Reaching EMV enlightenment

By Paul Meadowcroft, head of transaction security at Thales e-Security


The pace of the EMV smart card rollout in Europe is quickening. Very soon the first chip and PIN trial in the UK will be completed and other countries are also well advanced. While individual banks may or may not meet the 2005 European EMV deadline, the general consensus is that the majority of banks will have migrated in time. Indeed Visa has asserted that 75% of European banks are on schedule for the January 1st, 2005 deadline.

The inexorable smart card rollout is gathering speed at an astonishing rate. Recent figures from Visa show that by the end of this year they will have issued 120 million EMV cards. This compares with the 57 million Visa had issued by June 2003. So while some banks may be holding off temporarily from issuing smart cards before the EMV deadline, it seems that the smart card tide is definitely coming in.

Managing the rollout through a single association

One of the most beneficial steps that various European nations have taken has been to coordinate the rollout through established associations or those specifically set up to manage it. Organisations such as APACS in the UK and GIE CB in France have taken overall responsibility for managing their nationwide implementations. Such an approach allows various local idiosyncrasies to be addressed, so that the EMV migration is shaped to meet national needs. It also allows the banks to work together towards a common, standardised goal and not be left in the situation where a single bank has to justify the business case and persuade the retailers alone.

For retailers, especially those with multiple-location environments such as supermarkets, the rationale behind EMV may not be initially apparent. Multiple-location retailers spend vast sums of money refitting their stores on a rolling basis with new point of sale terminals. Typically these have a lifespan of up to ten years, and until very recently many retailers will not have considered updating their terminals to be EMV smart card compliant. It is for this reason that, in weighing up the chicken-or-egg question of whether to introduce smart cards first or to ensure EMV terminals are rolled out beforehand, it is the latter that has taken priority. With EMV smart cards costing between $1 and $3 each – compared to the 13 cents cost of a magnetic stripe card – there is an obvious business rationale from a bank’s point of view for taking this course of action.

The business benefits of EMV

The main argument for introducing PIN transactions is that it is a proven system for combating fraud. When combined with a smart card, the possibility of fraudulent transactions taking place in an ordinary retail environment is very small. However, as banks in Europe have begun to realise, there are other significant business case arguments for migrating to EMV.

For example, France introduced PIN transactions over ten years ago and has already reduced the levels of fraud considerably – for example the level of counterfeit fraud has fallen by 90%. Therefore the savings from the EMV migration are not as significant as in non-PIN countries such as the UK. For this reason, French banks are introducing electronic purse and loyalty schemes with their smart card deployment. Furthermore, it is not just banks that are seeing non-fraud related business case advantages from introducing EMV. In the UK, supermarket chain Tesco has realised that EMV terminals will mean that its stores will print out 13,000 fewer miles of till receipts each year. Astonishingly this will save Tesco an estimated £500,000 per annum, which was not considered when they were compiling the original business case.

Banks are also considering multiple applications as they are a proven way of adding value to the customer and increasing customer retention.

The advantages of a phased rollout

EMV migration does not have to be a single-phase event. Indeed, many banks have realised that in the short term the amount of change that is necessary to migrate to EMV can be quite limited and focussed. Assuming the host system is not too old, it is possible to just bolt on new software that will handle EMV transactions – the older the system, the less likely it is that it will be able to handle an EMV migration.

As the EMV migration is an ideal opportunity to review the state of the host systems, it may be that a migrating bank does decide to opt for the long-term fix. However, at the same time the bank would be able to introduce the new infrastructure that is required for multiple application smart card systems. Interestingly these too can be introduced in both a short and long-term manner, whereby smart cards are sent out without any multiple applications pre-loaded but with the functionality there to enable the bank to add these at a later date. For example, in an initial rollout a bank may only wish to give a loyalty scheme to its most lucrative customers. Later on, if the bank decides to roll this out further, customers can be given the option of having a loyalty scheme added to their cards. Also, the EMV risk management parameters on the cards that govern the level at which a transaction needs to be authenticated on-line could be altered whilst a customer is carrying out a point of sale or ATM transaction.

Adopt regional and national standards from the outset

Recently GlobalPlatform proposed a common standard for personalising the cards that has now been ratified by EMVCo, the body responsible for the EMV specifications. Not only will this make it far easier for banks to switch between different competing EMV compliant cards, but it should also stimulate commoditisation within the marketplace, boosting competition.

Going hand in hand with this is the opportunity for banks to choose which model of data preparation and personalisation they would like to adopt. These are the same three options that existed under the traditional magnetic stripe system – prepare and personalise the cards in house, outsource the whole process to a card bureau or keep the data preparation in house and outsource the personalisation. However, unlike the magnetic card process, with EMV the preparation process involves embedding the Unique Derived Keys (UDKs) onto the card. If a bureau is used, they will have to be given the master encryption keys to be able to do this.

While there is no suggestion that the bureaux are in any way insecure, correct security best practice requires that as few people as possible have access to the master keys. This therefore means that the advice given by most EMV consultants is that at the very least the data preparation process and key management should be kept in-house. The prepared file can then be sent to the bureau, which then completes the personalisation process. This has the added advantage of allowing the bank to change between competing bureaux in a competitive environment.

It should be noted that many European banks have chosen to use a bureau during the pilot phase of their EMV rollout. Most of these issuers intend to bring the data preparation back in-house once the trials are complete.

At the moment no single vendor is able to offer a complete EMV migration package. However, there are examples of vendors working together to provide solutions to banks.

Look to what the future offers now

Along the road towards EMV migration, there are several other advances that are in the pipeline. The first is smart card based e-Commerce and internet banking transactions. This enhances the SSL security used today by adding strong authentication using a stand-alone smart card reader and PIN pad, meaning that the user is able to avoid the security dangers posed by Trojan horses and computer hacks. This is possible because the smart card itself generates a random single-use passcode, which is displayed by the reader and then typed in during the user authentication process. The bank's payment validation system can then authenticate this value when the transaction is received from the merchant acquiring system. Even if someone intercepted this transaction, the code cannot be used for further transactions as the smart card would generate a fresh code for the next transaction. Furthermore the expense of this system is probably less than $10 a reader as the cryptographic key processing is carried out by the card and the reader itself is "dumb".
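The two mechanisms described above, in-house derivation of per-card keys and bank-side validation of a single-use passcode, can be sketched together. This is an added example, not code from the original article or from Thales. It assumes HMAC-SHA256 as a stand-in for EMV's 3DES-based key derivation and models the passcode as a MAC over a transaction counter; all function names, keys and card numbers are hypothetical or constructed.

```python
import hashlib
import hmac

# Constructed sample values; not real keys or card numbers.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARDS = [("4000000000000002", "00"), ("4000000000000010", "01")]  # (PAN, sequence no.)

def derive_udk(master_key: bytes, pan: str, psn: str) -> bytes:
    """Diversify the issuer master key into a per-card key (UDK).
    Assumption: HMAC-SHA256 stands in for EMV's 3DES-based derivation."""
    return hmac.new(master_key, f"{pan}|{psn}".encode(), hashlib.sha256).digest()

def prepare_bureau_file(master_key: bytes, cards) -> list:
    """In-house data preparation: the file sent to the bureau carries only
    per-card UDKs, never the master key they were derived from."""
    return [{"pan": p, "psn": s, "udk": derive_udk(master_key, p, s).hex()}
            for p, s in cards]

def card_passcode(udk: bytes, counter: int, digits: int = 8) -> str:
    """What the card computes and the reader displays for one transaction.
    Assumption: the single-use code is a MAC over a transaction counter."""
    mac = hmac.new(udk, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class IssuerHost:
    """Bank-side validation: re-derives the UDK and rejects reused codes."""
    def __init__(self, master_key: bytes, window: int = 5):
        self._master_key = master_key
        self._window = window        # how far ahead of the last counter to look
        self._last_counter = {}      # (pan, psn) -> highest counter accepted

    def verify(self, pan: str, psn: str, code: str) -> bool:
        udk = derive_udk(self._master_key, pan, psn)
        start = self._last_counter.get((pan, psn), 0) + 1
        for counter in range(start, start + self._window):
            if hmac.compare_digest(card_passcode(udk, counter), code):
                self._last_counter[(pan, psn)] = counter  # burn this and older codes
                return True
        return False

if __name__ == "__main__":
    host = IssuerHost(MASTER_KEY)
    pan, psn = CARDS[0]
    code = card_passcode(derive_udk(MASTER_KEY, pan, psn), 1)
    print("first use:", host.verify(pan, psn, code))
    print("replay:   ", host.verify(pan, psn, code))
```

Only the issuer host holds `MASTER_KEY`; a bureau working from the prepared file sees one key per card, so exposure of that file does not let anyone derive keys for cards outside it.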

One other advance is contactless cards, which are already being used on several transport systems. MasterCard have also pioneered a trial system called PayPass in Orlando, Florida. This allows low value transactions to be made using radio frequency authentication by the smart card. While this has not been combined with a chip and PIN solution, the potential exists, providing maximum usability with minimal risk to the customer.

Therefore, from the experiences and results of the latest EMV rollouts, the future of EMV cards looks promising, with banks and cardholders alike immediately benefiting from a reduction in fraud. Furthermore, with the deployment of multi-application smart cards where loyalty and electronic purse can be added to the same card, customers will embrace this new medium as a generic method of payment and authentication for everyday life, enhancing the return on the initial investment made by the banks.

© Thales 2007