EMV Card Security Policy

A bank card is a payment card: a non-cash payment instrument that lets individuals, including authorised representatives of legal entities, carry out transactions against funds held at the issuing bank. An attacker who obtains the card itself, its data or its details, or who forges it, is able to perform fraudulent transactions against the bank account to which the card gives access. For a fraudulent transaction (in the bank's sense, not that of criminal law) we adopt the following definition.
A fraudulent transaction is an operation using a bank card or its details that was neither initiated nor confirmed by the cardholder. Types of fraud are classified as follows:
* lost and stolen cards;
* cards not received by the holder (never received issue, NRI);
* counterfeit cards;
* card-not-present (CNP) transactions;
* unauthorised use of the cardholder's personal data and account information (card ID theft: application fraud, account takeover);
* other types of fraud (miscellaneous).
The main ways in which a bank card (magnetic-stripe data, card details, PIN) is compromised are:
* skimming: unauthorised reading and recording of the data on the card's magnetic stripe;
* phishing: obtaining card details and/or the PIN from the cardholder by deception (e-mails, links to fraudulent websites, etc.);
* installing special devices on or near terminal equipment to capture the PIN entered by the cardholder;
* an attacker observing the card details and/or PIN as they are used ("shoulder surfing");
* storage and processing of transaction data in violation of the rules of the international payment systems (hereinafter IPS) and of PCI DSS (Payment Card Industry Data Security Standard);
* disclosure of information by bank employees.

Visa reports banks' losses from fraud in its system at $2.2 billion for 2005 and $196 million for the second quarter of 2006. In the second quarter of 2006 acquiring-side losses amounted to $539,065 and issuing-side losses to $329,867.
Frost & Sullivan estimates that losses from bank card fraud could reach $15.5 billion by 2009. Visa further estimates that every $100 of direct fraud losses entails another $200 of indirect losses (document requests, claims handling, staff costs, software, etc.).

The steady growth in the number of bank card transactions is accompanied by growth in the volume of fraudulent transactions and in the resulting financial losses. This calls for an integrated approach to securing the bank card payment system against fraud.

Countering fraud takes more than a good technological solution: the work of the payment systems, banks and law enforcement agencies must be organised and coordinated, and cardholders must be made aware of the various types of fraud. The bank, for its part, should be guided by the following basic principles:
* an information security policy and a clearly formulated risk-management strategy for the payment system;
* a team of qualified specialists to investigate and suppress fraud;
* use of modern technological solutions.
The Visa and MasterCard payment systems have adopted transaction-monitoring standards for controlling fraud-related risk:
* Visa Regional Operating Regulations (May 2007);
* MasterCard Security Rules and Procedures (January 2006).

These standards provide for control over authorisation and clearing transactions. They do not, however, require the checks to be carried out in real time: in practice, reports in a prescribed format are prepared at the end of the day or at other set intervals, the necessary decisions are taken, and the other payment-system participants are notified of detected fraud. The payment systems have also set up special programs to support security.
* FRS (Fraud Reporting System). Lets participants of the Visa payment system track information about fraudulent transactions, identify sources of fraud and reduce the risks of member banks (both issuers and acquirers).
* RIS (Risk Identification Service). A risk-identification service that warns the acquiring bank about suspicious or fraudulent activity at a merchant it serves.
* NMAS (National Merchant Alert Service). A national merchant-alert service that gives acquirers access to information about merchants that other Visa participants have caught engaging in fraud and terminated.
* SAFE (System to Avoid Fraud Effectively). The MasterCard counterpart of FRS: lets participants track information about fraudulent transactions, identify sources of fraud and reduce the risks of member banks (both issuers and acquirers).
* RAMP (Risk Assessment Management Program). Checks participants for compliance with the payment system's requirements and recommendations on secure transaction processing and risk control; it includes mandatory and additional audits of participants by the payment system's staff.
* MATCH (Member Alert to Control High-risk Merchants). A notification system for payment-system members for managing merchant risk: acquiring banks use it to query a database of merchants (and their owners) that have been terminated for fraud or compromise.

To develop stronger requirements for the security of payment card data, a dedicated body, the Payment Card Industry Security Standards Council, was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. The PCI DSS v1.1 standard defines security requirements for protecting payment card data and applies wherever the card number is stored, processed or transmitted. It sets out requirements in the following six categories:
* build and maintain a secure network;
* protect cardholder data;
* maintain a vulnerability management program;
* implement strong access control measures;
* regularly monitor and test networks;
* maintain an information security policy.

In total, twelve basic requirements are defined across these categories:
* install and maintain a firewall configuration;
* do not use vendor-supplied defaults for passwords and other security parameters;
* protect stored cardholder data;
* encrypt cardholder data transmitted across open, public networks;
* use and regularly update antivirus software;
* develop and maintain secure systems and applications;
* restrict access to data on a need-to-know basis;
* assign a unique identifier to each subject with access to the information;
* restrict physical access to cardholder data;
* track and monitor all access to network resources and cardholder data;
* regularly test security systems and processes;
* maintain an information security policy.
At present the standard is mandatory for processing centres; in future its requirements will extend to all participants of the payment systems.