homesite mapcontact search
Newsroom   
Careers   
Solutions     
Products & Services    
Support    
Whitepapers     
Case Studies    
Alliances     
Sales     
Offices     

Articles
The enviable advantage of following in the EMV footsteps of Europe

By Paul Meadowcroft, head of transaction security at Thales e-Security


Although the European EMV migration is entering its final phase of mass smart card rollout, other regions of the world are only at the earliest stages of EMV adoption. Closest, both in terms of geography and deadline, is the Middle East which is scheduled to complete its own EMV migration by January 1, 2006. However, this actually puts the Middle East in an enviable position of strength where banks can learn lessons from the European EMV migration. Crucially, the Middle Eastern banks are also able to take advantage of the latest technologies and standards that were not available when their European counterparts set off down this road.

Managing the rollout through a single association

When examining successful strategies to adopt from the European experience, one of the most beneficial is the management of the rollout through an industry association. These were either specifically set up for the task or already existed such as APACS in the UK and GEI CB in France, both of which have taken overall responsibility for managing their nationwide implementations. By following suit, Middle Eastern nations will ensure that various idiosyncrasies can be addressed, ensuring that the EMV migration is shaped to meet national needs.

For retailers, especially those with multiple location environments such as supermarkets, the rationale behind EMV may not initially be apparent. Ensuring that this sector is involved in discussions at an early stage is one of the biggest lessons the Middle East can learn.

Multiple location retailers spend vast sums of money refitting their stores on a rolling basis with new point of sale terminals. Typically these have a lifespan of less than ten years and until very recently retailers will not have considered updating their terminals to be EMV smart card compliant. It is for this reason that in weighing up the chicken or the egg situation in whether to introduce smart cards first or to ensure EMV terminals are rolled out beforehand, it is the latter that has taken priority. With EMV smart cards costing between $1 and $3 each – compared to the 13 cents cost of a magnetic stripe card – there is an obvious business rationale from a bank’s point of view for taking this course of action.

Although across Europe there has been a $168 million incentive scheme for retailers to migrate over to smart card terminals, it is the use of a pilot phase that is possibly more beneficial. In the UK, a major pilot implementation took place in Northampton. This involved major card issuers such as Barclaycard, MasterCard, American Express, HSBC, Egg, Switch and Visa as well as around 1,000 retailers. The results of this trial have been crucial for the £1.1 billion chip and PIN EMV rollout that is underway in the UK.

Implementing a pilot phase has a number of benefits. First and foremost it reassures the banks and retailers that the costly migration will work and it allows any problems to be ironed out. However it also kick-starts the cultural change that is needed among the public if people are not familiar with using chip and PIN – while EMV migration does not have to involve the use of chip and PIN, it is undoubtedly an ideal opportunity to introduce it.

The business benefits of EMV

The main argument for introducing PIN transactions is that it is a proven system for combating fraud. When combined with a smart card, the possibility of fraudulent transactions taking place in an ordinary retail environment are very small. However, as banks in Europe have begun to realise, there are other significant business case arguments for migrating to EMV.

For example, France introduced PIN transactions over ten years ago and has already reduced the levels of fraud considerably – the level of counterfeit fraud has fallen by 90%. Therefore the savings from the EMV migration are not as significant as in non-PIN countries such as the UK. For this reason, French banks are introducing electronic purse and loyalty schemes with their smart card deployment. Furthermore, it is not just banks that are seeing non-fraud related business case advantages from introducing EMV. In the UK, supermarket chain Tesco, has realised that EMV terminals will mean that its stores will print out 13,000 less miles of till receipts each year. Astonishingly this will save Tesco an estimated £500,000 per annum which was not considered when they were compiling the original business case.

Banks are also considering multiple applications as they are a proven way of adding value to the customer and increasing customer retention. The fact that common standards for multi applications - such as GlobalPlatform and Multos - are only beginning to emerge means that being behind Europe in its migration will work to the advantage of the Middle East. It will also allow Middle Eastern banks to research proven examples of the multiple applications in action. By the end of this year GlobalPlatform predicts that the amount of multi application cards in the marketplace will have doubled to 40 million.

The advantages of a phased rollout

The experience in Europe has also shown that EMV migration does not have to be a single-phase event. Indeed, many banks have realised that in the short term the amount of change that is necessary to migrate to EMV can be quite limited and focussed. Assuming the host system is not too old, it is possible to just bolt on new software that will handle EMV transactions, the older the system, the less likely it is that it will be able to handle an EMV migration. The software can then translate these into details that resemble a magnetic stripe transaction that can then be authenticated in the normal way by the host system.

As the EMV migration is an ideal opportunity to review the state of the host systems, it may be that a migrating bank does decide to opt for the long-term fix. This would require the replacement of the entire host system. However, at the same time the bank would be able to introduce the new infrastructure that is required for multiple application smart card systems. Interestingly these too can be introduced in both a short and long-term manner. Smart cards are issued without any multiple applications pre-loaded but with the functionality there to enable the bank to add these at a later date. For example, in an initial rollout a bank may only wish to give a loyalty scheme to its most lucrative customers. Later on, a bank decides to roll this out further, customers can be given the option of having a loyalty scheme added to their cards. Also the EMV risk management parameters on the cards that govern the level at which a transaction needs to authenticated on-line, can also be altered whilst a customer is carrying out a point of sale or ATM transaction.

Adopt regional and national standards from the outset

The 2006 Middle East deadline will mean that banks in the region can take advantage of the emerging EMV card personalisation specifications. At the moment there are many competing proprietary cards that banks can choose to purchase. Each of these has to be personalised in a different way.

Recently GlobalPlatform proposed a common standard for personalising the cards that has now been ratified by EMVco, the body responsible for the EMV specifications. Not only will this make it far easier for banks to switch between different competing EMV compliant cards, but also it should stimulate commoditisation within the marketplace, boosting competition. Such a scheme must be issuer-led and while this was not an option for European banks when they set out on the EMV migration path, it is one that the Middle East can seize upon now.

Going hand in hand with this is the opportunity for Middle East banks to choose which model of data preparation and personalisation they would like to adopt. These are the same three options that existed under the traditional magnetic stripe system – prepare and personalise the cards in house, outsource the whole process to a card bureau or keep the data preparation in house and outsource the personalisation. However, unlike the magnetic stripe card process, with EMV the preparation process involves embedding the Unique Derived Keys (UDKs) onto the card. If a bureau is used, they will have to be given the master encryption keys to be able to do this.

While there is no suggestion that the bureaux are in any way insecure, correct security best practice requires as few people as possible to have access to the master keys. This therefore means that the advice given by most EMV consultants is that at the very least the data preparation process and key management should be kept in-house. The prepared file can then be sent to the bureau which then completes the personalisation process. This has the added advantage of allowing the bank to change between competing bureaux in a competitive environment without compromising security.

It should be noted that many European banks have chosen to use a bureau during the pilot phase of their EMV rollout. Most of these issuers intend to bring the data preparation back in-house once the trials are complete.

The Middle East will also be able to benefit from one further advantage that was not available to Europe. By the time the Middle East begins to fully embark on the road to EMV, the region’s banks will be able to choose from a range of proven suppliers who have already assisted many European banks migrate to EMV. This is no small advantage as a complete EMV migration can involve changing 12 or more separate parts of the infrastructure such as the host system, the card issuance system and of course the cards themselves.

At the moment no single vendor is able to offer a complete EMV migration package. However, there are several examples of vendors repeatedly working together for individual banks. The creation of these ad hoc partnerships means that Middle Eastern banks will be able to select a range of proven suppliers who have experience of working together to provide the complete package. In a task as complex and costly as EMV migration, this will prove to be a massive benefit.

Look to what the future offers now

Along the road towards EMV migration, there are several other advances that are in the pipeline that Middle Eastern banks should consider now. The first is smart card based e-Commerce and internet banking transactions. This replaces the less secure Password based systems used today and uses a stand-alone smart card reader and PIN pad, meaning that the user is able to avoid the security dangers posed by Trojan horses and computer hacks. This is possible because the smart card itself generates a random single-use passcode which is displayed by the reader and then typed in during the authentication process. The bank's authentication system then calculates what this code will be and validates it. Even if someone intercepted this transaction, the code cannot be used for further transactions as the smart card would generate a fresh code for the next transaction. Furthermore the expense of this system is probably less than $15 a reader as the cryptographic key processing is carried out by the card and the reader itself is "dumb".

By learning from the knowledge already gained in Europe and benefiting from the use of experienced vendors, Middle Eastern banks will find themselves in an extremely strong position. This will lead to not only a successful but also an immensely cost effective EMV migration saving the banks considerable sums of money. Importantly, their customers will also benefit from a far more secure and diverse service.

For more information on how to complete a successful EMV migration, please download the free independent EMV migration guide from Thales e-Security at http://www.thales-esecurity.com/productsservices/P3.shtml.

 




Articles
           © Thales 2007         Legal Notice