Prepaid cards
There are now over 100 prepaid card schemes in the UK, although many of them are too small to be profitable, while others are restricted to use in a single retailer or small group of retailers.
In this paper I review the UK market for prepaid cards and conclude that it must be viewed as a collection of much smaller markets with very different requirements and characteristics. This document is password protected; please contact me for the password.
ISO 19092: Security framework for biometrics in financial services
With much talk of the need to protect customers' identities and improve the security of databases, the publication of a new version of ISO 19092 in January 2008 seemed timely. Experience of FIPS201, new multi-application card products and card management systems all offer new insights and solutions. Sadly the "standard" consists mostly of descriptions of existing techniques and issues; only one chapter really sets out a minimum standard and this appears to be based on a service model in which the bank does not manage its own card applications. The biometrics and banking industries do not appear to be able to align their objectives - what can we do to help?
Year review 2007
Each year I take a sideways look at the world of card payments, based purely on projects and companies I have been involved with in the last year. Here as usual are a few thoughts as we move into 2008.
SEPA
The combined effects of the Single Euro Payment Area (being promoted by the European Central Bank and European Payments Council) and the Payment Services Directive recently approved by the European Parliament will have massive effects in the short term for those providing Direct Debit or Credit Transfer services in euro, but also in the medium term (2009-10) for all payments in the EU, including card payments. I have been running workshop sessions for banks and card schemes on these impacts and have produced a set of FAQs for a switch software company: see www.postilion.com/SEPA/Postilion/faq.pdf
Smart Card Management Systems
As more sectors, from Government and corporates to banks and transport companies, make use of smart cards, they all face the need for systems to manage their cards and card applications. However, their needs are often surprisingly different, and this can cause problems for multi-application card issuers. I have recently completed an overview and survey of Smart Card Management System vendors and systems, focusing on the features each supports that are relevant to more than one sector. This document is password protected; please contact me for the password.
Contactless cards
Banks are falling over each other in the rush to issue contactless payment cards during 2007. But this is not new technology: wireless tags have been around for fifty years, while banks’ previous forays into electronic purses did not leave happy memories. So why will things be different this time? This paper explores some of the issues and solutions that are intended to mark out 2007 as the Year of the Contactless Card. This document is password protected; please contact me for the password.
PCI Security Standards
Many retailers, processors and suppliers have been perplexed and surprised by the introduction of new standards for security, and have struggled to meet the conditions. In an article originally published in 'e-Finance and Payments Law and Policy' I explain the issues, benefits and status of PCI in Europe.
Multi-application cards
Although virtually all the payment cards issued in Europe carry only one EMV application, in Asia there is much more enthusiasm for multi-application cards, and even for allowing non-bank applications on the card (see “East-West Contrasts”, published in European Card Review in July 2005).
Other sectors seem better able to make use of multi-application cards: the telecoms industry in particular makes heavy use of program file downloads to Java-based SIM cards. My book “Multi-application Card Technology and Applications” (Cambridge University Press, June 2007) describes some of the issues and strategies required. I believe strongly that every card issuing organisation should have a road-map or strategy in relation to multi-application cards. Even though their issuing plans may be some years away, there are steps that can be taken now to make the transition easier, and card applications that can be implemented with very little difficulty.
Phishing
Banks and bank customers suffer a rapidly rising flood of "phishing" emails, often very authentic in wording and appearance, hence difficult to distinguish from real communications from the bank. There are two main components to the solution: education and technology. I have worked with the Institute for Prospective Technological Studies (part of the EU's Joint Research Centre) to define ways of educating consumers to make them more "streetwise" in cyberspace, while on the technology side both cryptographic authentication and smart cards form part of my core technology set. It is worth noting that many banks have been working only on customer-to-bank authentication and have underestimated the need for bank-to-customer authentication in order to maintain both cryptographic integrity and customer confidence in the channel.
EMV issues
Banks in nearly every country have started planning their migration to EMV chip cards, and in some cases they are well advanced. However, they all face some issues, and I have run workshops and written papers on topics including:
These papers are password-protected: please contact me for the passwords that will enable you to read these files.
EMV certification and type approval
Every card, terminal and system used for EMV transactions must go through several layers of type approval, integration and interoperability testing. The whole process is complex and is felt by many of its users to be slow and cumbersome. I have been working with several banks and interested players to try to improve the balance between efficiency, testing effectiveness and ease of use in this process.
Chip and PIN
The UK was one of the first countries in the world to roll out EMV payment cards with offline PIN verification. From 2002 to 2005 I was the Technical and Operations Director of the Chip and PIN Programme, an independent organisation answerable to a Steering Committee consisting of equal numbers of banks and retailers. In that capacity I was responsible not only for producing UK-specific recommendations and guidelines for chip and PIN use, but also for resolving any technical and operational issues.
See www.chipandpin.co.uk for further details.
Adding Value to EMV
Although some banks (mostly in the USA) still dispute the business case for the move to EMV, careful modelling now shows a strong case for issuers in many countries immediately, and in the remaining countries once the first wave has migrated. Fraud savings are not the only source of benefits: there are direct operational savings and risk management gains also. For acquirers and merchants, however, the case is much less compelling, and depends on either a firm belief in the added-value opportunities or an incentive programme funded by issuers. This programme can take many forms, and I have modelled several of these in order to recommend programmes best adapted to different national markets.
There are many ways in which banks can enhance their fraud and risk management using EMV; I have advised several banks on this topic and many of my views are captured in a paper by ACI: "Dynamic Risk Management with EMV Data".
There are also many opportunities open to issuers, acquirers and processors to provide added value services using the EMV infrastructure.
See "Extracting Maximum Value" (November 2001)