News

Risk assessment for EMV cards

The requirements of the IPU relate primarily to off-line monitoring; other monitoring options are not mandatory at the moment. The bank should therefore develop its own risk management policy in the PS and choose the monitoring system that corresponds to the adopted policy, rather than simply implementing the most functional technical solution available at the moment. In addition, it is necessary to achieve an acceptable balance between the following indicators: * incorrect decisions to restrict non-fraudulent transactions; *...

The bank’s risks related to fraud of EMV technologies

To determine the impact of fraudulent transactions in the bank’s PS on the bank’s business, it is necessary to assess the following risks:

* financial. The result of fraudulent transactions is most often the financial losses of the bank or its customers. In the latter case, it is necessary to take into account the risk of losing the client if he ceases to trust the services provided by the bank;
* reputational. The reputation of the bank may be damaged if the services provided by it are (or seem) unsafe, and the protective...

EMV Card Security Policy

A bank card is a type of payment card: a non-cash payment instrument intended for individuals, including authorized legal entities, to perform transactions with funds held by the issuing bank. If an attacker obtains the card itself or its data or details, or counterfeits it, he has the opportunity to perform fraudulent transactions on the bank account to which the card gives access. We define a fraudulent transaction from the point of view of the bank, not of criminal law. A fraudulent transaction is an...

Cardholder verification method

Fraudulent transactions on counterfeit microprocessor cards are carried out using the magnetic stripe or the card details (MO/TO, Internet). Because these fraudulent transactions are performed using the magnetic stripe, the cardholder verification method defined by the issuer in the Cardholder verification method Type does not matter. Verification of the holder takes place according to service code 201 (IPC, normal authorization, normal verification). It turns out that the reduction of fraud on counterfeit cards with IPC is not...

Combating illegal use of EMV cards

Stolen (lost, not received) microprocessor cards (lost, stolen, NRI)

The microprocessor card is also a powerful tool in the fight against fraud involving stolen (lost, not received) cards. The Chip&PIN approach, adopted today in the UK and considered by international payment systems to be the most preferred method of cardholder authentication, significantly reduces these types of fraud. The DDA/CDA + PIN Offline method is the most reliable of all known methods of protection against card fraud. It is important to note...

Modification of DDA/CDA transactions

Here are the simplest examples of possible data modification. If the terminal has requested a TC cryptogram in the GENERATE AC command, but the card, in the form of the bank's chip, decides to process the transaction online or reject it offline, the emulator chip changes the unprotected cryptogram information data so that the card responds to the terminal with a TC cryptogram. Thus, the transaction is approved even though, by the issuer’s decision, it must either be rejected or transferred to the issuer for...

Clone EMV card protection

Clone DDA/CDA card protection

Service code 2xx. In our right hand we have a card with only a magnetic stripe, to which information has been copied from the magnetic stripe of the card in our left hand. We try to use this card in a hybrid terminal that accepts both microprocessor cards and magnetic stripe cards. The terminal must check the value of the service code on the magnetic stripe, and if it is equal to 2xx, it must require the transaction to be performed using the chip. The terminal should not allow magnetic stripe operations if...

Security analysis of operations on EMV cards

Properties of the microprocessor card that increase the security of operations

The most important property of a microprocessor card (MPC) is the support of cryptographic functions by the operating system of the card. The use of these functions by the card application can significantly improve the security of payment transactions. The tasks solved by the IPC application to improve the security of plastic card transactions are listed below.

1. The most important basic task solved by the card application using cryptographic methods is to...

Security of EMV transactions

To implement the CAP method, the client must have a microprocessor card with an EMV application, as well as a special card reader capable of initiating the generation of a one-time password (OTP) and showing its 8-digit value on the reader’s display (sometimes the reader and the card are combined in one physical device). Such a reader can cost several euros (10-15 euros, depending on the manufacturer and the volume of the purchased batch of devices). Besides the additional costs of providing cardholders with readers,...

Encoding data method for EMV Software

The ANSI/ISO/IEC 7811 standard is a specification for encoding information on an identification card using embossing or magnetic stripe techniques. This specification consists of five parts:

* relief embossing (writing method);
* magnetic stripe (recording method);
* the location of the characters when embossed on the ID-1 card;
* the location of the read-only magnetic tracks (tracks 1 and 2);
* the location of the tracks available for reading/writing (track 3).

Relief embossing allows you to form symbols raised above the plane of the card body. The...
