People still continue to insert a card at ATMs, despite the fact that contactless service has advantages over the usual method. I will try to briefly tell the story of the issue.
In 2017, we started implementing NFC on ATMs. Back then, we had a large fleet of ATMs where you couldn't attach a card. It was decided to support the unity of user habits, and we started equipping our ATM fleet with NFC modules. That is, we did not install new ATMs and gradually replace the old ones with them as depreciation progressed, but took almost all existing models and added NFC to them.
From the very first days, it became clear that user habits take a long time to break and we will gradually lose the desire to insert a map for many years to come.
If you can make contactless payments in a store or cafe, you can also be served at an ATM. In our case, you need to start the session by attaching a card or device (the corresponding hint is on the ATM on the user's waiting screen) and entering the pin code, and then the main screen will open, where the context for the current bank client will be displayed. Here is an example:
This screen displays typical operations that the client frequently performs: this includes withdrawing the usual amounts of cash, paying for kindergarten or a loan, and so on. Improving the ATM interface is quite an interesting story, and I know that this was important a few years ago. We are constantly introducing new features to the interface, anticipating customer requests. Moreover, it can be such small details as reducing steps within operations. It's not immediately obvious, but it significantly improves the user experience.
Currently, for contactless service, the card must be attached to the ATM twice: the first time during authorization, and the second time - when confirming the operation.
If the client logged in but left before performing the transaction, a third party will not be able to perform any action with their accounts. To confirm the operation, you need to attach the card or gadget again.
We have the widest network of ATMs in Russia — about 71 thousand devices, 95 % of which are equipped with NFC.
All new cards issued by bank are contactless.
Yes. If you have issued a separate certificate for your NFC chip (i.e. linked the card and the NFC chip) and can pay for it in the store — the same applies to the ATM. You don't need to take the card with you at all: all operations, including cash withdrawals and deposits at ATMs, can be done using your smartphone.
Yes.
From the point of view of ATM software, NFC authentication is no different from card insertion authentication. Architecturally, for an ATM, a card reader is a "black box" that provides authentication data. When modifying ATMs and creating new ones, we extend the card reader's capabilities. In a simplified way, this can be described as connecting another input device with a small integration device. In other words, the card reader gets the same data as when reading the card chip. All operations that require a PIN code when you insert the card also require a PIN code when you attach it.
The first bank cards were simply "rolled" by imprinters, so they have three-dimensional digits of the number. This payment system still acts as a backup in some stores in the United States in case of a power outage. It is similar to writing a bank check from a checkbook, which was once very common in the West, but almost did not take root in the USSR and Russia. The level of security was ensured by monitoring contracts with the bank and the police.
The next stage of evolution is the magnetic stripe of the card, which essentially contains a fairly simple method of protection. Until now, there are terminals and ATMs in the world that read only the magnetic stripe. By the way, it can be read as a skimmer, but more about this later.
After the stripe, the chips came (this is what the bank card is authorized through now). Approximately similar chips you see on SIM cards. This is a full-fledged computer without a clock generator (it comes with power from the motherboard). The main function of the chip is to contain internal storage, where the certificate is located, allowing you to generate one-time keys. When you attach or insert a card at ATMs, you are working with the chip, not the magnetic stripe.
Fraudsters can install a reader next to the card reader. Bank uses anti-skimming equipment, which is designed to take into account various scenarios used by fraudsters to deceive the client. Additionally, other technical methods are used, including ATM self-testing, notifications about the correct appearance, panels that make it difficult to install external devices, and so on. For example, the card enters the device slowly, as it makes oscillatory movements in order to prevent reading data from the magnetic stripe. This is done on all our ATMs, but it does not mean that it is done on all ATMs of all banks. Therefore, a universal recipe: if possible, use NFC.
The NFC module uses the EMV standard. EMV (Europay + MasterCard + VISA) is an international standard for transactions on bank cards with a chip. This standard was originally developed by a joint effort of Europay, MasterCard and VISA to improve the security of financial transactions. The EMV standard defines the physical, electronic, and informational interaction between a bank card and a payment terminal for financial transactions. For a contactless session, algorithms similar to the contact session are used, but the only difference is in the method of transmitting information. For example, if a connection is lost in the middle of a transaction, the kernel has Recovery functionality, which guarantees high reliability of operations.
Total — get in the habit of attaching the card to the ATM. As I said above, our technologies equally protect the client who inserts the card and the client who applies it. But contactless technology has a significant advantage: you will definitely not forget the card in your device.
More than it looks. This is not something out of the ordinary, but a standard ATM function. The forgotten card will be returned to the ATM, then you will need to reissue it or, if this happened at the bank's office, go with your passport to the employee to get it from the ATM.
Using NFC, the number of cards left at the ATM has more than halved over the year (from October 2019 to October 2020).
This has nothing to do with NFC, but I will still say that the keyboard on which you enter the pin code encrypts it. Encryption ensures that the entered PIN code does not appear anywhere. However, the operation itself is encrypted with keys, and the ATM does not store any information. Instead, it goes through secure communication channels directly to the bank and is already checked for authenticity there. Everything happens in real time. It is important to note that this information is not stored anywhere and is inaccessible even to bank employees.
We conducted a survey. The results are as follows:
I will say again: it is better to attach a card/gadget, because it is at least more convenient and safer.
Not very widely. Russia is an advanced country in terms of IT banking. In other words, what we have will be available in Europe in a year or two. Here's a recent post about trends during the pandemic.
Ask in the comments, but please note that ATMs are a topic with very strict restrictions on what I can tell you due to security requirements, so answers will come slowly and probably not to every question.
In 2017, we started implementing NFC on ATMs. Back then, we had a large fleet of ATMs where you couldn't attach a card. It was decided to support the unity of user habits, and we started equipping our ATM fleet with NFC modules. That is, we did not install new ATMs and gradually replace the old ones with them as depreciation progressed, but took almost all existing models and added NFC to them.
From the very first days, it became clear that user habits take a long time to break and we will gradually lose the desire to insert a map for many years to come.
How do I use an NFC card at an ATM?
If you can make contactless payments in a store or cafe, you can also be served at an ATM. In our case, you need to start the session by attaching a card or device (the corresponding hint is on the ATM on the user's waiting screen) and entering the pin code, and then the main screen will open, where the context for the current bank client will be displayed. Here is an example:
This screen displays typical operations that the client frequently performs: this includes withdrawing the usual amounts of cash, paying for kindergarten or a loan, and so on. Improving the ATM interface is quite an interesting story, and I know that this was important a few years ago. We are constantly introducing new features to the interface, anticipating customer requests. Moreover, it can be such small details as reducing steps within operations. It's not immediately obvious, but it significantly improves the user experience.
Currently, for contactless service, the card must be attached to the ATM twice: the first time during authorization, and the second time - when confirming the operation.
Why do I need confirmation?
If the client logged in but left before performing the transaction, a third party will not be able to perform any action with their accounts. To confirm the operation, you need to attach the card or gadget again.
What is the number of ATMs with NFC?
We have the widest network of ATMs in Russia — about 71 thousand devices, 95 % of which are equipped with NFC.
All new cards issued by bank are contactless.
Can I attach my watch or phone to the ATM, just like when making a payment?
Yes. If you have issued a separate certificate for your NFC chip (i.e. linked the card and the NFC chip) and can pay for it in the store — the same applies to the ATM. You don't need to take the card with you at all: all operations, including cash withdrawals and deposits at ATMs, can be done using your smartphone.
Do I need to enter my PIN code when using NFC?
Yes.
From the point of view of ATM software, NFC authentication is no different from card insertion authentication. Architecturally, for an ATM, a card reader is a "black box" that provides authentication data. When modifying ATMs and creating new ones, we extend the card reader's capabilities. In a simplified way, this can be described as connecting another input device with a small integration device. In other words, the card reader gets the same data as when reading the card chip. All operations that require a PIN code when you insert the card also require a PIN code when you attach it.
How does NFC work in ATMs?
The first bank cards were simply "rolled" by imprinters, so they have three-dimensional digits of the number. This payment system still acts as a backup in some stores in the United States in case of a power outage. It is similar to writing a bank check from a checkbook, which was once very common in the West, but almost did not take root in the USSR and Russia. The level of security was ensured by monitoring contracts with the bank and the police.
The next stage of evolution is the magnetic stripe of the card, which essentially contains a fairly simple method of protection. Until now, there are terminals and ATMs in the world that read only the magnetic stripe. By the way, it can be read as a skimmer, but more about this later.
After the stripe, the chips came (this is what the bank card is authorized through now). Approximately similar chips you see on SIM cards. This is a full-fledged computer without a clock generator (it comes with power from the motherboard). The main function of the chip is to contain internal storage, where the certificate is located, allowing you to generate one-time keys. When you attach or insert a card at ATMs, you are working with the chip, not the magnetic stripe.
So what about skimmers?
Fraudsters can install a reader next to the card reader. Bank uses anti-skimming equipment, which is designed to take into account various scenarios used by fraudsters to deceive the client. Additionally, other technical methods are used, including ATM self-testing, notifications about the correct appearance, panels that make it difficult to install external devices, and so on. For example, the card enters the device slowly, as it makes oscillatory movements in order to prevent reading data from the magnetic stripe. This is done on all our ATMs, but it does not mean that it is done on all ATMs of all banks. Therefore, a universal recipe: if possible, use NFC.
Why we recommend using NFC
The NFC module uses the EMV standard. EMV (Europay + MasterCard + VISA) is an international standard for transactions on bank cards with a chip. This standard was originally developed by a joint effort of Europay, MasterCard and VISA to improve the security of financial transactions. The EMV standard defines the physical, electronic, and informational interaction between a bank card and a payment terminal for financial transactions. For a contactless session, algorithms similar to the contact session are used, but the only difference is in the method of transmitting information. For example, if a connection is lost in the middle of a transaction, the kernel has Recovery functionality, which guarantees high reliability of operations.
Total — get in the habit of attaching the card to the ATM. As I said above, our technologies equally protect the client who inserts the card and the client who applies it. But contactless technology has a significant advantage: you will definitely not forget the card in your device.
How many people forget their card at the ATM?
More than it looks. This is not something out of the ordinary, but a standard ATM function. The forgotten card will be returned to the ATM, then you will need to reissue it or, if this happened at the bank's office, go with your passport to the employee to get it from the ATM.
Using NFC, the number of cards left at the ATM has more than halved over the year (from October 2019 to October 2020).
And the pin code — is it transmitted safely?
This has nothing to do with NFC, but I will still say that the keyboard on which you enter the pin code encrypts it. Encryption ensures that the entered PIN code does not appear anywhere. However, the operation itself is encrypted with keys, and the ATM does not store any information. Instead, it goes through secure communication channels directly to the bank and is already checked for authenticity there. Everything happens in real time. It is important to note that this information is not stored anywhere and is inaccessible even to bank employees.
What do the bank's customers say?
We conducted a survey. The results are as follows:
- A lot of customers simply don't know about NFC technology and where to use it. In particular, that their card already supports NFC.
- Those who know about NFC, but do not use it anywhere else, are used to inserting a card and do not plan to change the standard way of working with an ATM. "I'm so used to it", "It's more convenient for me".
- Customers prefer to perform fewer actions, so they actively use NFC to pay for purchases, but for some reason they don't use it at ATMs. While contactless service is safe both from the point of view of hygiene and protection from viruses, as well as the safety of your data — because this way you will not forget the card in the device. "I didn't know I had a contactless card" was a common response.
I will say again: it is better to attach a card/gadget, because it is at least more convenient and safer.
How widespread is NFC technology in Europe?
Not very widely. Russia is an advanced country in terms of IT banking. In other words, what we have will be available in Europe in a year or two. Here's a recent post about trends during the pandemic.
I have a question…
Ask in the comments, but please note that ATMs are a topic with very strict restrictions on what I can tell you due to security requirements, so answers will come slowly and probably not to every question.
