Brother
Contactless interaction with an ATM is now becoming fashionable, and I prefer it myself, for very pragmatic reasons: no one will jam or grab your card.
Not that this happens to me often, or that I have reason to fear the card being seized, but a couple of times I have run into a long timeout on a frozen ATM, and I no longer want to stand there for a few minutes hoping to get the card back.
However, if you have a tokenized card (that is, one loaded into your phone or watch), then the contactless method is the only one available to you. The phone does not fit into the slot of the card reader; you cannot check it.
Today I will tell you about a small detail of how such a contactless scenario works.
In every case where I have come across a contactless ATM, all transactions were based on the so-called 2-tap scenario, i.e. the card reader had to be touched twice during the session. A less secure 1-tap (one-touch) design is also possible, though. What is the limitation, and why is two better (although less convenient for the client)?
Here's the thing.
Only a chip (EMV) card has a contactless interface. A magnetic stripe card cannot be contactless. And if the card is a chip card, then a transaction with it is a complicated thing. The data must be signed by the card, which means the data must be presented to it. A lot has to be presented: the terminal data (the ATM in this case), the amount, the type of operation (withdrawal, payment, or many other options), and the PIN for verification... In general, a whole novel in letters.
However, at the beginning of the scenario we still have no idea what operation we will be performing or for what amount, or whether it is a financial transaction at all. Yet we need to start the scenario somehow, and the ATM is most likely in the "Waiting for a card" state. To go further, we must know the card number, because the scenario then branches depending on the initial digits of the card number (the prefix). We can offer our own clients more services than we offer others. There can also be branching among "own cards": for example, some card products have more options than others. So it is not only important to trigger the start of the scenario; it is also vital to know which card (or token) we will be working with.
And it is for this that we need the very first tap (touching the reader with a card / phone).
Then almost everything is as usual: we collect information about what exactly the client wants and for what amount, and we fill in all the necessary internal buffers of the ATM. By the way, most likely we have not yet sent a single bit of information to processing about what we are doing with the client. First, all the necessary data has to be collected.
Only when we have found out everything and know the transaction amount and all the rest is it possible to send a request to the host.
But we have a chip card! We need to get a cryptogram (something like a signature) from it: the ARQC. To do this, all of this data must be sent to the card. This is where the second tap is required, and a new prompt screen asks you for it. You present the card, the data is transmitted to it and a cryptogram is requested... We receive it... And only now do we send this whole packet of data to processing, so that it can try to generate a transaction there.
There is a second option, in which we do not ask for a card signature. The difficulty here is that the corresponding signature and a number of other card data items are missing. But there is information that payment systems turn a blind eye to this gap specifically for cash withdrawals, understanding the difficulties associated with implementing the scenario. This is where we get the 1-tap scenario.
However, if something goes wrong, the evidence base for such a transaction is rather small compared to a full-fledged chip transaction. There is no cryptogram and no confirmation that the operation is legitimate. Of course, it is not so easy to dispute this transaction, but, strictly speaking, not everything was done according to the standard. Therefore, banks avoid single-tap scenarios, and you are asked to present the card a second time.
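The difference between the two flows from the host's point of view, as an added example that is not part of the original post. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the terminal ID, test PAN and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Card:
    pan: str
    key: bytes    # stand-in for the card key the issuer can also derive
    atc: int = 0  # transaction counter, incremented per cryptogram

    def tap_read_pan(self) -> str:
        # Tap 1: the ATM only learns which card it is talking to.
        return self.pan

    def tap_sign(self, data: bytes):
        # Tap 2: the card signs the collected transaction data.
        self.atc += 1
        msg = self.atc.to_bytes(2, "big") + data
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()[:8]

def pack(req: dict) -> bytes:
    # Fields the cryptogram covers: terminal, operation, amount, nonce.
    fields = (req["terminal"], req["op"], str(req["amount"]), req["nonce"])
    return "|".join(fields).encode()

def atm_session(card: Card, op: str, amount: int, two_tap: bool) -> dict:
    req = {"pan": card.tap_read_pan(), "terminal": "ATM-0001",  # constructed id
           "op": op, "amount": amount, "nonce": secrets.token_hex(4)}
    if two_tap:
        req["atc"], req["arqc"] = card.tap_sign(pack(req))
    return req  # what the ATM sends to the host

def host_check(issuer_keys: dict, req: dict) -> str:
    if "arqc" not in req:
        return "no-cryptogram"  # 1-tap: nothing proves the card saw this request
    msg = req["atc"].to_bytes(2, "big") + pack(req)
    good = hmac.new(issuer_keys[req["pan"]], msg, hashlib.sha256).digest()[:8]
    return "verified" if hmac.compare_digest(good, req["arqc"]) else "mismatch"

if __name__ == "__main__":
    key = secrets.token_bytes(16)
    keys = {"4000000000000002": key}  # constructed test PAN
    card = Card("4000000000000002", key)
    print(host_check(keys, atm_session(card, "withdrawal", 5000, two_tap=True)))
    print(host_check(keys, atm_session(card, "withdrawal", 5000, two_tap=False)))
```

In the 2-tap request, any change to the amount or operation after the second tap makes the host's check fail; in the 1-tap request the host has only the card number to go on.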