Development of payment cards technologies

A payment card can be viewed from various points of view: as a product offered by the Issuer to the holder (for example, as a Bank product), as a technical product of the card manufacturer, or even as a work of applied art.

However, this consideration of cards from different points of view is very conditional, since all aspects of cards are closely interrelated. A card issued by a Bank could be considered as a remote access tool to the Bank account, allowing any transactions to be made on the account. This is true for most Bank cards, but many of them are issued within the framework of payment systems, which makes it necessary to follow certain rules both when issuing and using cards.

As we already wrote at the beginning of the book, according to one version, the prototype of modern payment cards were cardboard cards that appeared several decades ago in the United States, which were accepted to pay for gasoline at private gas stations. These cards were not yet either Bank or plastic, their purpose was to confirm the creditworthiness of the owner outside the Bank (presentation of the card by the customer allowed to get fuel on credit). The client’s identification data was printed on the cards. The comparative simplicity of such a card not only allowed the idea to be implemented relatively quickly, but also caused the appearance of the first fakes, which, if not undermined confidence in the new payment method, then prompted to take care of improving its security.
The development of technology in the direction of improving the security of the card as a payment instrument led to the replacement of cardboard with plastic (which made the card more durable) and the use of barcodes. The barcode was used to encode identification information that had previously been printed in the usual way. Card acceptance points were equipped with barcode scanners. When performing the operation, the barcode was read and decoded, which made it possible to identify the cardholder.

Of course, it was more difficult to fake a barcode than a plain text. Over time, the use of barcodes has greatly expanded, in particular, they have been used to identify goods, which has made graphic printers available for drawing them on the card and, as a result, has led to the appearance of fake cards with a barcode. Although barcodes do not provide sufficient security, they are still used as a means of identification. The barcode itself is sometimes covered with a black protective stripe to prevent it from being read, which allows it to be read only by special scanners. However, such scanners are too expensive to consider such technology as acceptable for wide distribution.
Another way to improve the security of payment cards has been the use of a magnetic stripe, on which it is possible to place in encoded form enough information to identify the cardholder. Cards with a magnetic stripe, which appeared in the 60s of the XX century, and to this day remain the main type of payment cards.
80-ies appeared chip cards that carry the embedded microchip (chip). It is obvious that a chip that can store (if necessary, in a protected form) much more information than a magnetic stripe, and execute certain commands, could become a tool that significantly increased the efficiency and security of using cards. It is also quite reasonable to say that the overall intelligence of the process of performing a card operation (transaction) has increased, and this is the reason for another name for chip cards – smart cards (“smart” or “smart” cards).

Even the above small digression into the history of payment card technology allows us to note that the driving force behind the development of technology is the desire to improve the security and efficiency of transactions.

International standards and requirements of payment systems

Technologies for working with magnetic and chip cards are based on international standards. Compliance with the standards has provided the most important property for a successful business of mutual card acceptance (in the specifications for payment system products – interoperability). This property, obvious at first glance, still requires explanation. The fact is that the cards themselves, the technology for performing operations with them, and their processing are clearly defined within each payment system (in the form of specifications and guidelines in generally recognized and experienced payment systems, and in the form of rules for accepting cards in relatively “young” payment systems). To accept cards in the network of a single payment system, following the standards might not be necessary, but since every point of card acceptance, whether it is a store or a Bank branch, is interested in working under the same or at least similar rules, the technologies of different payment systems should at least be compatible. Compatibility is achieved by following standards.

There are a number of international standards that define almost all the properties of cards, starting from the physical properties of plastic, the size of the card and ending with the content of information placed on the card in one way or another, among which we should mention ISO 7810 “Identification cards-physical characteristics”, ISO 7811 “Identification cards-recording methods”, ISO 7812 “Identification cards-numbering system and procedure for registering Issuer IDs” (5 parts), ISO 7813 – “Identification cards – cards for financial transactions”, ISO 4909 ” Bank cards – content of the 3rd track of the magnetic stripe”, ISO 7816 ” Identification cards. Cards with a chip with contacts” (6 parts). There is also a Russian standard GOST R 50809 “Numbering and metrological support of identification cards for financial settlements”.

Cards must have the following geometric parameters: width-85.595 + 0.125 mm, height-53.975 + 0.055 mm, thickness-0.76 + 0.08 mm, radius of the circle in the corners-3.18 mm.
On the front side of payment cards, the logo of the financial institution and the trademarks of the payment system are printed. In addition, the card usually has a hologram with a certain payment system symbol, and there may also be a special element visible only in ultraviolet rays. On the front side of the chip card is a chip, its location is strictly defined by the standard (ISO 7816-1).

On the back of the card there is a magnetic stripe (the place of which is also strictly defined by the standard), a signature panel, and the Bank’s printed text.

The solution for card miniaturization presented by Visa Europe is interesting from a marketing point of view. The new type of EMV mini – card – Visa Mini, despite its smallness, meets all EMV standards. The surface of the Visa Mini card is only 57% of the size of a normal Bank card. The card can be used to pay for goods and services through regular payment terminals of retail outlets, the card is not serviced by ATMs.

A similar type of card in MasterCard is called a SideCard.

Card personalization

in the process of preparing for release, the card undergoes personalization ( personification) – graphic, physical, and electrical. Graphic personalization is sometimes understood as printing the logo of the issuing financial institution on the card, but more often-printing personal information about the holder using special printers. In some payment systems, it is allowed to place a photo of the holder in a certain field (usually on the back of the card). To implement this personalization, a white rectangular field is left in the production of card blanks. Before issuing the card, the photo of the future holder is scanned and a special graphic printer is used to place the image with the photo in the field mentioned.

Physical personalization is used to card personal data: card number, name and surname, validity term (possibly in the form of two dates – the beginning and end of the action, perhaps in the form of a single date – the end of the action), and sometimes some additional information (e.g., name of company in which the holder).
4 digits are used to indicate dates: 2 – for the month, 2-for the year (for example, 01/03 means January 2003). the card starts On the first day of the month of the year and ends on the last day of the month of the year.
The payment card number consists of a sequence of digits, usually from 13 to 19, most often-in Bank card payment systems, the card number begins with 6 digits, indicating the BIN (Bank identification number). The card number ends with a check digit, which is calculated based on the previous digits using a simple algorithm (called the Luhn algorithm).
Physical personalization is performed by embossing (stamping). Embossed symbols are convex, and are colored with special paint (usually silver, black, or gold). Embossment plays an important role: it is necessary not only for visual identification of personal data about the holder by the person performing the operation from the receiving point (for example, by the cashier), but also for transferring personal data from the card to the primary document, called a slip (in the case of voice authorization of the card operation). The slip along with the card is placed in a special rolling machine called an imprinter. After rolling, the embossed symbols are transferred to the slip.

Some cards, usually called electronic cards, can only be accepted in electronic devices (ATMs, cash registers, payment terminals) in accordance with the rules. It is in this connection that such cards are embossed in a special way – the so – called indenting, in which the characters are not convex, but as when printing on a typewriter on a sheet of paper-almost flat. The imprinter is not able to transfer the text indented on the card to the slip, which makes it impossible to perform the operation without using electronic devices. Sometimes, instead of indenting, the same data is printed using a graphic printer.

During electrical personalization, a magnetic stripe is encoded or information is recorded in the chip. The magnetic stripe contains 3 tracks, but in practice, either one second track is used, or two – the first and second.
in accordance with ISO 7813, the following data is recorded on the first track: card number, first and last name of the holder, card expiration date, service code (the maximum length of the record is 89 characters); on the second track-card number, expiration date, service code (up to 40 characters in total)*(35). The service code is a three-digit code that defines the types of operations allowed for this card, for example: the first digit 1 is an international card, the second digit 2 – operations require authorization from the Issuer, and the third digit 0 – confirmation of the holder using a pin.

In addition to the values defined in the standard, some other codes can be written on the magnetic stripe, such as PVV (PIN Verification Value) or CVC (Card Verification Code). The second track contains the card number, card expiration date, and service code ( up to 40 characters in total), which are digits that define the types of operations allowed for this card.
The first two tracks contain the full set of identification data. In accordance with the ISO 4909 standard, the third track was supposed to contain data about card usage (such as the amount), available for authorization, and the number of available attempts to submit a pin. However, if the data from the first two tracks is read by modern devices for receiving cards, the third track, reserved by the authors of the standard for future use, has not been used due to the vulnerability of data on it from falsification.
Physical and electrical personalization is usually performed on special equipment-an embosser.

All stages of preparing cards for release are directly related to security. There are many security features on the card: microtext as an element of card design, holograms, symbols visible in UV rays, and special embossable symbols. The first step in preparing cards for release is to order them. If we are talking about cards of a payment system, the latter provides the Issuer with a list of certified manufacturers. These manufacturers are constantly monitored by representatives of payment systems.
Delivery and storage of cards, control at all stages of personalization are also important components of the complex of activities of issuers ‘ security services.

After the card is issued to the holder, it is linked to a certain Bank account (often called a card account). At any time, the card has a certain payment limit. Any transaction made with the card reduces the payment limit by the amount of the transaction. Depending on the card account mode, the payment limit increases when the card account is topped up or the debt is repaid, or when a new period begins, such as a month.

Magnetic stripe cards and technology

Before performing an operation with a payment card, authorization is performed – obtaining permission for the operation. When using traditional technology, the minimum required data for authorization of an operation is the card number, expiration date, and amount of the operation. Authorization on behalf of the card acceptance point is requested by the acquiring Bank. The response to the authorization request given by the Issuer is either a positive authorization code or a refusal message (possibly along with a command to withdraw the card). In case of a positive response to the authorization request, the actual operation with the card is performed. The result is a primary document: either a fully completed and signed slip, or a receipt for an electronic cash register or payment terminal (POS), or ATM.

The main type of authorization is online authorization, which requires the cashier to contact the authorization center:
In local payment systems, all transactions are of the on us type. In interregional international payment systems, usually only a small part of the transactions accepted by the acquirer are local. The transaction authorization system usually has a three-level hierarchical structure.
In a regional payment system, the operation is initiated at the receiving point, and the request is accepted by the regional processing center. If the operation is not local, the request is sent over the telecommunications network to the head processing center. If the card is issued by a Bank serviced by this center, it gives authorization. If the card is issued by a Bank serviced by another regional processing center, the request is sent there.
In the international payment system operation is also initiated on the lower level of hierarchy. The request is generated at the receiving point and passed to the acquirer. The acquirer sends the request to the system via its communication gateway (a special communication server). The acquirer’s gateway communicates with the gateway that serves the Issuer. The response to the authorization request is moved in reverse order.