
From Pen to PIN
The move to Personal Identification Numbers for Retail Purchases and what it means for Consumers, Retailers and Banks

Nigel Beatty
Senior Consultant, EMV and Smart Cards

A Giant Leap?
In February 2002, APACS (the Association for Payment Clearing Services), which
represents the UK banks for payments, announced the timetable for the UK's migration
to the use of PIN as the standard method of confirming the identity of the cardholder
(cardholder verification) when debit or credit cards are used for retail purchases. In
co-operation with the retail community, the migration will commence in early 2003 with
a trial in the Northampton area and will be followed by a national rollout which is
planned to complete during 2005.
The UK represents one of the world's most sophisticated card payments markets, with
cards first being introduced in the 1960s. UK card purchases have traditionally relied on
paper signature checking to verify the cardholder's identity, but experience shows that
these checks are often cursory, sometimes non-existent and provide no more than
minimal protection against stolen cards being used for purchases. The only practical,
reliable method of cardholder verification currently available is PIN.
Behind this move is the continuing rise in UK card fraud. In 2001, the total reached
£410m [1], a 25% annual increase reflecting the continuing acceleration of fraud losses.
This trend has attracted government attention, not least because the ease with which
card details can be copied (skimmed to make duplicate cards or used in telephone or
internet transactions) or can be fabricated to make counterfeit cards has made card
fraud an easy target for organised crime.
Government pressure apart, the prospect of further rises in card fraud losses makes the
move to technologies that will eliminate a large proportion of this fraud now more viable
in terms of a business case. The estimated overall cost of £1.1bn starts to look like a
good investment, and if the experience of other markets where PIN at PoS has been
introduced is repeated, this will be justified: in France, the introduction of PIN (without
the other benefits of smartcard migration) cut PoS fraud from lost and stolen cards by
80%.
Many fraud countermeasures have been, and continue to be, introduced. These have included
the wider use of hot card files, updated daily and stored in point-of-sale (PoS) terminals
and more selective and targeted on-line authorisation, where the transaction details are
sent to the card issuer for checking. However, the most fundamental anti-fraud
programme was started in the mid-1990s, when the banks embarked on a trial of credit
and debit smartcards with embedded computer chips. These carry a smartcard
application based on the new global EMV standard for payment smartcards, named after
Europay, MasterCard and VISA, who jointly developed the standard. EMV smartcards can
prove, when used in a compatible PoS terminal, that the card is genuine. The trial was a
success and mass-issuance of smartcards began in the late 1990s. Phase 2 now starts
enhancing the technology to prove, in addition to the card being genuine, that the
customer is the rightful card owner.
[Figure: UK Card Fraud (£m), 1997 to 2001]


How Does It Do That?
The smartcard works by storing information securely for use during a transaction to
perform checks and processes using its internal microprocessor. One such item is the
cardholder's PIN, and the secure way it is stored in the smartcard means it can never be
revealed, although it can be changed (more on this below). The ability of the smartcard
to process data represents a fundamental change in the way PoS transactions are
conducted, since card issuers are now able to take an active role in deciding the outcome
of a transaction (including the decision on whether the transaction will be sent on-line
for authorisation) by having their smartcards carry out pre-determined actions using
information both stored in the card and provided by the PoS terminal at the time of the
transaction.
EMV smartcards can, in conjunction with the PoS terminal, check that:
a) the organisation that issued the card is bona fide and has been certified by the card
scheme whose brand (e.g. VISA) appears on the card
b) the smartcard is genuine, because it contains secret keys that could only have been
placed there by the card issuer
c) the data stored in the smartcard has not been tampered with.
This is achieved using a technique called Public Key Cryptography, in which related
pairs of Public and Private Keys are used to create and then recover other keys or data
from digital certificates or digital signatures stored in the card. The hierarchy of trust
that is established to implement the Public Key Infrastructure (PKI) with the card
scheme at its top ensures authentication of all parties involved in the transaction and
ultimately of the smartcard itself. In addition, every time a transaction using the card is
sent on-line for authorisation, separate cryptographic checks are used to provide mutual
authentication between the card and the card issuer.
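To make the hierarchy of trust concrete, here is an added example (not from the article or any EMV specification) that models checks a) and c) in Python: the terminal holds only the scheme's public key, uses it to validate the issuer's certificate, and then uses the certified issuer key to check that the card's static data is unmodified. The keys are deliberately tiny textbook RSA built from Mersenne primes, and the PAN, expiry and certificate layout are constructed; real EMV keys are far larger and use a padded, structured certificate format.

```python
import hashlib

# Constructed example: tiny textbook-RSA keys so it runs offline instantly.
# Real EMV certificates are padded, structured objects, not a raw hash mod n.
E = 65537

def make_keypair(p, q):
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)              # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def encode_pubkey(pub):
    return f"{pub[0]}:{pub[1]}".encode()

def decode_pubkey(blob):
    n, e = blob.split(b":")
    return int(n), int(e)

# Card scheme CA at the top of the hierarchy; terminals are preloaded with its
# public key. The scheme certifies the issuer's public key (hypothetical keys).
SCHEME_PUB, SCHEME_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
ISSUER_PUB, ISSUER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

def personalise_card(pan, expiry):
    """Data the issuer places on the chip: static data, the scheme-signed
    issuer certificate and the issuer's signature over the static data."""
    static = f"PAN={pan};EXP={expiry}".encode()
    issuer_blob = encode_pubkey(ISSUER_PUB)
    return {"static": static, "issuer_pub": issuer_blob,
            "issuer_cert": sign(SCHEME_PRIV, issuer_blob),
            "static_sig": sign(ISSUER_PRIV, static)}

def terminal_authenticate(card, scheme_pub=SCHEME_PUB):
    """Offline checks a terminal can make with only the scheme public key:
    (issuer certified by the scheme?, card data unmodified since issuance?)"""
    issuer_ok = verify(scheme_pub, card["issuer_pub"], card["issuer_cert"])
    data_ok = issuer_ok and verify(decode_pubkey(card["issuer_pub"]),
                                   card["static"], card["static_sig"])
    return issuer_ok, data_ok
```

A forged card carrying an issuer key the scheme never certified fails the first check, and a genuine card whose static data was altered fails the second, which is exactly why the terminal needs no on-line contact for either decision.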
To prove the identity of the cardholder during a purchase, the retailer enters the
purchase amount or it is calculated by the till as usual. The cardholder then confirms the
transaction by punching their PIN into a PIN Pad with a calculator-like keyboard which
is shielded from view and either built into the terminal or connected by a cable. The
terminal securely sends the PIN entered by the cardholder to the card where it is
compared, within the smartcard itself, to the stored PIN. If correct, the purchase
proceeds; if not, the cardholder may have another chance to enter their PIN but, just
like at a cash machine, three wrong PINs will lock the card which will then need to be
unlocked before it can be used for purchases again. The stored PIN is never revealed to
the outside world during this process.
Using EMV smartcards, therefore, two factors which decide the result of a transaction can
be determined locally, without contacting the card issuer: are both card and cardholder
genuine?
Confusion for Consumers?
Most consumers who use credit or debit cards for purchases also use a card at cash
machines (ATMs), where PIN is already the standard for verifying cardholder identity.
The ATM card they use is often the same debit card they could use to make purchases
(e.g. Switch, Delta) and therefore the PIN associated with that card is familiar to them.
However, many consumers hold more than one card (the average is 2.75 cards per
adult [2]) of different types and/or issued by different organisations: credit cards, debit
cards and charge cards issued by their personal bank, their employer's bank or a third
party (e.g. Goldfish). Often the cardholder will not know or will not have been issued
with a PIN for cards other than their ATM card, so the issues for consumers will arise less
from the mechanics of using a PIN at the point-of-sale than from keeping track of the
PINs for all their cards.


The industry is addressing this by enabling cardholders, from Day 1, to change their
PINs at ATMs, allowing them to set the same PIN for all their cards if they wish.
Discussions are continuing to ensure this works in practice: how, for example, to
provide this service at all ATMs, not just those operated by the card's issuer (some
issuers do not operate any ATMs).
Customer service procedures are also needed to support cardholders who have
locked-out their cards, accidentally or from genuinely forgetting their PIN. If they
remember the PIN, their card can be unlocked, but if they cannot recall or never knew
the PIN, it must be re-advised or a new PIN issued, and then the card used in a special
ATM transaction to perform the unlock.
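The PIN comparison, three-try lock-out and issuer-controlled unlock described in "How Does It Do That?" and in the customer-service paragraph above, as an added Python model that is not from the article: the card keeps the PIN and an issuer-shared key internally, the terminal sees only an accept/reject result, and an unlock or PIN change is accepted only when it carries a valid issuer MAC over a per-card sequence number. The MAC construction, the key and the command names are my assumptions, not EMV's actual secure-messaging format.

```python
import hmac
import hashlib

MAX_TRIES = 3  # from the article: three wrong PINs lock the card

class ChipCard:
    """Toy model of the card side of offline PIN verification (constructed)."""

    def __init__(self, pin, issuer_key):
        self._pin = pin                # never leaves the card
        self._issuer_key = issuer_key  # shared with the issuer only (assumed)
        self.tries_left = MAX_TRIES
        self.seq = 0                   # stops a captured unlock being replayed

    @property
    def blocked(self):
        return self.tries_left == 0

    def verify_pin(self, candidate):
        """Terminal sends the entered PIN; card answers 'ok', 'wrong' or 'blocked'."""
        if self.blocked:
            return "blocked"           # even the right PIN is refused once locked
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.tries_left = MAX_TRIES  # a good PIN resets the try counter
            return "ok"
        self.tries_left -= 1
        return "blocked" if self.blocked else "wrong"

    def _expected_mac(self, command):
        return hmac.new(self._issuer_key, f"{self.seq}:{command}".encode(),
                        hashlib.sha256).digest()

    def issuer_command(self, command, mac):
        """PIN Management Services command delivered via an ATM: the card
        accepts it only if the issuer's MAC verifies, so the ATM itself
        cannot unlock a card or set a PIN on its own authority."""
        if not hmac.compare_digest(mac, self._expected_mac(command)):
            return "rejected"
        self.seq += 1                  # consume this sequence number
        if command == "UNBLOCK":
            self.tries_left = MAX_TRIES
        elif command.startswith("CHANGE:"):
            self._pin = command.split(":", 1)[1]
            self.tries_left = MAX_TRIES
        else:
            return "unknown"
        return "ok"

def issuer_authorise(issuer_key, seq, command):
    """Issuer host side: produce the MAC that authorises one command for one card."""
    return hmac.new(issuer_key, f"{seq}:{command}".encode(), hashlib.sha256).digest()
```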
The Retailer Perspective
Overall, the outlook for the retail community is positive, in spite of the inevitable
teething troubles and a migration period of at least three years. A consensus among
retailers, banks and consumer groups will be necessary to ensure a consistent customer
message and experience and to manage the transition period, when some cardholders
will certainly forget or not know their PIN.
For PINs to be used, all point-of-sale equipment, owned by banks or retailers, needs to
be upgraded or replaced to introduce PIN pads. While the benefits for the banks are
clear, there are also significant retailer benefits. These are widespread, for example:
simpler point-of-sale procedures, because assistants will no longer be required to make
decisions based on paper signatures; reduced liability for fraud, since the presence of
card and cardholder can be proven; faster checkout times (particularly important for
supermarkets); and the promise of higher floor limits resulting from the reduced fraud risk
and therefore fewer transactions needing on-line authorisation by the card issuer.
Another key area where PIN will benefit retailers is enabling the wider use of unattended
terminals, where previously there was no means of verifying cardholder identity;
opportunities for card acceptance at unmanned petrol stations, vending, car parks and
many other sectors will develop.
What the Banks Must Do
Banks in the cards business play a card issuer and/or a transaction acquirer role, having
relationships with cardholders and retailers respectively. Another acquirer group are the
operators of ATMs, although most of these are also card issuers. The processes for
issuing cards and the underlying security processes will undergo significant change, as
will the cards themselves, leading to the eventual replacement of the entire UK
cardbase, including existing smartcards.
Other than point-of-sale upgrades, the introduction of PIN for purchases will not have a
major impact on systems that are now in place for processing retail transactions,
providing these are already upgraded to smartcard capability, nor will existing ATM
transactions be affected.
Another area where major change will be required is in the provision of PIN Management
Services (PMS) for changing and unlocking PINs. PMS will be delivered through the ATM
network and will use new, specially designed transaction types. Card issuers, networks
(e.g. LINK) and ATM operators will need to introduce PMS to ensure that the introduction
of PIN for purchases is successful, gains cardholder acceptance and will continue to
operate with minimum disruption and cardholder confusion.

[1] Source: APACS
[2] Source: APACS/Office for National Statistics




Nigel is an experienced business consultant with a broad and extensive knowledge of the payments industry.
He has worked with clients providing consultancy at senior levels within some of the UK's leading financial
institutions and has particular expertise in the area of EMV smart cards. Nigel works with clients to develop
strategies, define business cases and deliver solutions throughout the electronic payments industry.
