take a sideways look at the world of card payments, based purely on projects and companies I have been involved with in the last year. Here as usual are a few thoughts as we move into 2010.
UNIFI / ISO 20022 for cards
Most people involved in cards standards have heard of ISO 20022, but few know in detail what it is or how it would be applied to card payments.
"UNIFI for cards" seeks to explain the role of the new standard and just how it could be applied in the card payments world. It concludes that adopting UNIFI would bring real benefits, but it will take many years and requires active support from governments. This document is password protected; please contact me for the password.
SEPA Cards standardisation
During 2008 the European Payments Council has issued two consultation documents on SEPA Cards Framework standardisation. Nonetheless the view in the market is that SEPA for cards has lost momentum, and there is virtually no retailer support for what should be a very important standardisation process, affecting potentially all non-cash retail payments in the real and virtual worlds.
This paper, an edited version of which was published in European Card Review in December 08, reviews the processes adopted by the EPC and concludes that a fresh approach is urgently needed, based on an assessment of needs rather than a merging of existing solutions to the problems of the 1990s. This document is password protected; please contact me for the password.
Contactless cards
2008 saw the launch of contactless bank cards in the UK and this is rapidly becoming the largest deployment in Europe, and soon the second-largest in the world.
My paper "Contactless cards in Europe" explores the significance of this development and the way it differs from deployments in other parts of the world.
This document is password protected; please contact me for the password.
Smart Card Management Systems
As more sectors, from Government and corporates to banks and transport companies, make use of smart cards, they all face the need for systems to manage their cards and card applications. However, their needs are often surprisingly different, and this
can cause problems for multi-application card issuers. I have (in Dec 08) updated my overview and survey of Smart Card Management System vendors and systems, focusing on the features each supports that are relevant to more than one sector. This document is password protected; please contact me for the password.
Prepaid cards
There are now over 100 prepaid card schemes in the UK, although many of them are too small to be profitable, while others are restricted to use in a single retailer or small group of retailers.
In this paper I review the UK market for prepaid cards and conclude that it must be viewed as a collection of much smaller markets with very different requirements and characteristics. This document is password protected; please contact me for the password.
ISO 19092: Security framework for biometrics in financial services
With much talk of the need to protect customers' identities and improve the security of databases, the publication of a new version of ISO 19092 in January 2008 seemed timely. Experience of FIPS 201, new multi-application card products and card management systems all offer new insights and solutions. Sadly the "standard" consists mostly of descriptions of existing techniques and issues; only one chapter really sets out a minimum standard and this appears to be based on a service model in which the bank does not manage its own card applications. The biometrics and banking industries do not appear to be able to align their objectives - what can we do to help?
SEPA
The combined effects of the Single Euro Payment Area (being promoted by the European Central Bank and European Payments Council) and the Payment Services Directive recently approved by the European Parliament will have massive effects in the short term for those providing Direct Debit or Credit Transfer services in euro, but also in the medium term (2009-10) for all payments in the EU, including card payments. I have been running workshop sessions for banks and card schemes on these impacts and have produced a set of FAQs for a switch software company: see www.postilion.com/SEPA/Postilion/faq.pdf
Multi-application cards
Although virtually all the payment cards issued in Europe carry only one EMV application, in Asia there is much more enthusiasm for multi-application cards, and even for allowing non-bank applications on the card. Other sectors seem better able to make use of multi-application cards: the telecoms industry in particular makes heavy use of program file downloads to Java-based SIM cards.
My book “Multi-application Card Technology and Applications” (Cambridge University Press, June 2007) describes some of the issues and strategies required. I believe strongly that every card issuing organisation should have a road-map or strategy in relation to multi-application cards. Even though their issuing plans may be some years away, there are steps that can be taken now to make the transition easier, and card applications that can be implemented with very little difficulty.
Phishing
Banks and bank customers suffer a rapidly rising flood of "phishing" emails, often very authentic in wording and appearance, hence difficult to distinguish from real communications from the bank. There are two main components to the solution: education and technology. I have worked with the Institute for Prospective Technological Studies (part of the EU's Joint Research Centre) to define ways of educating consumers to make them more "streetwise" in cyberspace, while on the technology side both cryptographic authentication and smart cards form part of my core technology set. It is worth noting that many banks have been working only on customer-to-bank authentication and have underestimated the need for bank-to-customer authentication in order to maintain both cryptographic integrity and customer confidence in the channel.
EMV issues
Banks in nearly every country have started planning their migration to EMV chip cards, and in some cases they are well advanced. However, they all face some issues, and I have run workshops and written papers on topics including:
These papers are password-protected: please contact me for the passwords that will enable you to read these files.