EMV certification levels

Protection at the software level involves the use of a whole range of mechanisms – the terminal device password, the terminal device operator password, and so on.

If the terminal is multi-functional, i.e. it serves several applications, their safe operation and storage in the terminal memory can also be organized at different levels. In principle, this task is often solved at the software level: applications are located in memory in such a way that the encryption keys used by one application are not available to other applications running in the same terminal. However, another security technology, the use of so-called SAM modules, has become the most popular due to its high reliability. Outwardly, the SAM slot resembles a SIM slot in an ordinary mobile phone, and the SAM module itself is nothing more than a chip that can store the application’s encryption keys (and sometimes even perform cryptographic procedures independently, i.e. in fact act as a cryptographic device). The more SAM slots a terminal has, the more independent payment systems it can interact with. In practice, the number of SAM slots in the terminal can reach eight, but most often their number does not exceed four.
The main manufacturers of terminal equipment are the following companies: Hypercom, Ingenico, VeriFone, Thales e-Transactions Ltd., Schlumberger, Intellect Da Sistemi, Lipman, Keycorp. The list of manufacturers of transaction terminals is constantly updated with new names. However, it is not easy to find a niche in the market: it is not enough to present a ready-made sample of the device; it is equally important to provide customers (banks, processing companies, system integrators) with powerful and convenient software development tools. Otherwise, the transaction terminal turns out to be a “thing in itself”, unsuitable for creating applications on site.

In order to be used within a payment system (primarily in international payment systems such as Visa and MasterCard), today’s terminal designed for servicing international payment cards with a microprocessor must pass the certification procedure of that payment system. For example, EMVCo, an organization created specifically for this purpose, checks transaction terminals for compliance with the EMV specifications, and its certification is two-level. The first level (Level 1) is the compliance of the terminal’s electromechanical characteristics, its logical interface, and its data transfer protocol with the requirements set out in the first part of the EMV specifications. The second level (Level 2) is software certification (compliance with the requirements for debit and credit applications set out in the rest of the EMV specifications).

An important characteristic of the terminal is its “price-quality” ratio, and perhaps the main one is its price in absolute monetary terms.
As an example of a transaction terminal, consider the K23 terminal manufactured by the Australian company Keycorp.

K23 Terminal

The K23 terminal accepts all types of credit, debit and local cards, both with a magnetic stripe and with a chip. It consists of a remote PIN keyboard, which is handed to the customer when necessary, and a communication module, which also includes a thermal printer for printing receipts and reports and is permanently installed on the cashier’s/operator’s desk. This design not only ensures the confidentiality of PIN entry, but also allows the customer to make a payment without actually “letting the card out of their hands”.

The terminal is equipped with card readers with a magnetic stripe and a chip. The device has EMV Level 1&2 certification, as well as Visa RED, so it can be used both in local schemes and for payments within international payment systems.
The terminal is powered by a 16-bit processor; the standard memory capacity is 4 MB of Flash and 1 MB of SRAM, which allows you to load large applications into the device.
Receipts and various reports can be printed using a thermal printer (printing speed is 15 lines per second).

The built-in modem supports data exchange rates up to 14400 bit/s, as well as data compression and error correction mechanisms, which is important for the Russian market, characterized by low-quality landline telephone lines. Optionally, the terminal can be supplied with a GSM/GPRS modem, which allows it to be used as a mobile device at service points where a fixed telephone line is either absent or characterized by very low signal quality.
The market for transaction terminals is relatively conservative. Over the past decade, perhaps the only changes in it have been support for accepting and servicing chip cards, updated operating systems that allow loading various independent applications, and an increase in terminal memory by 2-4 times for basic configurations and 5-10 times for maximum ones. This is, of course, in no way comparable to the dramatic changes in the personal computer market, where over the same period there was a transition from the 386 processor to Pentium/7th-generation computers. Nevertheless, we can expect a big surge in the development of the terminal market, so we are wary of predicting the future of this industry more than 5-10 years ahead.

At the moment, the issue of EMV certification of payment terminals from different manufacturers comes to the fore. Another important issue is the availability of a PIN keyboard in the payment terminal configuration: let’s assume that in the future, any transaction will require the presentation of a PIN code.
Apparently, over time, terminals connected to the Internet will appear and then begin to predominate. Information about transactions made using such a terminal can be sent directly not only to the acquiring bank, but also to the issuing bank, whose Internet address can be recorded on the card chip, as well as to the payment guarantors (settlement bank, etc.), bypassing the multi-stage path through various processing centers. This will significantly simplify and speed up clearing settlements. One variety of such an Internet terminal will be a personal computer with access to the World Wide Web and a connected device that combines a PIN keyboard with a magnetic stripe and chip reader (such devices are already available on the market, and their number will grow).
In addition, over time, the variety of “terminal” software and hardware platforms that characterizes the current market for POS-terminal equipment may shrink significantly. If this excessive diversity is eliminated (even if not completely), i.e. a single hardware (and therefore software) platform appears, then terminal software developers will be able to create applications that work the same way on any terminal that supports this platform.
Such unification, however, can only occur under the pressure of one of the largest players in the modern information technology market: in this case, the world of POS-terminal equipment may suffer approximately the same fate as the world of personal computers did 10-15 years ago, where Intel processors and their analogues almost completely replaced the products of competitors (by the way, the impetus for the arrival of such a major player may be the connection of terminals to the Internet).

The Bank’s processing center

Processing center – definition, structure, functions of its components

The processing center (PC) of a bank, as applied to the plastic card business, is a complete system: a complex of interconnected software and hardware solutions, organizational procedures and personnel that supports the life cycle of banking products based on plastic cards.

Structure of the processing center

The structure of a processing center is determined by the set of business and technological procedures it performs and usually includes a front office, a back office, a personalization service (personalization bureau), as well as auxiliary subsystems – for example, a system of secure document flow between participants of an intrabank payment system.

Functions of the processing center’s front office

The processing center’s front office performs the following functions:
transaction capture and device management – primary processing of communication and transaction traffic generated by terminal network devices; conversion of application protocol families (SPDH, VISA-II, APACS, etc. for POS terminals, Diebold, NDC+, etc. for ATMs) to the internal message format of the front office system (usually based on ISO extensions); implementation of scenarios for interaction with the client based on the capabilities of devices and protocols used for device management (a set of screens and printed forms, a “transition tree” between states, etc.);
transaction routing (switching) – determining the network or processor (financial institution) that serves this transaction, and sending the transaction to the appropriate network (processor) interface or authorization module;
calculation of online commissions – calculation of commission fees included in the transaction amount;
authorization – making a decision to allow or reject a transaction based on checking a set of parameters: the card status, the client’s balance available for authorization, the status of the issuing financial institution in the limit control system, etc.;
risk management – analysis of authorization traffic in order to minimize the bank’s financial losses from fraudulent transactions on customer cards (fraud monitoring systems) and from unscrupulous issuers (limit control system for financial institutions participating in the payment system). Often the implementation of this subsystem implies close integration with the functionality implemented on the system’s back-office host;
interfaces for working with banks, processing companies and payment networks – providing online transactional interaction with settlement participants, with the conversion of requests into the application protocol formats supported by these participants;
real-time monitoring of devices and interfaces – this function allows the processing center staff to get information about the communication and technical status of devices and interfaces, track diagnosed malfunctions and the availability of money and supplies in ATMs, plan service operations and cash collection, as well as interact with additional functionality of devices (for example, loading electronic logs, balancing terminals, etc.).
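
The routing, online commission and authorization steps listed above can be sketched as follows. This is an added example, not code from any processing system; the BIN prefixes, destination names, commission rates and card records are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed (invented) table: BIN prefix -> (destination, commission rate).
ROUTES = {
    "9": ("NETWORK_A", Decimal("0.015")),
    "9123": ("NETWORK_B", Decimal("0.010")),
    "912345": ("LOCAL_AUTH", Decimal("0.010")),  # the bank's own local product
}

@dataclass
class Card:
    status: str         # "active" or "blocked"
    available: Decimal  # balance available for authorization
    issuer: str

# Constructed card records and issuer state from the limit control system.
CARDS = {
    "9123450000000001": Card("active", Decimal("100.00"), "OWN_BANK"),
    "9123450000000002": Card("blocked", Decimal("500.00"), "OWN_BANK"),
}
ISSUER_WITHIN_LIMIT = {"OWN_BANK": True}

def route(pan):
    """Switching: longest-prefix match of the card number against ROUTES."""
    for n in range(len(pan), 0, -1):
        if pan[:n] in ROUTES:
            return ROUTES[pan[:n]]
    return None

def process(pan, amount):
    """Return 'APPROVE', 'DECLINE:<reason>' or 'FORWARD:<destination>'."""
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19) or amount <= 0:
        return "DECLINE:format"
    hit = route(pan)
    if hit is None:
        return "DECLINE:no_route"
    dest, rate = hit
    if dest != "LOCAL_AUTH":
        return f"FORWARD:{dest}"  # the decision belongs to the other processor
    card = CARDS.get(pan)
    if card is None or card.status != "active":
        return "DECLINE:card_status"
    if not ISSUER_WITHIN_LIMIT.get(card.issuer, False):
        return "DECLINE:issuer_limit"
    total = amount + (amount * rate).quantize(Decimal("0.01"))
    if total > card.available:
        return "DECLINE:funds"
    card.available -= total  # hold the funds so a repeat cannot overspend
    return "APPROVE"
```

Every failure path declines by default: an unknown card, an unknown issuer or a malformed request never reaches the approval branch.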

Functions of the processing center’s back office

The back office functions are usually as follows:
card lifecycle management – entering and maintaining up-to-date information about cards, accounts, and limits in the processing center’s database;
accounting of customer transactions – reflection in the database of information about transactions performed by the customer (changes in limits, accrual of interest and commissions, etc.); processing incoming clearing files of payment systems; maintaining a transaction history file; in some cases, accounting for transactions with plastic cards in accordance with accounting rules and creating transaction files for the banking system;
clearing – consolidation of transaction data based on the results of a business day for the implementation of settlement procedures between participants of the payment system (banks, retail chain companies, etc.) and the settlement bank; preparation of clearing files;
maintaining contracts and settlements with merchants – based on data received at the close of the business day, consolidation of transactions in the context of the product range served, calculation of commissions and formation of payment orders for the transfer of compensation to trade and service enterprises;
preparing reports – generating reports for contractors based on the results of the business day (transaction amounts, commissions) in the context of issuance and acquiring;
claim work – support of the arbitration cycle in accordance with the rules of payment systems; generation and processing of claim cycle files (chargeback, representation, etc.).

Personalization service features

The personalization subsystem performs the following functions:

card personalization – creating files with data for issuing cards (embossing files) based on information from the processing center database;
accounting for card blanks;
PIN envelope printing – generating card PIN codes according to the key information and algorithms used, and printing PIN envelopes.

Auxiliary subsystems

The processing center’s auxiliary subsystems are not directly involved in the transaction lifecycle, but they are often an integral part of the processing center’s hardware and software complex. These include, for example:
a secure document management subsystem for notarized data exchange with payment system counterparties (bank branches, agent banks, etc.);
a subsystem for automated reporting distribution (for example, sending reports on the results of a business day to trade and service enterprises over the Internet or via a fax server);
automated data processing stations (input and recognition of data from orders for making cards, slips, etc.);
interfaces with remote service channels (SMS banking, Internet banking, etc.);
a print server of the system for generating statements for cardholders.

Choosing a processing scheme

There are three ways a financial institution can work with plastic cards.

Full-featured proprietary processing

The bank has a clear strategy focused on the development of retail business and the issue of a significant number of plastic cards. The bank has a geographically extensive structure with a large number of serviced peripherals. The bank plans to provide its cardholders with a set of unique products and services that cannot be implemented using a third-party processor or are associated with large additional costs. The volume of the bank’s operations with plastic cards provides revenues sufficient to maintain the technical infrastructure of its own processing center, as well as to staff it with qualified personnel.

Third party processing (Third Party)

For quite a long time, there has been a trend in the world for financial institutions to transfer non-core activities to specialized companies. A classic example of such outsourcing is the business of third-party processors (such as First Data, TSYS, Global Payments Inc., Euronet Worldwide, etc., in Russia – CJSC “United credit card Company” – DCS). The advantage of this organizational and technological scheme is the ability to start issuing immediately, as well as a significant reduction in the investment component of the project (as a rule, the bank only needs to purchase back-office software, but processors such as DCS also provide back-office functions as an outsourced service – the bank gets remote access to the database of its cards and can start working almost without investment). The disadvantage of this scheme is the lack of product flexibility, since the implementation of new and non-standard products and services required by customers depends on their profitability for the processor’s business.

Combined processing

Often, a bank starts working with plastic cards by issuing its own local product, which is accepted only in the devices of this bank. As the business grows, it becomes necessary to issue products of Russian or international payment systems (for example, for management and HR clients). Here the bank faces the problem of additional financial costs, because in order for the bank’s processing to meet all the requirements of payment systems, a fairly large investment is required in the modernization of the existing organizational and technological system and in the certification of processing, which usually does not pay off on small volumes of issue. In this case, the best option is combined processing, when local products are processed by the bank’s own PC, and the processing of payment system products is outsourced to certified third-party processors. The bank is then able to start issuing the necessary products immediately, with minimal modifications to the existing technology, avoiding large one-time costs.