Tomcat
Today, most POS terminals have approximately the same characteristics and performance indicators. A modern terminal is a device with a 32-bit RISC processor, RAM from 512 KB to 2 MB and more, and Flash memory from 1 MB in size. Applications and even terminal operating systems are written in a high-level language and loaded into the terminal's Flash memory. Application parameters are stored in RAM, which is battery-backed so that they survive a power failure of the terminal.
Cryptographic operations are performed in an HSM module, which can be located either inside a separate device called a PIN-PAD, or inside a terminal (an option to combine a PIN-PAD with a terminal).
A modern POS terminal has either a combined reader capable of reading information from a magnetic stripe of a card and exchanging data with a hybrid card chip, or two readers. In the second case, one reader is used to read the magnetic stripe data of the card, and the other is used to work with the microprocessor of the card.
Almost all terminal suppliers declare that their terminals support the telecommunication protocols X.25 / X.28, SDLC, TCP / IP / Ethernet, GSM / GPRS, Wi-Fi (IEEE 802.11).
Due to the fact that POS terminals have approximately the same characteristics and performance indicators, the following factors influence the choice of the terminal:
- the cost of the terminal and terminal ownership;
- terms of delivery of terminals;
- terms of terminal maintenance and support in Russia;
- functionality of the application (in particular, support for protocols for working with the host);
- availability of EMVCo certificates for Type Approval Level 1 and Type Approval Level 2;
- availability of a certificate for compliance with PCI PED (PIN Entry Device) requirements if the terminal supports PIN-code verification.
In addition, depending on the capabilities of the terminal and the type of terminal application, it may support the commands:
- VERIFY for offline PIN-code verification;
- GET CHALLENGE when the terminal supports the cardholder verification method Enciphered PIN Offline;
- INTERNAL AUTHENTICATE when the terminal supports the DDA card authentication method;
- EXTERNAL AUTHENTICATE when authenticating the issuer using this command, as is done, for example, in the VSDC application;
- GENERATE AC (with bit 6 of parameter P1 equal to 1) when the terminal supports the CDA card authentication method and direct selection of this card authentication method.
Let's conditionally divide all POS terminals into two classes: terminals that work only in online mode (online only terminals), directing any operation for authorization to the issuer, and all other terminals (offline capable terminals).
Today, most terminals, with the exception of ATMs, ADM / CAT1- and CAT2-terminals, support the ability to perform transactions in offline mode, that is, they belong to the second class of terminals. The offline mode of operation implies that the terminal supports offline card authentication methods (SDA and DDA support is required; the CDA method is recommended and becomes mandatory in offline MasterCard terminals from January 1, 2011), that the terminal performs risk management procedures (checking the Terminal Floor Limit value, stop lists, the Random Transaction Selection and Velocity Checking procedures), and that it stores offline transaction data and subsequently uploads it to the host of the servicing bank.
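The three terminal risk management procedures named above (floor limit check, random transaction selection, velocity checking) are specified in EMV Book 3, section 10.6. The following is a worked example added here, not code from the post or from any terminal vendor: it implements those checks over constructed sample parameters and returns the Terminal Verification Results (TVR) byte 4 bits that an offline-capable terminal would set before terminal action analysis. The `draw` callable that replaces the terminal's random number generator, the parameter names and the sample values are all assumptions of this example.

```python
"""EMV terminal risk management (Book 3, 10.6) as an added worked example.
Amounts are in minor currency units; all parameter values are constructed."""

# TVR byte 4 bits (EMV Book 3, Annex C1)
TVR_EXCEEDS_FLOOR_LIMIT = 0x80  # b8: transaction exceeds floor limit
TVR_LCOL_EXCEEDED = 0x40        # b7: lower consecutive offline limit exceeded
TVR_UCOL_EXCEEDED = 0x20        # b6: upper consecutive offline limit exceeded
TVR_RANDOM_SELECTION = 0x10     # b5: transaction selected randomly for online
# "New card" lives in TVR byte 2 b4; it is returned as a separate flag here.
TVR_NEW_CARD = 0x08


def check_floor_limit(amount, floor_limit):
    """Book 3, 10.6.1: amount >= Terminal Floor Limit forces the transaction online."""
    return amount >= floor_limit


def random_selection(amount, threshold, target_pct, max_target_pct,
                     floor_limit, draw):
    """Book 3, 10.6.2. `draw()` stands in for the terminal RNG and must
    return an integer in 1..99 (assumption of this example)."""
    if amount < threshold:
        transaction_target = target_pct
    elif amount < floor_limit:
        # Linear interpolation between the target and maximum target percentages
        transaction_target = ((max_target_pct - target_pct)
                              * (amount - threshold)
                              / (floor_limit - threshold)) + target_pct
    else:
        # Above the floor limit the floor-limit check already sends it online
        return False
    return draw() < transaction_target


def velocity_check(atc, last_online_atc, lcol, ucol):
    """Book 3, 10.6.3: compare ATC with the Last Online ATC Register against
    the card's Lower/Upper Consecutive Offline Limits. Returns a TVR bitmask."""
    tvr = 0
    if atc is None or last_online_atc is None:
        # Card did not return ATC / Last Online ATC: set both bits
        return TVR_LCOL_EXCEEDED | TVR_UCOL_EXCEEDED
    if last_online_atc == 0:
        tvr |= TVR_NEW_CARD
    offline_count = atc - last_online_atc
    if offline_count > lcol:
        tvr |= TVR_LCOL_EXCEEDED
    if offline_count > ucol:
        tvr |= TVR_UCOL_EXCEEDED
    return tvr


def terminal_risk_management(amount, card, params, draw):
    """Run the three checks and return the resulting TVR byte 4 bits."""
    tvr = 0
    if check_floor_limit(amount, params["floor_limit"]):
        tvr |= TVR_EXCEEDS_FLOOR_LIMIT
    if random_selection(amount, params["threshold"], params["target_pct"],
                        params["max_target_pct"], params["floor_limit"], draw):
        tvr |= TVR_RANDOM_SELECTION
    tvr |= velocity_check(card.get("atc"), card.get("last_online_atc"),
                          card.get("lcol", 0), card.get("ucol", 0))
    return tvr


# Constructed terminal parameters: floor limit 50.00, threshold 10.00
SAMPLE_PARAMS = {"floor_limit": 5000, "threshold": 1000,
                 "target_pct": 20, "max_target_pct": 50}
# Constructed card state: 10 transactions since the last online one
SAMPLE_CARD = {"atc": 30, "last_online_atc": 20, "lcol": 5, "ucol": 15}

if __name__ == "__main__":
    for amount in (500, 3000, 6000):
        bits = terminal_risk_management(amount, SAMPLE_CARD, SAMPLE_PARAMS,
                                        draw=lambda: 34)
        print(f"amount={amount:5d}  TVR byte 4 = {bits:08b}")
```

The floor limit check is deterministic; random selection depends on the drawn number, which is why the example takes `draw` as a parameter so the behaviour at the interpolation boundary can be tested. Whether a set bit actually results in an online request is decided later by terminal action analysis against the Terminal Action Codes and Issuer Action Codes, which this example does not cover.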
Online-only terminals may not support all of the above features. The experience of many countries shows that the cost of such a terminal is lower than the cost of an offline-capable terminal (according to data from Spain, by an average of 30 euros). Therefore, some banks, especially in countries with inexpensive communications, have chosen to use online only terminals. The use of terminals of this class is not prohibited by payment systems, although it contradicts the desire of some issuers to switch everywhere to the offline method of servicing their cards.
It's also worth noting that online transactions are generally safer than offline ones. In particular, it is impossible to use cloned cards in online only terminals.
The servicing bank should strive to ensure that its terminals simultaneously support all types of offline card authentication, thereby giving the issuer the ability to use any authentication method on its cards. In this case, the issuer has the opportunity to choose the most effective authentication method for each of its card products, without worrying about possible problems with acceptance of its cards in the terminal network of the payment system.
All offline chip terminals today must support SDA and DDA methods. Therefore, talking about the versatility of the terminal in terms of supporting card authentication methods comes down to the terminal's support for the CDA method. In terms of price, the DDA-capable terminal and the CDA-capable terminal are equivalent. Therefore, for a servicing bank, the cost of migration to terminals supporting CDA is mainly determined by the bank's costs of upgrading the terminal software and, possibly (depending on the depth of the terminal application modernization), certification of the connection of the upgraded terminal in payment systems.
From 2011, all offline capable terminals put into operation in the MasterCard system will have to support the CDA method. It should be expected that in the next few years, almost all chip terminals that allow offline authorization mode will be able to support the CDA method.
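The point made in the preceding paragraphs, that the issuer's choice of authentication method is only safe when the acquirer's terminals support every method, follows directly from how a terminal selects the offline data authentication method in EMV Book 3, section 10.3: the terminal picks the strongest method that both the card's Application Interchange Profile (AIP) and its own Terminal Capabilities support, and if there is no overlap it sets "Offline data authentication was not performed" in the TVR. The following is an added illustration, not code from the post: the bit positions are taken from EMV Book 3 (AIP byte 1 and Terminal Capabilities byte 3), while the card and terminal profiles are constructed sample values.

```python
"""Offline data authentication (ODA) method selection, EMV Book 3, 10.3.
Added worked example; card and terminal profiles below are constructed."""

# Application Interchange Profile, byte 1 (EMV Book 3, Annex C1)
AIP_SDA_SUPPORTED = 0x40  # b7
AIP_DDA_SUPPORTED = 0x20  # b6
AIP_CDA_SUPPORTED = 0x01  # b1

# Terminal Capabilities, byte 3 (EMV Book 3, Annex A2)
TC_SDA = 0x80  # b8
TC_DDA = 0x40  # b7
TC_CDA = 0x08  # b4

# TVR byte 1, b8: offline data authentication was not performed
TVR_ODA_NOT_PERFORMED = 0x80


def select_oda_method(aip_byte1, terminal_cap_byte3):
    """Return ('CDA'|'DDA'|'SDA', tvr_bits). Preference order is CDA, then
    DDA, then SDA; with no common method the TVR bit is set instead."""
    if aip_byte1 & AIP_CDA_SUPPORTED and terminal_cap_byte3 & TC_CDA:
        return "CDA", 0
    if aip_byte1 & AIP_DDA_SUPPORTED and terminal_cap_byte3 & TC_DDA:
        return "DDA", 0
    if aip_byte1 & AIP_SDA_SUPPORTED and terminal_cap_byte3 & TC_SDA:
        return "SDA", 0
    return None, TVR_ODA_NOT_PERFORMED


# Constructed terminal profiles (byte 3 of Terminal Capabilities)
TERMINALS = {
    "SDA+DDA terminal": TC_SDA | TC_DDA,
    "SDA+DDA+CDA terminal": TC_SDA | TC_DDA | TC_CDA,
}

# Constructed card profiles (byte 1 of the AIP)
CARDS = {
    "SDA-only card": AIP_SDA_SUPPORTED,
    "DDA card": AIP_SDA_SUPPORTED | AIP_DDA_SUPPORTED,
    "CDA card with DDA fallback": AIP_DDA_SUPPORTED | AIP_CDA_SUPPORTED,
    "CDA-only card": AIP_CDA_SUPPORTED,
}


def acceptance_matrix(cards=CARDS, terminals=TERMINALS):
    """Map (card, terminal) -> selected method, or None when ODA is skipped."""
    return {(c, t): select_oda_method(aip, cap)[0]
            for c, aip in cards.items() for t, cap in terminals.items()}


if __name__ == "__main__":
    for (card, term), method in acceptance_matrix().items():
        print(f"{card:28s} at {term:22s} -> {method or 'no ODA (TVR set)'}")
```

The matrix shows the trade-off the text describes: an issuer personalising CDA-only cards gets no offline authentication at all on a DDA terminal, whereas a CDA-capable terminal serves every profile, so the acquirer's upgrade removes the constraint on the issuer's choice.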
It has already been said that, from the point of view of payment systems, the PIN Offline cardholder verification method is the most preferable. In this regard, payment systems are gradually but persistently introducing rules aimed at ensuring that terminals that support acceptance of chip cards (IPCs) are equipped with the PIN-PAD devices necessary for entering a PIN code.
In addition to the aforementioned Chip & PIN Liability Shift, payment systems made the following decisions regarding the need to verify the PIN:
- from January 1, 2008 in the VISA CEMEA region all new online capable terminals must support PIN Offline, and online only terminals must support PIN Online if they do not support PIN Offline;
- Effective January 1, 2011, all new hybrid terminals in MasterCard worldwide must support PIN Offline.
In conclusion, we note that in order to combat cloned cards at POS terminals, it is necessary to maintain stop lists. As previously explained, it is not possible to block a properly crafted cloned card. Therefore, stop lists are the only way to deal with such cards.