Security Issues and Risk mitigation measures related to Card Present (CP) transactions – Indian

In continuation of report of WORKING GROUP ON SECURING CARD PRESENT TRANSACTIONS, submitted to RBI on 31/05/2011, RBI, DPSS has started to roll out security measures for ‘Card Present Transactions’.

RBI, DPSS has issued a notification on 22/09/2011, and laid down 3 tasks , for adoption by the various players, in the Cards Industry.

The Press Release can be accessed @ RBI 22 Sept

Broadly the points are :

1. Introduce additional security features for CP (Card Present) transactions. It has been observed, that the reported frauds for CP (Card Present) transactions too are on the rise. This is especially for Credit Cards, which are not yet protected by PIN (Personal Identification Number)
2. One of the options, before RBI  was to adopt e  Aadhaar-based biometric authentication as a second factor of authentication for card present transactions. This option would be reviewed towards the end of December, 2012, to assess the need for a complete switch over to EMV Chip and PIN Technology for card based transactions.
3. (Unique Key per terminal- UKPT or Derived Unique Key per transaction- DUKPT/ Terminal line encryption- TLE) to be live by September 30, 2013. UKPT is a data encryption tool, adapted world-wide in the Cards industry.

                                                              i.      UKPT is a method of generating new keys for use in the DES algorithm from an initial key called a generating or derivation key. This method uses a unique key for every encryption operation and is identified for the decryptor by a serial number combined with an encryption cycle counter, enabling the decryptor to calculate the current key.

4. Enablement of all POS terminals to accept debit card transactions with PIN by June 30, 2013
5. Issuers to be  ready from technical perspective to issue EMV Cards by June 30,2013
6. For international transactions, EMV Chip Card and PIN to be issued to customers who have evidenced at least one purchase using their debit/credit card in a foreign location.

EMV stands for Europay, MasterCard and VISA card standard. It is a global standard based on joint effort by Europay, Mastercard and Visa. Hence, the name EMV.

Europay has been absorbed by Mastercard, in 2002.

EMV cards can be contact based or contactless based.

The main advantages of EMV Contact or EMV Contactless Cards are :

01)  EMV Cards are more secure, than normal cards that rely on data encoded in a magnetic stripe on the back of the card.

02)  The EMV card features a micro-processing chip that stores cardholder data securely, helping reduce the number of fraudulent transactions resulting from counterfeit, lost and stolen cards

03)  A transaction-unique digital seal or signature in the chip proves its authenticity in an offline environment and prevents criminals from using fraudulent payment cards. It is almost impossible to replicate an EMV based card.

04)  Can be used to secure online payment transactions and protect cardholders, merchants and issuers against fraud through a transaction-unique online cryptogram. This is an important security feature, as the numbers of online transactions are increasing day by day

05)  Stores considerably more information than magnetic stripe cards

  The latest trend in EMV cards are dual based i.e the same card can be utilized for ‘Contact’ as well as ‘Contactless’ transactions.