In continuation of report of WORKING GROUP ON SECURING
CARD PRESENT TRANSACTIONS, submitted to RBI on 31/05/2011, RBI, DPSS has
started to roll out security measures for ‘Card Present Transactions’.
RBI, DPSS has issued a notification on
22/09/2011, and laid down 3 tasks , for adoption by the various players, in the
Cards Industry.
The Press Release can be accessed @ RBI 22 Sept
Broadly the points are :
- Introduce additional security features for CP (Card Present) transactions. It has been observed, that the reported frauds for CP (Card Present) transactions too are on the rise. This is especially for Credit Cards, which are not yet protected by PIN (Personal Identification Number)
- One of the options, before RBI was to adopt e Aadhaar-based biometric authentication as a second factor of authentication for card present transactions. This option would be reviewed towards the end of December, 2012, to assess the need for a complete switch over to EMV Chip and PIN Technology for card based transactions.
- (Unique Key per terminal- UKPT or Derived Unique Key per transaction- DUKPT/ Terminal line encryption- TLE) to be live by September 30, 2013. UKPT is a data encryption tool, adapted world-wide in the Cards industry.
i.
UKPT is a method of generating new keys for use in the DES
algorithm from an initial key called a generating or derivation key. This
method uses a unique key for every encryption operation and is identified for
the decryptor by a serial number combined with an encryption cycle counter,
enabling the decryptor to calculate the current key.
- Enablement of all POS terminals
to accept debit card transactions with PIN by June 30, 2013
- Issuers to be ready from technical perspective to
issue EMV Cards by June 30,2013
- For international transactions, EMV
Chip Card and PIN to be issued to customers who have evidenced at least
one purchase using their debit/credit card in a foreign location.
EMV stands for Europay, MasterCard and VISA
card standard. It is a global standard based on joint effort by Europay,
Mastercard and Visa. Hence, the name EMV.
Europay has been absorbed by Mastercard, in
2002.
EMV cards can be contact based or contactless
based.
The main advantages of EMV Contact or EMV
Contactless Cards are :
01) EMV Cards are more
secure, than normal cards that rely on data encoded in a magnetic stripe on the
back of the card.
02) The EMV card features a
micro-processing chip that stores cardholder data securely, helping reduce the
number of fraudulent transactions resulting from counterfeit, lost and stolen
cards
03) A transaction-unique
digital seal or signature in the chip proves its authenticity in an offline
environment and prevents criminals from using fraudulent payment cards. It is
almost impossible to replicate an EMV based card.
04) Can be used to secure
online payment transactions and protect cardholders, merchants and issuers
against fraud through a transaction-unique online cryptogram. This is an
important security feature, as the numbers of online transactions are
increasing day by day
05) Stores considerably
more information than magnetic stripe cards
The latest trend in EMV
cards are dual based i.e the same card can be utilized for ‘Contact’ as well as
‘Contactless’ transactions.