Tomcat
After completing the card authentication procedure, you must make sure that the card is presented for payment by its authorized holder (the person to whom the issuer handed the card over for use). Today, the most reliable way to solve this problem is to verify the cardholder by checking their PIN code. There are reports that some banks have launched pilot projects on the use of biometric methods of cardholder authentication; see section 1.6.
Experts are ambivalent about the advisability of using a PIN code in POS terminals with magnetic stripe cards. On the one hand, among the data of a magnetic stripe card the PIN code is the only secret unavailable to fraudsters, since it is not stored on the card. Therefore, the use of a PIN code is the most reliable means of securing transactions carried out with magnetic stripe cards. On the other hand, many experts rightly believe that there are many ways to compromise PIN codes in POS terminals, including shoulder surfing and installing fake terminals whose purpose is to record card details and PIN values.
When a microprocessor card (IPC) without a magnetic stripe is used, the situation changes radically. In this case, knowledge of the PIN value and of the other card details available to the terminal does not allow a fraudster to produce a counterfeit card with which a successful operation could be performed. However, in today's transitional situation, when almost all microprocessor bank cards of the leading payment systems are hybrid, the mass use of PIN verification may increase the number of cases in which the PIN is compromised and subsequently used in terminals that accept only magnetic stripe cards, or in hybrid ATMs that allow fallback to the magnetic stripe.
The experience of UK banks migrating to Chip & PIN technology dispelled the experts' doubts. Great Britain has demonstrated to the world that a coordinated and prompt migration of all banks in the country to Chip & PIN technology can significantly reduce fraud losses. The effect is achieved by a sharp reduction in fraud on lost, stolen and never-received cards, which significantly outweighs the growth of card fraud at ATMs. The increase in ATM fraud is associated with an increase in the number of PIN codes compromised because they are used more frequently in transactions. This is described in more detail in section 6.6.1.4.
When an IPC is used, there are two ways to verify the PIN: offline, by the card itself, or online, by the card issuer while processing the transaction in real time.
Obviously, the first method has many advantages. The main one is that offline PIN verification allows the cardholder to be reliably verified in the case of offline transactions. It should also be recognized that, in general, the security of PIN block processing is higher in this case than when the PIN is verified by the issuer, since the risks of compromising the PIN while it is processed at the servicing bank's host and transmitted to the issuer are eliminated.
At the same time, offline processing of a transaction places additional demands on the terminal. Although transferring the PIN to the card in the clear is permitted in this case, some issuers (albeit a minority) require the PIN block to be encrypted (sometimes this is required by the legislation of a particular country). Section 3.13 already described how this is done using the card's public key and the RSA algorithm.
Support for the RSA algorithm in ATM cryptographic modules is still rare. For this reason, offline PIN verification by the card is still not used in these devices. This may change in the near term, though, as banks' interest in applications requiring RSA support in ATMs grows. One example of such an application is the delivery of new master keys to ATMs (today this is done by security officers who have to travel to the ATM to install or change the device's master key).
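The following worked example is added here and is not code from the book or the post. It shows the plaintext PIN block format that the terminal sends to the card in the clear, and the enciphered variant referred to above, in which the terminal wraps that PIN block together with a challenge obtained from the card and encrypts the result under the card's RSA public key (the layout `7F || PIN block || ICC unpredictable number || random padding` is the one EMV Book 2 defines). The RSA key is a constructed toy key built from two Mersenne primes so that the example runs with no external library; real ICC PIN encipherment keys are much larger. `ToyIcc` is a simplified model of the card side, including the PIN try counter, not a real ICC implementation.

```python
"""Added example: EMV plaintext PIN block and enciphered offline PIN verification.
Toy RSA key (constructed), simplified card model; not production code."""
import secrets


# --- Plaintext PIN block (EMV Book 3): nibbles 2 N d1..dN, padded with F to 8 bytes
def build_pin_block(pin: str) -> bytes:
    """'1234' -> 24 12 34 FF FF FF FF FF."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))


def pin_from_block(block: bytes) -> str:
    """Inverse of build_pin_block, rejecting malformed blocks."""
    h = block.hex().upper()
    if len(block) != 8 or h[0] != "2":
        raise ValueError("not an EMV format PIN block")
    n = int(h[1], 16)
    if not 4 <= n <= 12 or h[2 + n:] != "F" * (14 - n):
        raise ValueError("bad PIN length or padding")
    return h[2:2 + n]


# --- Constructed toy ICC PIN encipherment key (RSA with two Mersenne primes).
P = (1 << 127) - 1        # M127, prime
Q = (1 << 89) - 1         # M89, prime
N = P * Q                 # 216-bit modulus
NIC = (N.bit_length() + 7) // 8   # modulus length in bytes (27 here)
E = 65537                 # coprime with (P-1)(Q-1): ord_65537(2) = 32 divides neither 126 nor 88
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


# --- Terminal side: build and encrypt the enciphered PIN data (EMV Book 2, 7.2)
def encipher_pin(pin_block: bytes, icc_unpredictable_number: bytes) -> bytes:
    data = (b"\x7F" + pin_block + icc_unpredictable_number
            + secrets.token_bytes(NIC - 17))          # 1 + 8 + 8 + pad = NIC bytes
    m = int.from_bytes(data, "big")
    assert m < N                                      # header 0x7F keeps data below the modulus
    return pow(m, E, N).to_bytes(NIC, "big")          # raw RSA, as EMV specifies


# --- Card side: simplified model of GET CHALLENGE and VERIFY (enciphered PIN)
class ToyIcc:
    def __init__(self, reference_pin: str, pin_try_limit: int = 3):
        self._ref_block = build_pin_block(reference_pin)
        self._limit = pin_try_limit
        self.pin_try_counter = pin_try_limit
        self._challenge = None

    def get_challenge(self) -> bytes:
        """8-byte ICC unpredictable number; binds one cryptogram to one attempt."""
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def verify_enciphered(self, cryptogram: bytes) -> tuple[int, str]:
        """Returns an ISO 7816-style status word plus a short explanation."""
        if self.pin_try_counter == 0:
            return 0x6983, "PIN blocked"
        if self._challenge is None:
            return 0x6985, "no challenge issued"
        challenge, self._challenge = self._challenge, None   # challenge is single use
        data = pow(int.from_bytes(cryptogram, "big"), D, N).to_bytes(NIC, "big")
        # A stale or replayed cryptogram fails here: wrong header or wrong challenge.
        if data[0] != 0x7F or data[9:17] != challenge:
            return 0x6A80, "recovered data rejected"
        if data[1:9] != self._ref_block:
            self.pin_try_counter -= 1
            if self.pin_try_counter == 0:
                return 0x6983, "PIN blocked"
            return 0x63C0 | self.pin_try_counter, "wrong PIN"
        self.pin_try_counter = self._limit                 # correct PIN resets the counter
        return 0x9000, "PIN verified"


def demo_exchange(icc: ToyIcc, entered_pin: str) -> tuple[int, str]:
    """One terminal/card exchange: GET CHALLENGE, then VERIFY with the enciphered block."""
    un = icc.get_challenge()
    cryptogram = encipher_pin(build_pin_block(entered_pin), un)
    return icc.verify_enciphered(cryptogram)


if __name__ == "__main__":
    card = ToyIcc("1234")
    print(build_pin_block("1234").hex().upper())
    print(demo_exchange(card, "1234"))
    print(demo_exchange(card, "0000"))
```

The card-side checks on the recovered header and on the challenge are what make the enciphered form more than confidentiality: a cryptogram captured in one transaction is useless in another because the challenge never repeats.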
PIN confidentiality matters in a hybrid acceptance network in which both smart cards and magnetic stripe cards are accepted. If only microprocessor card technology is used for processing transactions (that is, acceptance of magnetic stripe cards is excluded), knowledge of the PIN code alone gives the fraudster nothing: to commit fraud, in addition to knowing the PIN, one must possess the IPC itself.
International payment systems actively recommend that issuers use offline PIN verification as the main cardholder verification method. In particular, they are gradually introducing a liability shift, called the Chip & PIN Liability Shift, across the regions.
To formulate it, we introduce the following definition. We will call a microprocessor card a Chip & PIN card for a given operation if the Offline PIN verification method (regardless of how the PIN is transferred to the card, enciphered or in plaintext) has the highest priority for this operation in the card's CVM List.
The Chip & PIN Liability Shift is then formulated as follows: if a Chip & PIN card is used in a terminal that does not support the Offline PIN method for the transaction being performed, all liability for "lost / stolen / never-received card" fraud is transferred to the servicing bank.
Note that the terminal may provide offline PIN verification for a specific transaction by supporting the card's PIN verification method. For example, if both the card and the terminal support Plaintext Offline PIN, there is no liability shift. However, if the terminal serves a card that uses Enciphered Offline PIN and the terminal does not support that method, the liability shift takes place.
Incidentally, when a terminal passes Level 2 approval for the Offline PIN method, it is required to support both PIN verification methods, Enciphered Offline PIN and Plaintext Offline PIN. In other words, in theory a terminal either supports both methods or neither.
As a result, the order of cardholder verification rules in the CVM List recommended by the payment systems for an operation with a DDA/CDA card in a POS terminal is as follows:
1. Enciphered Offline PIN;
2. Plaintext Offline PIN;
3. Online PIN;
4. Signature;
5. No CVM.
Note that a card that supports offline card authentication and Offline PIN is indeed a well-protected payment instrument that counters almost all known types of card fraud.
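The following worked example is added here and is not code from the book or the post. It encodes the recommended CVM List above as the card would carry it in tag 8E, runs the terminal-side rule selection of EMV Book 3 (section 10.5) against two constructed terminal capability sets, and then applies the Chip & PIN Liability Shift definition given earlier: the card's highest-priority rule for the operation is determined without regard to the terminal (condition code 03, "if terminal supports the CVM", is treated as satisfied for that purpose, which is this example's reading of the definition), and the shift applies when that rule is an offline PIN method the terminal lacks. The CVM List bytes, the terminal capability sets and the transaction data are constructed; the handling of the "Fail CVM" code and of an unsupported method is simplified.

```python
"""Added example: EMV CVM List (tag 8E) parsing, terminal CVM selection and the
Chip & PIN liability-shift test. Constructed data; simplified EMV Book 3 logic."""
from dataclasses import dataclass

# CVM codes (bits 6-1 of the first byte of a rule), per EMV Book 3
FAIL_CVM = 0x00
PLAINTEXT_PIN_ICC = 0x01
ONLINE_PIN = 0x02
PLAINTEXT_PIN_ICC_AND_SIG = 0x03
ENCIPHERED_PIN_ICC = 0x04
ENCIPHERED_PIN_ICC_AND_SIG = 0x05
SIGNATURE = 0x1E
NO_CVM = 0x1F
APPLY_NEXT_IF_FAIL = 0x40   # bit 7 of the CVM code byte
OFFLINE_PIN_METHODS = {PLAINTEXT_PIN_ICC, PLAINTEXT_PIN_ICC_AND_SIG,
                       ENCIPHERED_PIN_ICC, ENCIPHERED_PIN_ICC_AND_SIG}


@dataclass
class CvmRule:
    method: int
    apply_next: bool   # bit 7: try the next rule if this one is unsuccessful
    condition: int     # CVM condition code (second byte)


@dataclass
class CvmList:
    amount_x: int
    amount_y: int
    rules: list


@dataclass
class Transaction:
    amount: int   # application currency, minor units
    type: str     # "purchase", "cash", "cashback" or "unattended_cash"


def parse_cvm_list(data: bytes) -> CvmList:
    """Tag 8E: 4-byte amount X, 4-byte amount Y, then 2-byte rules in priority order."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    rules = [CvmRule(method=data[i] & 0x3F,
                     apply_next=bool(data[i] & APPLY_NEXT_IF_FAIL),
                     condition=data[i + 1])
             for i in range(8, len(data), 2)]
    return CvmList(int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big"), rules)


def condition_holds(cond: int, txn: Transaction, lst: CvmList, terminal_supports) -> bool:
    """CVM condition codes of EMV Book 3. terminal_supports is a callable so the
    same check can be run from the terminal's or from the card's point of view."""
    if cond == 0x00: return True
    if cond == 0x01: return txn.type == "unattended_cash"
    if cond == 0x02: return txn.type == "purchase"   # not cash, not cashback
    if cond == 0x03: return terminal_supports()
    if cond == 0x04: return txn.type == "cash"
    if cond == 0x05: return txn.type == "cashback"
    if cond == 0x06: return txn.amount < lst.amount_x
    if cond == 0x07: return txn.amount >= lst.amount_x
    if cond == 0x08: return txn.amount < lst.amount_y
    if cond == 0x09: return txn.amount >= lst.amount_y
    return False   # unrecognised condition: the rule is skipped


def select_cvm(lst: CvmList, txn: Transaction, supported: set):
    """Terminal-side selection. Returns (method, outcome); the CVM itself is assumed
    to succeed once performed (correct PIN, signature taken)."""
    for rule in lst.rules:
        if not condition_holds(rule.condition, txn, lst, lambda: rule.method in supported):
            continue
        if rule.method in supported and rule.method != FAIL_CVM:
            return rule.method, "success"
        if rule.apply_next:           # unsupported or Fail CVM: move on if bit 7 allows
            continue
        return rule.method, "fail"    # cardholder verification failed
    return None, "exhausted"          # no rule applied (TVR: verification not successful)


def card_priority_method(lst: CvmList, txn: Transaction):
    """Highest-priority rule of the card for this operation, judged without regard
    to the terminal (assumption: condition 03 is treated as satisfied)."""
    for rule in lst.rules:
        if condition_holds(rule.condition, txn, lst, lambda: True):
            return rule.method
    return None


def chip_and_pin_liability_shift(lst: CvmList, txn: Transaction, supported: set) -> bool:
    """Chip & PIN card (top rule is offline PIN) used at a terminal lacking that method."""
    top = card_priority_method(lst, txn)
    return top in OFFLINE_PIN_METHODS and top not in supported


# Constructed CVM List encoding the recommended order: X = Y = 0, then
# enciphered offline PIN, plaintext offline PIN, online PIN, signature
# (each "if terminal supports the CVM"), and No CVM ("always").
RECOMMENDED_CVM_LIST = bytes.fromhex("00000000" "00000000" "4403" "4103" "4203" "1E03" "1F00")
# Constructed list with a single strict rule: plaintext offline PIN, always, no fallback.
STRICT_CVM_LIST = bytes.fromhex("00000000" "00000000" "0100")

# Constructed terminal capability sets
CHIP_AND_PIN_POS = {ENCIPHERED_PIN_ICC, PLAINTEXT_PIN_ICC, ONLINE_PIN, SIGNATURE, NO_CVM}
ONLINE_PIN_ONLY_ATM = {ONLINE_PIN, NO_CVM}

if __name__ == "__main__":
    lst = parse_cvm_list(RECOMMENDED_CVM_LIST)
    txn = Transaction(amount=1500, type="purchase")
    for name, caps in (("POS", CHIP_AND_PIN_POS), ("ATM", ONLINE_PIN_ONLY_ATM)):
        print(name, select_cvm(lst, txn, caps), "liability shift:",
              chip_and_pin_liability_shift(lst, txn, caps))
```

With these inputs the Chip & PIN POS terminal selects Enciphered Offline PIN and no liability shift applies, while the online-PIN-only device skips both offline PIN rules, falls through to Online PIN, and because the card's top rule was an offline PIN method it does not support, the shift applies.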