IMPORTANCE OF PAPER JOURNAL IN ATM OPERATION IN NIGERIA
It is on record today that the modern-day ATM has two kinds of journal for capturing transaction details: the electronic journal and the traditional paper journal. The electronic journal is the latest addition, which makes ATM information easy to manage. You can read the information remotely even if it is an offsite ATM. The convenience this has created in ATM administration and dispute resolution is so enormous that most deployers have almost forgotten the importance of, and need for, keeping the traditional paper journal.
The details on the journal are key and comprehensive to the ATM administration and operation. It keeps track of access to the sensitive part of the machine, cash analysis, fault reporting etc. It is so sensitive that the CBN guideline recently released mandated all deployers of ATM to ensure that any ATM commissioned for operation must have the full complement of the journal (ejournal and traditional paper journal).
It is worthy of note to mention here too that experience has shown that the details on the ejournal can be manipulated and the figures re-presented for fraudulent intention which creates a serious challenge for dispute resolution and arbitration. This becomes more complicated when one considers the fact that the journal is always considered as the last arbiter in ATM dispute resolution and arbitration.
It is our opinion that Banks and all independent ATM Deployers should always and at all times ensure that the traditional paper journal is carefully retrieved from the ATM and stored away in a safe and conducive place, where it will be referenced always during dispute.
The Central Bank of Nigeria ATM Operation Standard and Guideline, released this year (2010), emphasized the need for and usefulness of the ATM paper journal in dispute resolution and arbitration. This is not to discount the fact that the ejournal is also important in ATM operation, but there should not be complete reliance on it, especially at arbitration level.
It is also important to say here that deployers should ensure that the quality of paper used is such that the print will last for a long time, considering that some transactions can be disputed after 2 or even 5 years; in fact, the customer wants his money at any time.
There should be dual control on the access to the journal from the retrieving of the journal from the ATM to the storing base to ensure that no part of it is lost. This is key to giving credibility to the role the journal is playing in dispute resolution.
Considering our business environment in Nigeria, where we have all manner of card fraudsters, it has become very clear now more than ever before that the banks and the independent deployers should make a conscious effort to ensure that their traditional paper journal is up to date and running at all times.
Thursday, June 24, 2010
Tuesday, June 15, 2010
RETRACT OPTION IN ATM IN NIGERIA AND ASSOCIATED RISK
It is common knowledge that there are different brands of ATMs in operation in the Nigerian market as at today. They include NCR, TRITON, Wincor etc. All the banks in the country, including the independent deployers, are servicing the Nigerian market from this range of ATMs from Europe, America and Asia.
The availability of these ATMs around us has made cash withdrawal easier and simpler for the customers of the banks who hitherto queue up in the banking halls of Banks with their tally numbers waiting for their turn to withdraw Cash. They also made withdrawal of cash possible at odd hours of the day when banking halls are closed to business. ATM also encouraged the Cardholders to carry less of cash thereby running away from all sort of attacks from criminals. It increases the speed of transaction and also saves time.
ATM also came with its own issues to the cardholders and the bank which included, ATM not releasing cash to the cardholders after debiting the account of the customer, releasing less than what the cardholder requested and debiting the customer for the full amount (partial dispense), outright denial of service even at pressing times, outright fraud using the ATM, incessant Cash jam, frustrated customers from the listed issues, retraction of cash etc.
Beyond all the issues listed, we want to talk about the RETRACTION of cash by the ATM after the customer has failed to pick up the cash within the set period. This is a functionality that was built into the ATM by the developers to help the cardholder in situations where he/she could not pick up the cash within the set period: the ATM sucks back the cash and logs it in the journal, which will be used by the bank or issuer to reverse the funds back to the customer’s account. This functionality operates in almost the same way in all the brands of ATMs in Nigeria as at today.
It is common knowledge that while the ATM is dispensing cash to the cardholder, it has the capability of counting and giving the cash analysis on the ATM journal for the purpose of dispute resolution and cash reconciliation. It is worthy of note, too, that when the ATM is retracting cash, it has no such capability of counting and logging the cash analysis of the amount sucked back; whether it bundle rejects or retracts, the story is the same. The only information given on the journal as at today is that the cash was retracted.
In the light of the above, it is very possible for a fraudulent cardholder to request N20,000 and, when the machine presents the N20,000, carefully pick N10,000 (or any other amount but not the full amount) and allow the machine to retract the balance after the set period. The same customer can log a complaint for the total reimbursement of the N20,000, which we know most Nigerian banks will pay, hinging their approval on the journal position, which will simply read ‘cash retracted’. Even when the bank does not want to pay, on the face of it the customer’s position appears very superior and he/she can win if he/she takes it up to any regulator for adjudication.
Even when the bank or deployer reconciles the ATM cash (say on a daily basis), the difference will be thrown out, but how can the bank or deployer pin it down to the customer in question, considering the traffic that hits the ATM in a day and the number of genuine reversals that would have taken place on the same ATM? Compounding the issue is the fact that both the retracted and rejected cash are dropped in the same cassette, even though there is a separation in the cassette.
We feel strongly that this is a major concern the ATM developers must look into considering the Nigeria business environment. We can now appreciate why some banks in Nigeria decided to disable the retract option of their ATMs to run away from the associated risk of this functionality.
OUR RECOMMENDATION:
The ATM developers should build the ATM in such a manner that it should have the capability of counting and logging in the cash analysis on the journal the way it does when it is dispensing cash.
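The reconciliation problem described above, worked through as an added example (not code from any ATM vendor or bank). The journal line format, the transaction numbers and the separately counted retract-compartment total are constructed assumptions; the first journal logs only that cash was retracted, the second logs the counted amount as recommended.

```python
import re

# Constructed journal format (an assumption; real layouts differ by ATM brand).
LINE = re.compile(r"TXN (\d+) (?:WITHDRAW (\d+)|RETRACT(?: (\d+))?)$")

UNCOUNTED = """
09:14:02 TXN 1041 WITHDRAW 20000
09:14:45 TXN 1041 RETRACT
11:30:10 TXN 1042 WITHDRAW 20000
11:30:52 TXN 1042 RETRACT
12:05:33 TXN 1043 WITHDRAW 5000
16:48:19 TXN 1044 WITHDRAW 10000
16:49:01 TXN 1044 RETRACT
"""
# Same day, but the ATM counts what it pulls back (the recommendation above).
COUNTED = (UNCOUNTED.replace("TXN 1041 RETRACT", "TXN 1041 RETRACT 20000")
                    .replace("TXN 1042 RETRACT", "TXN 1042 RETRACT 10000")
                    .replace("TXN 1044 RETRACT", "TXN 1044 RETRACT 10000"))
RETRACT_BIN_TOTAL = 40000   # constructed physical count of the retract compartment


def parse(journal):
    """Return (presented amounts, retract events) keyed by transaction id."""
    presented, retracts = {}, {}
    for line in journal.strip().splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue
        txn, amount, counted = m.groups()
        if amount is not None:
            presented[txn] = int(amount)
        elif txn in presented:
            # None means the journal says "retracted" without any count
            retracts[txn] = None if counted is None else int(counted)
    return presented, retracts


def reconcile(journal, retract_bin_total):
    """Compare what the journal lets the bank reverse with the cash actually retracted."""
    presented, retracts = parse(journal)
    if all(v is not None for v in retracts.values()):
        reversals = dict(retracts)            # refund exactly what came back
        partial = {t: presented[t] - v for t, v in retracts.items() if v < presented[t]}
        suspects = sorted(partial)            # difference is pinned to a transaction
    else:
        reversals = {t: presented[t] for t in retracts}   # journal supports full claims
        partial = {}
        mismatch = sum(reversals.values()) != retract_bin_total
        suspects = sorted(retracts) if mismatch else []   # any retract could be the one
    return {
        "reversals": reversals,
        "partial_pickups": partial,
        "suspects": suspects,
        "unattributed_shortfall": sum(reversals.values()) - retract_bin_total,
    }
```

With the uncounted journal the N10,000 difference shows up only as a total and every retracted transaction remains a candidate; with the counted journal the reversal for transaction 1042 is limited to what was retracted.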
Friday, June 11, 2010
ASSOCIATED RISK WITH E-BANKING IN NIGERIA AND SWITCHING OF TRANSACTION FOR BANKS
· LIQUIDITY RISK: This risk arises when the acquiring bank does not have enough funds to pay the beneficiaries even when their account has been credited with expected value. The issuing bank will only credit the acquiring bank after the settlement and that is the time when the fund will be available to acquiring bank. The settlement cycle in Nigeria puts the acquiring bank at risk whether it is T+1 or T+2 (transaction day + additional one day or two days as the case may be).
· DEFAULT RISK: This risk arises when the issuing bank is unable to meet her obligation (out of clearing) and the acquiring banks have given values to the beneficiaries.
· INTEREST RISK: The acquiring banks suffer interest risk as a result of the time lag between payment date and settlement date. This becomes more burdensome on the acquiring banks on holidays and the weekends.
· TRANSACTION/SWITCH RISK: Host-to-host switching allows transactions to impact the Core Banking Software (CBS) directly without passing through the bank's FEP. This circumvention of the FEP creates transaction risk. This is important considering the fact that there is no clear separation between naira accounts and foreign currency accounts on these platforms.
· LEGAL RISK: There is no legal framework in place to deal with issues arising from e-payment, especially in time of dispute or conflict between the stakeholders. The E-banking guideline of CBN does not in any way address any of the risk issues associated with e-banking in Nigeria to the extent that it can be tenable in court.
· IN HOUSE ABUSE: There is also the possibility of internal staff of the body corporate and related agencies benefiting from these e-banking operations initiating unauthorized transactions, which will expose all the stakeholders considering the volume that will be involved.
SUGGESTED MITIGANTS:
· All participating banks to pledge a Treasury bill to provide cover for all Switched transaction under the e-payment scheme.
· The value date for transactions should be the same as the settlement date to ensure that the acquiring bank does not give value before settlement. Batch cut-off must be agreed by all stakeholders to ensure that the transaction date and settlement date are the same.
· The body corporate and related agencies benefiting from e-banking should be made to provide an indemnity/guarantee for transactions being initiated by authorized staff.
· The body corporate and related agencies should provide a notification to their Bankers before initiating transactions so that the banks Treasury Department will make provision for the settlement.
· All the banks should agree that settlement be through RTGS as against the NIBSS currently used. Where NIBSS is used, the processing of the transactions should be such that the acquiring banks get value before the customers.
· All interested Switching companies must have an FEP in place to avoid any form of HOST-to HOST switching. This will ensure that the banks filter the transactions properly before it hits the Core Banking Software (CBS).
· CBN putting up the legal frame work to drive e-Banking in Nigeria.
NEED FOR URGENT SECOND LEVEL AUTHENTICATION IN CARD BUSINESS TRANSACTION IN NIGERIA
In the recent time, there has been serious wave of card and ATM fraud that has swept across the nation in different dimension and shapes. The reasons are many and vary coupled with our business environment. The continued use of Magnetic Stripe in Nigeria has not helped matters because the security around it is far less than desired.
Other reasons for the widespread card fraud include, but are not limited to:
· Lack of awareness
· Ignorance on the side of some of the card users
· Security issues associated with magnetic stripe
· Poor professionalism in the issuance of the card product
· Lack of requisite skill by the switching company
It is important to state here that Magnetic Stripe has encouraged some common e-business frauds like card cloning/skimming, phishing, shoulder surfing etc which is almost eroding the confidence of the card holders and the entire banking public.
The ATMIA Security Conference in London exposed some of the flaws associated with our current magnetic stripe in Nigeria and set the road map for the more secured and globally accepted CHIP+PIN EMV compliant cards.
WAY FORWARD
The implementation of the CHIP+PIN card is the way forward, as the control flaws in magnetic stripe, coupled with the risk associated with our business environment, are quite enormous and no stop-gap measure now can offer any relief.
The implementation of the CHIP+PIN card must be very robust and futuristic, as any control lapse will leave us in the hands of an intelligent and more powerful cartel coming as fraudsters.
Having reviewed all the options open to us and considering the future of e-banking in Nigeria, we recommend that the bank should adopt:
· Biometrics as second level authentication for ATM and POS.
· TOKEN as second level authentication for WEB transactions.
Our recommendation is premised on the following:
COMPETITIVE EDGE: Second level authentication will give our card the needed security to survive in Nigeria market. It will become a marketing tip for banks as our card will be more secured than that of our competitors in other African countries. The informed banking public will find good reason to drop other banks cards for ours and the patronage of our secured ATM will hit its peak.
ENHANCED SECURITY: Globally, biometrics offers the best form of security for card authentication and it is a known fact that common card frauds like cloning/skimming, phishing or shoulder surfing etc will be completely eliminated. Finger print or vein has become adaptable for recently manufactured ATMs like the ones in our country and offers a more robust security that will be almost impossible to crack. Presently, Japan has achieved 80% compliance from the ATMs of banks on BIOMETRICS as second level authentication for their cards.
INCREASED BUSINESS: If we successfully implement this second level authentication, we will be the first in Africa and Nigeria cardholders will benefit immensely from it. Our idea is that with the successful implementation of the strong second level authentication, the daily limit of the cardholders using secured ATMs all over the country will be enhanced. This will increase the traffic on our ATMs and in effect increase our retail income and importantly restore the confidence of our card holders. It is also important to add that the Nigerian banks with increasing number of ATMs and a secured Platform, will take the leadership position and begin to determine the market.
REDUCTION OF OUR CARD BUSINESS RISK: Our card business risk will be reduced to the minimum, as there is no way any customer will repudiate any transaction consummated on our secured platform, and in effect our associated business risk in card transactions would have been eliminated. This will in effect improve our position with international ratings agents, and more genuine customers locally and internationally will take us very seriously.
FRAUD REDUCTION: Biometrics will be set on our card (the chip has memory for the biometrics) and this will authenticate the transaction immediately, accepting or declining it as the case may be. This will drastically reduce, if not eliminate, card related fraud while restoring the needed confidence to our card holders.
EMV/Chip Cards – What is it?
Payment systems standard for integrated chip cards and devices; developed by Europay, MasterCard and Visa to ensure interoperability.
Defines minimum functionality for debit and credit payment applications to ensure correct operation and interoperability: some mandatory requirements and a wide range of optional features and characteristics. Basis for chip migration by payment schemes in markets around the world.
Supported Mechanisms
· Static data authentication (SDA)
· Dynamic data authentication (DDA)
· Combined DDA and application cryptogram generation (CDA)
Basics of SDA
· Performed by terminal
· Confirms legitimacy of critical ICC-resident static data
· Detects unauthorized alteration of data after personalization
Settings and process of SDA
· Public key of CA is stored in each terminal
· Public key of issuer bank is certified by CA and stored on ICC
· Static application data are signed by issuer bank and stored on ICC
Security of SDA
· Based on secrecy of private RSA keys
· Counterfeiting/duplication not solved
DDA: Dynamic Data Authentication
Basics of DDA
· Performed by terminal & card (ICC with coprocessor required)
· Confirms legitimacy of critical ICC-resident/generated data and data received from terminal.
· Detects counterfeited/duplicated cards
Settings and process of DDA
· Similar as for SDA
· New unique ICC RSA key pair is stored on each card
· ICC private key is securely stored (cannot leave the card)
· ICC public key is signed & stored together with static application data
· Terminal sends random challenge to be signed by ICC private key
Security of DDA
· Based on secrecy of private RSA keys
· The chip card must be able to protect ICC private key
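A toy model of the SDA and DDA checks listed above, added here as an example and not taken from the EMV specifications or any payment library. It uses textbook RSA with tiny moduli and made-up record names instead of the real EMV certificate formats, and a constructed card number; it shows why a copy of the readable card records still passes SDA but fails DDA.

```python
import hashlib
import math
import secrets

E = 3  # public exponent; 3 is one of the exponent values the page lists


def _primes(start):
    """Yield primes p >= start with p % 3 == 2, so E = 3 is invertible mod p - 1."""
    n = start
    while True:
        if n % 3 == 2 and all(n % d for d in range(2, math.isqrt(n) + 1)):
            yield n
        n += 1


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class KeyPair:
    """Textbook RSA with a toy-sized modulus: for illustration, not for real use."""

    def __init__(self, p, q):
        self.n = p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, kept by the owner

    def sign(self, msg):
        return pow(_digest(msg, self.n), self._d, self.n)


def verify(n, msg, sig):
    return pow(sig, E, n) == _digest(msg, n)


_p = _primes(1_000_000)
CA, ISSUER, ICC = (KeyPair(next(_p), next(_p)) for _ in range(3))


def personalise(static):
    """Records written at personalisation; every one of them is readable from the card."""
    return {
        "issuer_n": ISSUER.n,
        "issuer_cert": CA.sign(str(ISSUER.n).encode()),         # CA certifies issuer key
        "static": static,
        "ssad": ISSUER.sign(static),                            # SDA: signed static data
        "icc_n": ICC.n,
        "icc_cert": ISSUER.sign(str(ICC.n).encode() + static),  # DDA: ICC key + static data
    }


class Card:
    def __init__(self, records, icc_key=None):
        self.records = records
        self._icc_key = icc_key  # present only on the genuine chip, never exported

    def internal_authenticate(self, challenge):
        if self._icc_key is None:  # a copy holds the records but not the private key
            return secrets.randbelow(self.records["icc_n"])
        return self._icc_key.sign(challenge)


def terminal_sda(card, ca_n):
    r = card.records
    return (verify(ca_n, str(r["issuer_n"]).encode(), r["issuer_cert"])
            and verify(r["issuer_n"], r["static"], r["ssad"]))


def terminal_dda(card, ca_n):
    r = card.records
    chain_ok = (verify(ca_n, str(r["issuer_n"]).encode(), r["issuer_cert"])
                and verify(r["issuer_n"], str(r["icc_n"]).encode() + r["static"],
                           r["icc_cert"]))
    challenge = secrets.token_bytes(8)  # fresh random challenge for every transaction
    return chain_ok and verify(r["icc_n"], challenge, card.internal_authenticate(challenge))


def scenarios():
    """Return {card: (SDA result, DDA result)} for three constructed cards."""
    records = personalise(b"PAN=0000000000000000;EXP=1512")  # constructed sample data
    cards = {
        "genuine": Card(records, ICC),
        "altered": Card({**records, "static": b"PAN=0000000000000000;EXP=2512"}, ICC),
        "duplicate": Card(dict(records)),  # records copied, ICC private key absent
    }
    return {name: (terminal_sda(c, CA.n), terminal_dda(c, CA.n))
            for name, c in cards.items()}
```

The altered card fails both checks, while the duplicate passes SDA and fails only the DDA challenge, which is the "counterfeiting/duplication not solved" point in the SDA list.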
CDA: Combined DDA and Application Cryptogram (AC) Generation
Basics of CDA
· Performed by terminal & card in parallel with card action analysis.
Settings and process of CDA
· Similar as for DDA
· Random challenge is a part of request for AC
· Signed AC contains this random challenge
Security of CDA
· Extra security for AC
· Advantage if secure communication between terminal and ICC cannot be guaranteed.
Automatic Risk Management
· Protects against offline undetectable threats
· Decides if transaction should be approved offline, declined offline, or transmitted online
· Terminal risk management
· Floor limit checking
· Random transaction selection
· Velocity checking
Terminal & card action analysis
· T: reject transaction offline
· C: reject offline
· T: transaction should go online
· C: go online or reject offline
· T: transaction might be completed offline
· C: go online or reject offline or approve offline
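A simplified sketch of the decision flow listed above, added as an example and not taken from the EMV specifications. The configuration keys, flag names and limits are constructed assumptions; it shows the three terminal risk checks feeding the terminal's request (T) and the card (C) being able to keep or tighten that request but never relax it.

```python
import random
from enum import IntEnum


class Action(IntEnum):  # ordered from most to least restrictive
    REJECT_OFFLINE = 0
    GO_ONLINE = 1
    APPROVE_OFFLINE = 2


# Constructed terminal configuration (all names and values are assumptions).
CONFIG = {
    "floor_limit": 20000,          # amounts at or above this raise a flag
    "target_percent": 20,          # share of below-floor transactions selected at random
    "lower_offline_limit": 3,      # consecutive offline transactions before a flag
    "upper_offline_limit": 6,
    "reject_on": {"upper_velocity_exceeded"},
    "online_on": {"floor_limit_exceeded", "randomly_selected", "lower_velocity_exceeded"},
}


def terminal_risk_management(amount, atc, last_online_atc, cfg, draw=None):
    """Run floor limit, random selection and velocity checks; return the raised flags."""
    if draw is None:
        draw = random.randint(1, 99)
    flags = set()
    if amount >= cfg["floor_limit"]:
        flags.add("floor_limit_exceeded")
    elif draw <= cfg["target_percent"]:
        flags.add("randomly_selected")
    consecutive_offline = atc - last_online_atc  # transactions since the last online one
    if consecutive_offline > cfg["lower_offline_limit"]:
        flags.add("lower_velocity_exceeded")
    if consecutive_offline > cfg["upper_offline_limit"]:
        flags.add("upper_velocity_exceeded")
    return flags


def terminal_action_analysis(flags, cfg):
    """T: turn the raised flags into the terminal's request."""
    if flags & cfg["reject_on"]:
        return Action.REJECT_OFFLINE
    if flags & cfg["online_on"]:
        return Action.GO_ONLINE
    return Action.APPROVE_OFFLINE


def card_action_analysis(terminal_request, card_preference):
    """C: the card may confirm the request or choose something more restrictive."""
    return min(terminal_request, card_preference)


def decide(amount, atc, last_online_atc, card_preference, draw=None, cfg=CONFIG):
    flags = terminal_risk_management(amount, atc, last_online_atc, cfg, draw)
    return card_action_analysis(terminal_action_analysis(flags, cfg), card_preference)
```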
EMV Offline Data Authentication
· The goal is offline detection of fake (altered/duplicated) cards
· Based on asymmetric cryptography (namely on RSA)
· RSA public key exponent must always be 3 or 2^16 − 1
· Existence of a certification authority (CA) is required
· Integrity of transmitted public keys must be secured
· Each EMV terminal must contain the current CA public key
Basic Terminology
· Merchant, payee
· Cardholder, customer, payer, or simply user
· Card issuer, cardholder’s bank, or simply bank
· Fraud, a deception made for a personal gain
· All parties should be protected against the fraud
· Unauthorized and illegal use of a credit card to purchase property
· ICC, an acronym for integrated circuit(s) card