Plastic Money

Plastic Money

[ From chapter-9 of the book "Information Technology in Banking" written by Abul Kashem Md. Shirin and Nusrat Tamanna Prianka and published by Institute of Bankers, Bangladesh (IBB) ]

Plastic Money is designed for cashless payments and getting cash from one’s bank account with ATMs all over the world. It is the most convenient way to carry money. It is safer to carry than to carry the paper notes. ATM around the world accept plastic card and dispense required amount of money. Plastic card can also be used for payment for most good and services although there may be a lower and upper limit of transaction. Bank charges on plastic transactions can often work out less than commissions on purchases of traveler’s cheques.

Today it is already impossible to imagine modern bank operations, commercial transactions and other payments without using the plastic cards. Plastic money due to reliability, universality and convenience, which won the deserved recognition all over the world, have received a wide circulation.  So, now, the Visa cards holders' number makes more than 300 million. Also, about 300 million clients are totaled by other largest payment system presented as MasterCard and EuroCard alliance.  Besides there are a lot of international payment systems, such as American Express (AmEx), Diners Club (DC), JCB, and numerous national, regional and local (inter- and mono bank) one-currency systems.

Approximately 90% of adults hold one or more cards in UK and USA.

In the sphere of financial services in Bangladesh during the last few years, the new kind of payment means – “Q-Cash”  and “Cash Link” is used on the plastic cards base (magnetic and chips) in addition to the proprietary cards of Dutch-Bangla Bank, and branded cards from VISA and MasterCard issued by different banks.

1.         Plastic money types

           

There are many varieties of plastic money, as listed below:

           

a)         Credit Cards

Credit cards are issued once the customer has entered into an agreement with the credit card company. The card permits the customer to buy goods and services straight away up to an agreed amount. The customer then decide over what period to repay the money owed plus interest on the amount spent. A monthly statement is sent to the customer showing his account details, what he spent, where, on what date and how much is owed. The full amount can be re-paid which may mean the customer would avoid any interest charges or if he chooses to repay a lesser amount he will incur interest charges. Most Credit card companies have a set minimum payment this is usually Tk.500/- or 5-10% whichever is greater of the money the customer owe each month. Interest will then be charged on the outstanding debt each month. A credit card can usually be used in ATM but higher rates of interest may be charged on cash withdrawals. Some credit card companies offer gold, platinum and standard credit cards. All the cards provide credit facilities but each type of card has different conditions and benefits.

b)         Debit Cards

These cards are a substitute for using cash or writing a cheque. The money is taken directly from the customer’s bank account. The card can be used in ATM machines allowing them to withdraw cash from their own bank account and it is also used in POS terminals to pay for goods & services.

c)         Payment, Pre-Paid or Electronic Purse Cards

These are cards that the customer load with cash and they then use the card as an alternative to cash. These are generally used for small purchases or to buy on the Internet.

d)         ATM Cards

These are also known as a cash card, cash dispenser card or cash machine card. A plastic card is used in an ATM for cash withdrawals and other banking services.

e)         Charge Cards

This is a card similar to credit card with a credit limit, however unlike credit card the account normally has to be settled in full at the end of each month. Usually there is an annual fee for having use of this credit facility.

f)          Store, Budget or Option Cards

These cards offer a form of credit. Stores or retail groups issue them. The card is used to purchase goods from the store or one of the stores in the retail group. The customers are sent a monthly bill and interest is usually charged if he doesn’t pay back all he owes each month.

2.         Benefits of Plastic Money

a)         Benefits for Customers

Carrying less cash is safer for the customers. In case of Debit Card, a Personal Identification Number (PIN) ensures secure access to their checking accounts.

The customers won't be limited to cash on hand with the use of the Plastic cards. And they won't need to remember to carry cheques / cash.

Customers speed through checkout lines faster with their Plastic cards. There is less change to be made and no cheques to write and approve.

b)         Benefits for Merchants

Whether there is a new business or an established enterprise, card acceptance will likely have a big impact on the bottom line. Here are some of the benefits of card acceptance by the Merchants:

1. Increased Sales

Consumers spend more when they're not constrained by cash on hand. Also customers may visit the merchants store more often.

2. Customer Satisfaction

The customers will appreciate the fact that the merchants allow them the flexibility to pay the way they want to pay— including by credit or debit card. Happier customers are more loyal customers.

3. Speed of Checkout

Checkout with rapid electronic payment will bring speed to the customers. No more counting change or waiting is required while customers write cheques.

4. Improved Efficiency

Card transactions today are conducted electronically. These paperless payments can save time and money by minimizing cash handling and payment reconciliation, giving more time to do more important things—like managing and growing business.

5. Safety

With lower volumes of cash, Merchants are less vulnerable to theft and pilfering.

6. Currency Conversion

Electronic payments through most of the branded Plastic money are settled in the currency in which the merchant sells his goods and services, regardless of where the cardholder is from.

7. Safer than Cash or Checks

Because transactions are 100% online, debit card reduces risk of bounced cheques and disputes.

8. Reduced processing & collection cost

When customers use their Debit/Credit cards in ATM instead of using at POS terminals or presentment of cheques, the Merchant’s bill/cheque processing and collection costs are reduced.

3.         Issuer and Acquirer

The Bank or an organization which issue card is called issuer. If you are having a credit / debit card of DBBL, your issuing bank is DBBL.

The Banks or payment organizations which install POS terminals at merchant locations or ATM are called Acquirer. If you are using a card of DBBL at an ATM of BRAC Bank, the acquiring Bank, in this case, will be BRAC Bank. If you have asked for an amount of Tk.10,000 at the ATM, but ATM dispenses less money whereas your account has been debited in full, you have to log complain with your issuing bank, not with the acquiring bank.

4.         Terminology for Card transactions at ATM and POS terminals

4.1.      On-us transaction

In a transaction, if the issuing and acquiring banks are same, then the transaction is called ON-US transaction. For example if a customer of Bank-A, makes a transaction at the ATM / POS of the same bank (Bank-A), then the transaction is termed as on-us transaction.

4.2.      Off-us or Not on-us transaction

If customer of another bank makes a transaction at the ATM / POS of our Bank, the transaction is called off-us or not on-us. For example if a customer of Bank-B makes a transaction at the ATM / POS of Bank-A, then the transaction is termed as off-us or not on-us at Bank-A. However this transaction will be termed as remote on-us at Bank-B.

4.3.      Remote on-us transaction

If customer of our bank makes a transaction at the ATM / POS of their Bank, the transaction is called remote on-us at our bank. For example if a customer of Bank-A makes a transaction at the ATM / POS of Bank-B, then the transaction is termed as remote on-us at Bank-A. However this transaction will be termed as off-us or not on-us at Bank-B.

4.4.      Interchange fee:

If a customer of Bank-A makes a transaction at the ATM of Bank-B, then Bank-A will pay a charge to Bank-B. The Bank-A will realize such charges (normally more than this amount) from the customers.

On the other hand, if a customer of Bank-A makes a transaction at the POS of Bank-B, then Bank-B will pay a charge to Bank-A. The Bank-B will realize this charge from the sale proceeds of the POS merchant, which is called merchant commission.

The above charges payable by one bank to another bank is called interchange fee. The interchange fee is fixed by international payment associations like MasterCard, Visa, Dinar Club, Discover, JCB and may vary for local and international cards, EMV and non-EMV cards (for EMV please see section 4.5 of this module). The interchange fee may be determined by local payment association like DBBL-Nexus, Q-Cash, Cash-link or Omnibus.

A chart of various interchange fees is given below:

Interchange fee for ATM transactions:

Card Type			Interchange fee
MasterCard – ATM	International	Non-EMV	USD 1.25
		EMV	USD 1.25
	Local	EMV, Non-EMV	Taka 40.00
Visa  – ATM	International	Non-EMV	USD 1.25
		EMV	USD 1.25
	Local	EMV, Non-EMV	Taka 12.00

POS interchange fee (Visa):

Terminal	Card	Interchange Fee
EMV	EMV	1.00% (paid to Issuer)
EMV	Non-EMV	1.00% (paid to Issuer)
Non-EMV	EMV	1.20% (paid to Issuer)
Non-EMV	Non-EMV	1.10% (paid to Issuer)

POS interchange fee (MasterCard):

Terminal	Card	Interchange Fee
EMV	EMV	1.06% (paid to Issuer)
EMV	Non-EMV	1.06% (paid to Issuer)
Non-EMV	EMV	1.26% (paid to Issuer)
Non-EMV	Non-EMV	1.10% (paid to Issuer)

4.5.      Merchant Commission:

Bank provides POS terminals to the merchants (shops) free of cost. Bank also supplies necessary papers for POS terminal and performs regular maintenances. In lieu, bank realizes a commission from the sale proceeds of the merchant. This commission is called merchant commission. The merchant commission varies from merchant to merchant (based on total sale volume of the merchant), which ranges from 1.50% – 3.00 % for branded card, and from 1.00% – 2.00% from proprietary cards.

4.6.      EMV and Chip Card

The conventional cards contain magnetic strip at the back of the card which stores customer and card related information. Retrieval of information from a magnetic strip is easy. When the card is handed over to the merchant for transaction or used in the ATM, hackers can easily copy the information inside the magnetic strip and produce a duplicate card. Using this duplicate card, they perform fake transactions at the POS or ATM (if PIN can also be collected, which is not stored in the meg-strip). This type of fraudulent activities has been increasing day by day. To protect this, Europay, MasterCard and Visa jointly devised a security mechanism called EMV. EMV stands for Europay-MasterCard-Visa. In an EMV card the information are stored in the computer chip using some computer algorithm which is very difficult to copy and retrieve. Please note that both the normal chip card and the EMV card use computer chip, but the EMV card, in addition, has some computer logic prescribed and certified by Europay, MasterCard and Visa. Thus EMV card is most secured card in the world. Europay, a payment association, has been purchased by MasterCard.

4.7.      Liability Shifting

EMV has announced a rule called Liability Shifting, which said that if a fraud is occurred, the non-EMV party will always be responsible for the fraud, thus non-EMV party has be pay the fraud money to the EMV party. Thus if a customer uses an EMV card anywhere in the world, and if fraud occurs in any non-EMV ATM or POS terminals using his card number, the customer and his issuer are always safe.

If the ATM and POS are EMV certified, the MasterCard and Visa’s EMV technology guarantees that the fake card will not be accepted at these terminals as these terminals will never read the meg-strip part of an EMV card. If the ATM and POS terminals are not EMV certified, they will not be able to read the chip, rather will read the meg-strip part of an EMV card.

In Bangladesh, as of the year-2010, DBBL has issued EMV cards (both MasterCard and Visa) and also certified its all the ATMs and POS terminals from MasterCard and Visa for EMV.

4.8.      Charge Back

If a fraud occurs using a card of Bank-A at the POS/ATM terminal of Bank-B, Bank-A’s customer’s bank account or credit card account has been debited. Thus when the customer will receive his statement of account, he will find that some transactions are reflected in his statement which are not made by himself. He will, then, report this to his issuer (bank). The issuer will analyze the transaction and if found that as per the rule of the payment association they have the right to get the money back from the acquiring bank, they will bring the money back to their nostro account via the payment association. This process of bringing the money back is called Charge Back.

5.         Payment Associations

5.1.      International:

Plastic Money can be classified by payment associations / systems or card associations. The most famous payment associations / systems are MasterCard, Visa, Amex, JBC, Dinar Club, Discover and Union Pay of China. One card can be supported and serviced by only one payment system.

Some payment associations / systems can emit only cards of some types. For example American Express and Diners Club emit credit cards only, and others may emit only debit cards. World famous leaders such as VISA and MasterCard emit and support both types of cards.

It should be pointed out that credit cards of different systems are divided into classes. VISA has two main classes: Classic and Gold. MasterCard has Standard and Gold classes and American Express has Mass and Gold cards.

5.1.1.   MasterCard

The MasterCard story begins in 1966 when a group of banks created a member-owned association that later became MasterCard. In 1968 the company extended its presence to Mexico, Japan and Europe, marking the start of its commitment to becoming the leading global payments network. Through the 1980s, MasterCard continued to build on this promise, bringing the advantages of electronic payments to new regions and markets around the globe.

MasterCard integrated with Europay International in 2002, establishing a unified global corporate structure and also becoming a private share corporation.

Global Headquarters

Purchase, New York

Employees

Approximately 5100 (located in offices around the world) as of the year-2010.

Global Regions

MasterCard is organized geographically into the following regions: Asia Pacific Middle East Africa; Canada; Europe; Latin America; and the United States.

MasterCard Worldwide Brands

MasterCard is one of the most widely recognized credit and debit card brands in the world, representing instant buying power, immediate deposit access convenience, security worldwide, and flexible payment options.

Maestro is one of the most widely recognized global debit card. It is the only online, PIN-based debit brand that can be used to make purchases and get cash at ATMs worldwide.

Cirrus is the brand name that stands for the global MasterCard/Cirrus ATM Network, among the largest ATM networks in the world. The Cirrus brand represents immediate deposit account access convenience at more than one million cash machine locations worldwide.

Membership:

Through the thousands of financial institutions that are MasterCard’s customers, the company markets a strong portfolio of brands and products worldwide, including MasterCard, Maestro, Cirrus, MasterCard Debit and MasterCard PayPass.

MasterCard provide two types of membership – Principal Member and Associate Member. Principal Member is a direct member and it has direct connectivity with MasterCard network using a MIP (MasterCard Interface Point) which needs to be established at the Data Center of the Member Bank. An Associate Member does not need to setup MIP and thus it routes all the transaction through a Principal Member to which it is an Associate Member. The Associate Member also needs to pay less membership fee and charges.

5.1.2.   VISA

Visa is a global payments technology company that connects consumers, businesses, banks and governments in more than 200 countries and territories worldwide. Visa Inc.’s headquarters are in San Francisco. Visa has approximately 5,500 employees around the world as in the year-2010. They operate three data centers on two continents. Visa Europe is a separate membership entity that is an exclusive licensee of Visa Inc.’s trademarks and technology in the European region.

Today, Visa network spans:

   •   15,900 financial institution customers
   •   1.7 million  ATMs²  (as of March 31, 2010)
   •   200 countries and territories
   •   1.8 billion Visa cards (as of March 31, 2010)

Visa Products:

Credit Products:

Visa offers various VISA credit cards such as Visa Platinum, Visa Signature and Visa Infinite. All Visa credit cards come with standard benefits and features, including Auto Rental Collision Damage Waiver, Emergency Card Replacement and Zero Liability protection that safeguard cardholders against unauthorized purchases.

Debit Products:

Visa debit cards such as Visa Electron and Visa Debit are safer than carrying cash, more convenient than writing cheque. Visa debit cards offer security protections that help prevent, detect and resolve fraud, including continuous fraud monitoring and coverage by Visa’s Zero Liability policy, which protects cardholders from unauthorized charges.

Pre-paid products

Visa provides a wide range of Visa prepaid cards and services through retailers, financial institution branch offices, employers and government agencies, including:

·            Visa reloadable prepaid cards

·            Visa Gift cards

·            Visa TravelMoney cards

·            Visa Healthcare cards

·            Visa Payroll cards

·            Visa Incentive cards

·            Visa Government Disbursement cards

·            Visa ReadyLink, Visa’s prepaid reload network

Recent Innovations:

Recent innovations pioneered by Visa include:

• Mobile Payments and Services — As the number of mobile devices continues to grow, Visa is working to extend its products and services through the mobile channel. In developing economies where phone penetration is significantly higher than bankcard penetration, mobile technology represents an opportunity to leapfrog a generation of financial services and payment products, allowing consumers to use a mobile device to access and transfer funds, make payments, pay bills or top-up wireless air time. In developed economies, Visa has an opportunity to deliver mobile services that enhance the consumer payment experience, including merchant offers that are tailored to consumers' lifestyles and locations, transaction alerts and mobile payments at the point of sale and on-the-go.

• Money Transfer — Visa Money Transfer is a person-to-person payment platform that enables the transfer of funds from account to account securely and quickly using the Visa network.

• eCommerce — Visa is one of the most widely accepted payment brands online. Visa protects online transactions through multiple layers of security, including Verified by Visa, allowing issuers to authenticate cardholders in online transactions.

• Chip Technology — In a number of regions, Visa supports the deployment of chip technology, whether EMV contact chip or contactless Visa payWave. Chip cards have a small, powerful embedded microprocessor that can provide enhanced security and increased transaction speed. This chip can also carry other applications that enhance the consumer payment experience such as merchant loyalty programs. Chip card technology can also expand the use of Visa payments to new acceptance environments such as transit, vending and parking.

History and Milestones

1958:   Bank of America launches the BankAmericard in Fresno, Calif., with an innovative “revolving credit” feature.

1974:   The International Bankcard Company (IBANCO) is formed to administer the BankAmericard program internationally.

1975:   The first debit card launches.

1976:   BankAmericard changes its name to Visa — a simple, memorable name that is pronounced the same in every language — and adopts the blue-and-gold flag.

1983:   Building on “anytime, anywhere” promise, Visa launches a global ATM network, providing 24-hour cash access to cardholders across the world and contributing to the convenience of modern business and leisure travel.

1995:   Visa co-develops industry-wide chip card specifications, Europay/MasterCard/Visa (EMV), to ensure that all chip cards will operate with all chip-reading terminals.

2007:   Visa launches the Visa mobile platform, a business and technology framework for facilitating the adoption of mobile payments and value-added services.

2007:   Visa announces the completion of the company’s corporate reorganization, creating a new global corporation called Visa Inc. with Visa Europe remaining a separate entity.

5.2.      Local payment associations and ATM Networks:

5.2.1.   DBBL Nexus:

DBBL-Nexus is an ATM network owned and operated by Dutch-Bangla Bank Limited. It has more than 1200 ATMs connected to its network at the end of year-2010. Twenty Banks are sharing this network. The customers of these banks can use the ATMs to withdraw money using their debit cards.

5.2.2.   BEPS:

BEPS was formed by Bangladesh Electronic Payment Systems as Visa credit card processor in year-2003. Some local banks became member of BEPS and start issuing Visa Credit Card without investing on Credit Card System (hardware & software) and card personalization system. BEPS was responsible to personalize card, host the card information & PIN, and authorize the transactions on behalf of the member banks. BEPS also deployed some POS terminals in the market. Q-Cash acquired BEPS in the year-2008.

5.2.3.   Q-Cash

Q-Cash was formed by IT Consultants Limited (ITCL) in 2001. At present Q-Cash installed around 250 ATMs throughout the country (in the year-2010). Initial member Banks were AB Bank, Eastern Bank, IFIC Bank, Jamuna Bank, Janata Bank, Pubali Bank, Shahjalal Bank, Sonali Bank, Mercantile Bank, Mutual Trust Bank, National Bank, Trust Bank and Uttara Bank. Now (in the year-2010) more than 20 banks are members of Q-Cash network. Customers of the member banks can withdraw money from any Q-Cash ATMs at a fixed interchange rate. Q-Cash has also card personalization system. They can also host data and PIN in the switch, and can pre-authorize transactions on behalf of the members Banks. Pre-authorization includes validation of cards and PIN. Final authorization which includes debiting bank account, is done at the individual bank’s core banking system.

Q-Cash is a processor for ATMs. ITCL acquired BEPS in 2008 and thus Q-Cash become Credit Card Processor also.

5.2.4.   E-Cash:

E-Cash is an ATM Network which was established by ETN (Electronic Transaction Network) in 1999. The initial members were Islami Bank, NCC Bank, Bank Asia, Dhaka Bank, National Bank, Al-Baraka Bank, Southeast Bank and Credit Agricole Indosuez. ETN has initially installed 21 ATMs. ETN had card personalization system, and as such were able to personalize cards. They were also able to host data and PIN at their switch, and pre-authorize transactions on behalf of the members Banks. The final authorization was done at the E-cash system where the member banks had access to upload periodic balance of their respective cardholder’s account balance.

5.2.5.   Cashlink:

Cashlink was formed in 2008. Later on they have acquired E-Cash in 2009. The current members are: AB Bank, Islami Bank, Bank Asia, Dhaka Bank, Social Islami Bank, Southeast Bank and Agrani Bank. Currently (in 2010), they have more than 120 units of ATM in their network.

5.2.6.   Omnibus:

Omnibus is an ATM Network initiated by BRAC Bank in 2007. As of now (2010) it has more than 250 ATM in its network. BRAC Bank, One Bank, UCBL, Eastern Bank and Rupali Bank are the member of Omnibus network. In addition, all the member banks of Q-Cash and Cashlink have access to Omnibus ATMs.

5.2.7.   Joining, monthly and transaction fee:

The various fees and charges for joining a network and the fees to be paid on monthly basis and transaction basis as was set by the respective banks/companies in the year-2010 is given below:

Fee type	DBBL-Nexus	Q-Cash	Omnibus	Cashlink
Joining fee payable by member bank	Nil	Nil	Taka 10,00,000 or Nil if Bank has at least 1 ATM	Nil
Monthly fee payable by member bank	Nil	Taka 250,000/-	Nil	Slab-1: 0 – 14,999 transactions: Tk.150,000/- Slab-2: 15,000 – 29,999 transactions: Tk.100,00/- Slab-3: 30,000 or more transactions: Nil
Processing fee payable by member bank	Nil	Taka 5.00	Taka 3.00	Taka 3.50
Acquirer fee	Taka 10.00	Taka 2.50	Taka 6.00	Taka 3.50
Issuer fee	Nil	Taka 2.50	Taka 6.00	Open to Bank to set
Total	Taka 10.00	More than taka 10.00	More than taka 15.00	More than taka 7.00

Source: Cashlink, 2010

6.         Income from Credit Card Business:

There is a variety of incomes for the issuer and acquirer such as interest income, annual card fee, interchange income, cash withdrawal fee, late payment charges, foreign exchange income etc., as may be seen from the following chart:


6.1.      Sources of income from Debit Card issuing (payable by cardholder):

1.         Card issuance fee

2.         Annual / Renewal fee

3.         Card replacement fee

4.         PIN re-issue fee

5.         As issuer of debit card, the bank’s low cost deposit increases significantly which indirectly contribute to generation of income for the bank.

6.2.      Sources of income from Credit Card issuing (payable by cardholder):

1.         Card issuance fee

2.         Annual / Renewal fee

3.         Card replacement fee

4.         PIN re-issue fee

5.         Interest on Outstanding debit balance

6.         Late payment fee

6.3.      Sources of income from ATM acquiring (Payable by cardholder / issuing bank)

1.         Interchange fee (if the cardholder of another bank is using the ATM)

2.         Cash advance fee (If a credit card holder withdraw money from ATM)

3.         Consumer paper fee (fee for taking paper slip)

4.         Video retrieval fee (retrieval of CCTV video as per customer’s demand)

6.4.      Sources of income from POS acquiring (Payable by Merchant / Cardholder)

1.         1.50% – 3.00% commission on the sale value (payable by Merchant)

2.         Exchange earning in case of foreign transactions (realizable from Cardholder)

7.         Technology related to Plastic Card

7.1.      Plastic

Plastic card is a plate with standard dimensions (85.6 mm. x 53.9 mm. x 0.76 mm.) produced from special, mechanic- and thermo-resistant type of plastic used to store information.

7.2.      Magnetic Strip and Micro Chip

As electronic data media, the cards are divided into magnetic strip cards and integrated chip (microprocessor) cards. The first ones are called magnetic cards, the other ones are smart cards, or chip cards.

Cards with a magnetic strip are the most widespread today – circulation is over two billions. The magnetic strip settles down on the back side of a card and, according to standard ISO 7811, will consist of three tracks. First two of them are intended for storage of the identification data, and on a third it is possible to write down the information (for example, the current value of a limit of a debit card). However because of low reliability of repeated process of recording / reading, recording on a magnetic strip, as a rule, is not practiced, and such cards are used only in a mode of reading of the information. However such type of cards is rather vulnerable for swindle. In the USA in 1992 the total damage from frauds with credit cards with a magnetic strip has exceeded one billion dollars.

On a magnetic strip card the following data is provided:

a)         on a card’s face one can find:

·         Owner's name

·         Card number

·         Card’s validity

·         A logo of a card’s issuing bank

·         Payment system logo

Some cards have holograms for extra protection.

b)         on the opposite side there are:

·         A place for an owner’s signature

·         Magnetic stripe

·         Owner’s photo (in some cases)

·         Logos of ATM networks where the owner can perform operations with the card

Card number consists of 16 digits:

·         The first six digits- a code of an Issuing Bank

·         The following nine numbers – card’s bank number (card account number)

·         The last one - control digit

In smarts cards a data carrier is the microprocessor / micro-chip - the memory size of which can store from 32 bytes up to 16 kilobyte. This memory supposes unitary recording and repeated reading, or admitting both repeated reading, and repeated recording.

Smart cards were invented in the early 1970s. In the mid-1980s, French banks began widespread use of the technology as retail transaction debit cards.

The microprocessor allows to take certain actions on the data stored in the card via the card’s operating system with multiple functions for memory and service control and security measures.

The microchip embedded in smart cards can be a simple memory-only device (also called IC cards for integrated circuit) or a complex read/write microprocessor (also called a central processing unit or CPU). Now-a-day normally Chip is available with eight kilobytes storage capacity, which can hold 1,600 words of text or a digital snapshot of a fingerprint, palm print or retinal scan. It is predicted that 16-kilobyte chips will be available soon and that a 64-kilobyte chip will be produced sometime in the next decade - the sky is the limit.

Encryption makes access control applications more secure. One can set up his reader so that it requires a cryptogram to be correctly passed between the card and the reader - like a challenge and response. The reader will challenge the card with a number and the card has to encrypt it and send it back to the reader. The reader checks the response to see if it is correct. Only an authentic card will know how to encrypt it because it is the only one that knows the particular encryption keys that have been set up for that application.

7.3.      Personalization of plastic cards

Depending on the type and purpose of plastic cards, one can choose various types of personalization:

-          Encoding of chip-module

-          Recording on magnetic strip (HiCo, LoCo)

-          Imprinting of unique numbers (pin, login) covered with scratch-strip by means of thermo-printer or bubble jet

-          Embossing with tipping

-          Imprinting of bar code

Encoding – Recording of information on the magnetic strip or micro chip.

LoCo – Low-coefficient magnetic strip (300 oersted).

HiCo – High-coefficient magnetic strip (noiseproof, up to 4,000 oersted) with high resistance to magnetic fields, i.e. information that is protected on a magnetic strip is difficult to delete using a magnetic field.

Embossing – A method of mechanically pressing information comprising from letters and digits onto a plastic card; allows significantly faster payment by imprinting a slip on it.

Tipping – Covering embossed symbols with a painted film to stand out from the background images of a plastic card; most often uses gold, silver or other metallic colors; The needed brightness is achieved by adding black or white paint.

Signature strip – A special strip on a card for inputting a signature or other information; can be with or without captions that prevent the signature to be rubbed off.

Hologram – A holographic sticker that is pressed onto a card under high temperature; functions as an additional level of protection from creating imitation cards; comes in two types, 2D and 3D.

8.         Fraud in Plastic Money

Scams targeting plastic money are on the rise, and are becoming more sophisticated by the day (Wahyoe Boediwardhana and Urip Hudiono, 2005). In the early days of credit cards, conmen only had to use a little sleight of hand to steal and then forge the holder's signature. But protecting the card now is much more difficult.

The `pickpocket' method was used back in the 1980s. Now they are deploying state-of-the-art equipment in their scams. In this digital age, credit card fraudsters now use "skimmer" machines to read and duplicate the personal data encrypted in the magnetic strip of a card. They do not even have to get hold of the card anymore, as they can tap directly into telecommunication lines used for credit card transactions and intercept card data. Meanwhile, as using credit cards for online transactions becomes more common, "phishing" techniques have also developed, in which conmen claiming to be employees of credit card issuers contact unsuspecting card holders and sweet talk their way into obtaining data. In the end, everybody loses -- card holders get huge bills, and then complain bitterly to credit card issuers.

Acting on the situation, the central bank of Indonesia (Wahyoe Boediwardhana and Urip Hudiono, 2005) had recently issued a regulation requiring that all credit card issuers in the country utilize credit cards that use "smart chips" instead of magnetic strips by year 2006. The country's criminal justice system will also act on credit card fraud ensuring that all district court judges are trained to handle credit card fraud cases and that they hand down deterrent sentences. The Bandung District Court in Indonesia recently sentenced a credit card fraudster to four years in jail, while the Denpasar district court sentenced another to three years.

Plastic card fraud was one of the fastest growing crimes in the UK in the late 1980s and early 1990s (APACS, 2004(2)). Losses more than doubled over the period reaching just over £165 million in 1991. The major banks and building societies agreed that collective action was necessary to stem the losses and in September 1990 they formed the Plastic Fraud Prevention Forum (PFPF).

The immediate measures introduced by the industry (banks, payment systems etc.) in the early 1990s focused on those areas where most fraud was committed, i.e. on lost/stolen cards being used over the counter in shops and stores. Initiatives included:

·         The introduction of lower floor limits (the amount above which a retailer needs to seek authorization from the card issuer) particularly in fraud-prone retail sectors, so that more transactions had to be referred for authorization.

·         Use of 'hot card files' - lists of cards reported lost or stolen - broadcast electronically to the point-of-sale (POS) terminals so that retailers could check a card automatically.

·         Delivering cards to the customer using more secure forms of delivery.

·         Enhancement of security features within the card. These include the hologram and information enhancements to the magnetic stripe.

·         Working with retailers to encourage co-operation with the introduction of POS initiatives.

·         Dialogue with police of all levels.

·         Promoting practical advice for cardholders and good practice for retailers through campaign.

The success of the above initiatives leads the fraudsters to targeting new areas such as:

8.1.      Counterfeit

Counterfeit is the fastest growing fraud-type. Cards used to perpetrate fraud are generally lost or stolen cards which could be used intact or altered by re-embossing and re-encoding, or counterfeit cards that are entirely new. In order to counterfeit a card it is necessary to know the details of a current valid cardholder -- hence the desire of offenders to obtain legitimate credit card details from sources such as the Internet (a method which is being used increasingly by offenders throughout the world). Blank, white plastic cards are then embossed with stolen numbers, the magnetic stripe is encoded with matching numbers, and the signature panel on the card installed. Identifying logos and color printing are added to mimic a real card.

Sometimes information on the card's magnetic strip is obtained by "card skimming". This is when a legitimate card is obtained for a few seconds to enable it to be passed over a magnetic tape reader so that a counterfeit copy may be made.

Another technique is "buffering", which involves modifying the information stored in the magnetic strip of the card or obtaining security codes electronically.

Although magnetic stripe cards are relatively easy to forge, smart cards are more difficult to counterfeit, but there are claims that they are not absolutely tamper-proof.

To protect against it, chip cards built to an internationally-agreed standard are being introduced. Retailers are also being trained in techniques for spotting counterfeit cards.

8.2.      Application Fraud

Frauds relating to the issue of cards may be perpetrated in one of two ways:

First, so-called "true name fraud" occurs when an offender obtains the personal details of a real person and uses them to acquire credit cards in that name. The offender then uses the cards to purchase goods for which the liability passes to the legitimate cardholder.

The second type of fraud involves the use of false identification details, which are used to obtain a legitimate card in a false name by individuals who later default on payment and abscond.

Application fraud traditionally accounted for only a small percentage of plastic card fraud cases with card issuers being quite successful in taking preventive action. In England, for example, between 1991 and 1993, losses sustained through application fraud declined more than 50 per cent, due to a range of security initiatives (Newton 1995).

8.3.      PIN Fraud

Other vulnerabilities arise out of the way that the individual making use of the card authenticates his or her identity when using the card. This is mainly a problem with debit cards used in electronic card reading machines, which can verify the identity of cardholders by requiring them to enter a PIN or password. In order to enhance the security of the system, the user's PIN is encrypted before it travels through the network, thus making it difficult for the PIN to be discovered by hacking into the network.

A more substantial security risk arises from the manner in which the PIN is communicated to the cardholder, recorded and remembered by the cardholder, and used by the cardholder at a terminal during a transaction. Although cardholders are clearly warned of the dangers associated with disclosing their PIN, writing it on the card, or keeping it in the same place as the card, a considerable proportion of cardholders refuse to heed such advice, thereby placing themselves at risk of loss - for which they will be personally responsible.

8.4.      Card Not Present

The rise in sales transactions through internet payment gateway has led to significant growth in fraud where the card is not present. At present, most commercial transactions which take place on the Internet are undertaken by customers purchasing goods and services by disclosing their credit card details. It has been estimated that transactions valued at approximately $A640 million took place on the Internet in 1995, and by the end of 2005 global online commerce is expected to reach between $A97 billion and $A238 billion (Russell G. Smith, 1998).

Credit card information is illegally obtained either by hacking into databases of account numbers which are held by Internet service providers, or by intercepting account details which travel in unencrypted form. There are also many online scams perpetrated by customers who make use of false credit card details, as well as merchants who fail to honor online agreements.

The banking industry in UK implemented an automated system in 2001 to enable merchants to verify the billing addresses of cardholders and cross-check coded digits on cards to make these types of transaction more secure (APACS, 2004(2)).

9.         Plastic Money Fraud Prevention Strategies

There are four primary strategies which can be used to prevent plastic card fraud.

9.1.      Action by Card Issuers

Card issuers can adopt a wide variety of strategies to reduce the risk of plastic card fraud. The most pressing need is for financial institutions not to issue cards to individuals unless they are satisfied of their identity.

Various procedures could also be adopted to ensure that plastic cards are not stolen and that cards and PINs are communicated securely to customers. Banks could also assist merchants by notifying them promptly of stolen cards and PINs.

Cards could also be required to display the holder's photograph.

One of the main strategies used to prevent EFTPOS fraud has been simply to lower floor limits (the transaction value at which authorization is required from banks before the card can be accepted).

Finally, various transaction monitoring strategies have been suggested to minimize losses through smart card fraud by quickly identifying fraudulent transactions and limiting the maximum value of transactions (AUSTRAC, 1996).

9.2.      Action by Merchants

Frauds involving merchants constitute a large problem for financial institutions as merchants or their employees are ideally placed to handle the customer’s card, to permit access to computer networks and to alter transaction details.

Finally, merchants should examine any suspicious behaviour and appearance of customers. This might involve customers selecting purchases rapidly; being dressed inconsistently with the nature of the purchases selected; customers who split purchases between various slips in an attempt to forestall authorization calls to issuers; customers who make multiple purchases all under the floor limit; and customers who buy many of the same items but in different colors and sizes (Grau, 1992).

Unfortunately, it is often not possible for merchants to use all of these techniques through fear of deterring potential customers.

9.3.      Action by Cardholders

Protection of one's card, PIN or password is the primary crime prevention strategy which card holders need to take. Although consumers are advised not to disclose their PIN, keep it with their card, or write it on the card, studies have revealed that between 20 and 70 per cent of people fail to adhere to such advice (Sullivan, 1987).

9.4.      Technological Solutions

A wide range of technological solutions have also been devised in order to reduce the security risks associated with plastic card payment systems.

9.4.1.   Protections against Card Counterfeiting

Various strategies have been devised to enhance the security of plastic cards and to make them more difficult to alter or counterfeit. These include the use of micro chip, holograms, embossed characters, tamper evident signature panels, magnetic stripes with improved card validation technologies, and indent printing.

9.4.2.   Card Restrictions

As an alternative to target hardening, the risk of large-scale fraud through the use of plastic cards could be reduced by placing limits on the size of card-based transactions or the amounts of money that may be stored on plastic cards. There could also be a limit on the life of the cards.

9.4.3.   Fraud Detection Software

Software has also been devised which is able to analyze plastic cardholder spending patterns in order to alert individuals to the presence of unauthorized transactions. Merchant deposit monitoring techniques also exist to uncover claiming patterns of corrupt merchants. One software package called PRISM (Proactive Fraud Risk Management) is used to detect credit card fraud carried out through the use of lost cards, stolen cards, counterfeit cards, fraudulent applications, cards never received, mail order, phone order and catalogue sales and merchant fraud. The cost is between $384,000 and $1.92 million depending on system requirements and configuration (Nestor Inc., 1996). While initial installation costs may be high, the benefits obtained through the prevention and detection of fraud makes the use of such systems worthwhile for large organizations.

9.4.4.   Improved Cryptography

Finally, cryptography, which is the mainstay of electronic banking security systems, could be improved to protect data transmissions over the net. This is currently being explored to secure online electronic cash systems by joint ventures such as MasterCard and Visa International's Secure Electronic Transaction Protocol, which uses public key encryption to protect data from being compromised, and is expected to be fully operational shortly.

9.4.5.   EMV

           

a)         What is EMV?

           

EMV is standard for Smart Card Debit / Credit. EMV was jointly developed by Europay, MasterCard and Visa. Recently JCB and Amex have joined EMV as well. Latest version is EMV 2004.

           

A Smart Card is a computer chip and contains the following:

           

·         Memory

·         Storage Space which stores Card ID, Owners ID, PIN, Authorization Levels, Cash balance, Credit Limit

·         An Operating System such as Native OS,  MULTOS or JavaCard

·         Application Programs – standard routines

EMV has incorporated mandatory and optional steps defined by EMVCo (www.emvco.com) such as:

                       

·         Secure Card Authentication Method (CAM) through Static Data Authentication (SDA)

·         Dynamic Data Authentication (DDA)

·         Combined Data Authentication (CDA)

·         Secure Cardholder Verification Method (CVM)

·         Enhanced Risk Management

·         Contains certain defined Application Programming Interfaces (API’s) and certain physical and electrical standards

b)         What is EMVCo?

           

EMVCo is a company formed by Europay International, MasterCard International and Visas International in February, 1999. In 2002, acquisition of Europay International was made by MasterCard International. In 2004 and 2009, JCB and Amex joined EMVCo respectively. Currently Amex, JCB, MasterCard & Visa each have 25% share.

           

c)         Benefits of EMV:

·         Prevent Counterfeit card

·         Secure transaction off-line, no need to go all transaction to on-line. Saves online cost.

·         Possibility to lose amount in chip-liability shift

·         Easy to implement various programs such as contactless MasterCard PayPass.

·         Higher revenue from a non-EMV issuer and Acquirer.

d)         Why Banks should move to EMV?

·         Interoperability

o    Of card acceptance, security and payment functions

o    Liability shift

·         Enhanced security

o    Cryptography, offline risk management with a common decision being taken between card and terminal

o    Protection against counterfeit fraud, lost or stolen (through offline PIN)

·         Better Control

o    Sophisticated authorization decisions off-line/forced on-line

o    Issuer controlling the risk

o    Customer centric decisions at the terminal, control managed within the application on the chip

·         Operational Savings

o    More off-line processing, fewer chargebacks, longer card life

·         Issuer can update the card at the terminal:

o    Change parameters via “scripting”

o    Add/activate new applications – like card level loyalty.

e)         What is the risk of counterfeit in Meg-strip card?

i)        The card can be copied with a $50 USD small device.

ii)      The track information is not encrypted and is very easy to personalize cards with copies data.

iii)    Copied Data can be altered very easily before personalizing counterfeit card.

f)          How does EMV protect Counterfeit fraud?

i)          Copying chip data is not easy (may be possible with billion dollar investment)

i)                    In DDA card, copying chip data and making counterfeit card is not enough as this type of card generates dynamic key by processor inside the card which is unique for each DDA card which we call ICC key. Card data is signed by this ICC private key which can’t be decrypted without this particular card ICC public key.

Note: DDA stands for Dynamic Data Authentication which:

1.   provides authenticity and integrity of ICC and terminal dynamic application data (signed by ICC private key).

2.   Allows detection of unauthorized alteration of ICC data after the card has been personalized.

3.         Prevents replay attacks and ICC counterfeiting.

iii)        The card information in a DDA card is kept encrypted three times by a) Card Key (also called ICC key, this is card specific key), b) Issuer private Key (RSA key generated by Issuer host), c) CA signed IPK (Issuer public key encrypted by EMVCO CA private key).

iv)        The public key can decrypt the private key and all the terminals have the EMVCO CA public key.

v)         The card can decide itself what actions to take for a particular transaction (depends on the txn amount, txn frequency, txn type) according to the IAC (Issuer Action Code) in the Chip card set by issuer at the time of personalization. The response may be approve offline, decline off-line or go on-line.

vi)        For On-line transactions, after getting the card data in the above decryption processed, the card data is further encrypted by UDK (unique derivative key, this is TDES key) and generates ARQC (authorization request key). This UDK is generated from MDK (master derivative key) at the time of personalization. This MDK is shared also stored in the Issuer Host. When an ARQC for a transaction comes on-line to Issuer host, the host decrypts the data with that UDK (as the host has the MDK), if it finds the card data ok and other validations are done at the issuer host, the Issuer host sends back an ARPC (authorization response code) which is signed by UDK. As the card also has the UDK (earlier mentioned, card contains the UDK at the time of personalization), it can decrypts ARPC and can see what Issuer Host advised.

g)         What are main contents of a meg-strip card and chip card?

           

Meg-strip card contains Track1, Track2 data which records Card name, Card Number, Expiry date, CVV, PVV etc.

Whereas chip card contains:

i)             All the information of Meg-strip data in specific fields

ii)            Card data under ICC private key

iii)           ICC public key under Issuer private key

iv)           Issuer Public Key CA private key

v)            UDK (for generating ARQC for Online)

vi)           UDK(Mac),  UDK(Enc) (for Issuer Script Update)—Same UDK values are kept in the card and Issuer host, thus It validated & update the scripts sent by issuer & vice versa.