Selected Press Releases As Smart Cards Continue to Emerge in March 2006

Smartcard market explodes


The smartcard industry is poised for an unprecedented explosion in South Africa, with three large-scale rollouts set to begin in 2005 and several more waiting in the wings. More than 50-million smartcards are expected to be issued in 2004 and 2005 combined. And, by 2009, more than 100-million smartcards will be in active use in South Africa. These are the key findings contained in the Smart Card Trends and Deployment in SA 2004 report, released recently by World Wide Worx and Razor's Edge Business Intelligence.

The report focuses on what are known as 'memory cards' and 'microprocessor cards', which are in effect plastic cards containing a small microchip. Memory cards allow only for the storage of data, whereas microprocessor cards allow for information to be added, deleted or manipulated. Both types are also known as chip cards, thanks to the computer chip embedded in the card.

From 1 January 2005, all new credit and debit cards issued in South Africa are required to be smartcards, meaning a roll-out of a minimum of about 12-million smartcards to banking customers over the next five years. The single biggest smartcard project this country will see, however, will be the new Home Affairs National Identification System, known as HANIS, which will require the replacement of identity documents with around 30-million smartcards - one for every eligible South African - during the same five-year period.

Telkom and the mobile network operators are expected to add another 20-million cards in 2005 alone, through the issue of new prepaid and SIM cards, while all pension payments handled by the Department of Social Welfare are expected to move to a smartcard system from 2005 onward, following successful projects in most provinces.

"More than a third of all South Africans already hold a smartcard in their hands indirectly, thanks to the SIM cards in their cellular phones," says Arthur Goldstuck, MD of World Wide Worx. "Now they will start getting to grips with the card itself as it becomes an everyday tool."

The reason for the explosion in smartcard usage is simple: it is more secure than any other identification technology that is economically viable and available, can contain updateable information ranging from personal details to fingerprints to identification photos, and is far less prone to forgery than existing systems.

Says Bruce Conradie, MD of Razor's Edge Business Intelligence, "We will begin to see an unprecedented range of applications for smartcards from 2005 onward, starting with the telecommunications cards we already have and extending to financial services. But it will not be long before almost every service that requires some form of identification or secure payment will take advantage of smartcard technology."

The massive smartcard rollout will require major upgrading and acquisition of new equipment - all retailers who accept cards will have to be ready for smartcards next year - as well as a clear understanding of what smartcard technology is best for what purpose.

"Not only do we have memory cards and microprocessor cards, but each of these offers two different categories of technology," says Conradie. "Contact cards and contactless smartcards dictate what kind of card reader has to be in use, since contact cards must be inserted into a reader, or swiped, while contactless cards only have to be passed near the reader."

Contactless cards have both a microchip and an antenna embedded in the card, which allows for it to be detected at a small distance by the reader. Many South Africans already use such technology without realising it, for accessing restricted areas, paying for road tolls, or managing agricultural stock control.

"The most promising applications we have seen so far involve pension payouts," says Goldstuck. "It shows how the technology can be used today by the most disadvantaged members of our society in the remotest areas and with a minimum of information at their disposal. Imagine how much more it can do for South Africans in the future."

The Smart Card Trends and Deployment in SA 2004 report is available from World Wide Worx. More information can be obtained at

For more information contact Arthur Goldstuck, World Wide Worx, 011 782 7003, or Bruce Conradie, Razor's Edge Business Intelligence, 011 792 4140,

Tide May be Turning for Smart Card Adoption

March 23, 2006

By Sharon Gaudin - Datamation

For several years now the smart card has been touted as the answer to a lot of authentication and security questions. It's sounded the death knell of the password year after year.

But the password hasn't shown any signs of going anywhere. The smart card, on the other hand, has had a slow start, with few companies jumping on board with it.

The tide may be turning, though... finally.

The U.S. government is pushing for smart cards to be issued to federal employees and contractors starting this October. While an official estimate has not been released as to how many cards will be issued in total, the Department of Defense alone reports that it plans on handing out 3.6 million cards to military personnel, employees and contractors.

That means millions of Americans will become smart card holders over the course of the next year. Couple that with the fact that the upcoming version of Microsoft Windows adds increased smart card support and the falling prices of both smart cards and their readers, and industry watchers say smart cards may finally start to get some of the traction that people have been expecting all along.

''We're looking at an evolution here,'' says Mark Diodati, an analyst in identity and privacy strategy services at the Burton Group, an industry analyst firm based out of Salt Lake City, Utah. ''People have always talked about the revolution coming. It's not. You'll see federal employees carrying cards and then you'll see consumers carrying cards in the form of contactless debit cards. And then as Vista becomes commonplace out there, it will pick up more.

''Real commercial adoption will be driven by the Swiss Army knife aspect of it,'' he adds. ''Here's your card -- it gets you into the building and logs you onto Windows and then it'll buy your lunch in the cafeteria... People will start to look at this technology.''

A smart card doesn't appear all that different from a regular credit card, but this device will have a small, embedded computer chip, which can perform tasks and store information. The cards can be used, instead of traditional keys, to gain access to buildings. They can be used as digital wallets, loaded up with a certain amount of money that can be spent in corporate cafeterias, for instance.

But smart cards are getting the most attention for their network security uses. With the addition of smart card readers to corporate work stations, smart cards can be used along with a PIN code, creating two-factor authentication.

Neal Creighton, chief executive officer of GeoTrust, Inc., a major digital certificate provider based out of Needham, Mass., says growing network security concerns will be a major driver of smart card adoption over the next couple of years. ''The environments are a lot more ready,'' he says. ''The entire Microsoft system is ready for this. It's all integrated so smart cards can be used much more easily. In the past, you had to do a lot of integration work. Now, it's already there.''

At the RSA Security Conference last month in San Jose, Calif., Microsoft Chairman Bill Gates told the keynote audience that he finally has the right tools to supplant the password. Of course, this isn't the first time Gates has said the password is going the way of the dinosaur. In 1999, Microsoft unveiled its first stab at an alternative authentication technology -- the Passport single sign-on service. It died. The password lived on.

This time, Gates says he doesn't expect the password to die off over night. In three or four years, though, he says he seems them becoming part of the corporate security arsenal. And he's adding increased smart card support to Vista to back that up.

Corporate Implementation

At Steag AG, an electricity generator and distributor based in Essen, Germany, they've been slowly but surely implementing smart card technology for the past two years.

Frank Pooth, IT project manager for Steag, says they started out issuing employee cards for access control to the physical buildings. Next, they'll move on to securing email with smart cards. Eventually, the cards also will be used for access to printers and scanners, as well as to pay for food bought in the company canteen.

''We won't give employees a second smart card,'' says Pooth. ''We will give them one employee cad that will solve all of our problems with access to the building and to IT resources... We don't plan to implement it on all systems at one time. We will take it step by step. It will take, for the whole company, three years.''

Pooth said they have taken on the project because it's making them more secure and it's saving them money at the same time.

''In combination with a single sign-on strategy, you have a more secure log-on technique,'' he says, adding that it will be cheaper to support one authentication system across the board, rather than a different system for every need. ''You combine what you know and what you have and that's the smart card. It's more secure.''

Falling Prices -- Increasing Sales

Creighton says a drop in the cost of smart cards and related technologies will play a big part in corporate America deciding to implement them.

''If you look at when the technology was really hyped, it was early and it wasn't easily integrated,'' he says. ''It was really expensive. That's where we were. Now it's integrated and at a much lower cost. All those components are there now so it's a much easier decision for people.''

According to Creighton, a company of 5,000 employees could deploy smart cards today for under $10 a user -- and that includes the cards and the readers.

That price should drop even a little more if smart card adoption is planned into periodic hardware upgrades, says Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit industry association based in Princeton Junction, N.J.

Vanderhoof notes that obviously an adoption will be more expensive if a company is starting from scratch, buying the cards and readers, paying for training. The key will be to upgrade to desktops and laptops that already come with smart card readers and technology built in.

''In most companies, they go through a desktop refresh every few years,'' he says. ''One of the options is to buy PCs with smart card readers already built into them or the keyboard... Companies will slowly migrate to smart cards as they upgrade.''

As for the password, Diodati says it will be hanging around for the foreseeable future.

''The password is a ubiquitous form of authentication that is never going away,'' he adds. ''There are legacy applications that will never open themselves up to PKI-based authentication... And there are going to be applications that are low-risk. Maybe you're not moving money around or doing something else that is high risk. Then a password might be the right level of authentication for that. They're portable. Everyone knows how to use them. They'll be around for quite some time.''

Medicare smart card branded 'ID card by stealth'

ABS News Online - Monday, March 27, 2006

The federal Opposition has condemned reports that the Government is considering introducing a Medicare smart card, saying there has been no consultation.

Human Services Minister Joe Hockey is reportedly outlining the proposal to Cabinet this week.

The card would include a photograph and contact details and would enable the holder to receive government benefits.

Labor's Kelvin Thomson says it would be a national identification card by stealth and the proposal should not have gone as far as Cabinet without public discussion.

"This is part of a political pincer movement between Joe Hockey and the Attorney-General Philip Ruddock, which involves the introduction of an ID card by stealth," he said.

"This involves a plan to essentially introduce the ID card without proper public consultation."

The Debut Of "Contactless" Credit Cards

JPMorgan Chase and American Express will soon be issuing millions of new credit cards. The new cards are embedded with a computer chip that will no longer require consumers to swipe their card and sign a receipt. Millions of credit card readers will be equipped with new technology that allows consumers to simply wave their credit card over the reader and the transaction is complete. The new credit cards and card readers have been tested in major cities and should be available nationwide by 2006.

The new "contactless" cards will be great news for merchants who install the updated card readers. The customer will move in and out of the checkout line quickly and the merchant will do nothing except issue a receipt. The new credit cards have sensors that will prevent thieves from retrieving confidential information about the consumer, which is encoded on the computer chip. A thief could use the credit card if it were stolen, but could not get any personal information about the cardholder.

While the new credit cards will be great news for merchants and credit card companies, consumers could be at a disadvantage. In cities in which the new technology has been tested, consumer spending and frequency of use has risen noticeably. Consumers spent more money with the new cards and used them more frequently than traditional credit cards. It is certain that all credit card issuers will soon follow in offering the new "contactless" credit cards.

Peppercoin demonstrates contactless small payments at APTA Fare Collection Workshop

Wednesday, March 22 2006

Using OTI readers, payments technology company Peppercoin has introduced what it calls a first-of-its kind system that will allow consumers to use their existing contactless credit or debit card as their transit pass and, according to the company, reduce the cost associated with proprietary smart card automated fare collection systems.

Innovative prototype with OTI readers, allows consumers to simply wave card to pay and ride

ATLANTA-- Peppercoin, a payments technology company that enables profitable new business models for low-priced goods, services and digital content, demonstrated a prototype of a first-of-its-kind contactless mass transit fare collection system at the American Public Transportation Association's annual Fare Collection Workshop. This prototype system will enable consumers to use their existing credit or debit card as their transit pass for the first time.

Peppercoin's unique approach allows transit passengers to use their preferred credit or debit card as a ride pass, rather than purchasing a separate specialized transit pass. Riders can also use the system to prepay for multi-ride, season or period passes, which can be virtually loaded onto the rider's credit or debit card. The card can then be automatically replenished similar to toll collecting systems such as EZPass.

According to a survey conducted by independent research firm Ipsos Insight in November 2005, more than one in three American consumers would be willing to use a credit card for purchasing transit services.

"Contactless fare payment with a regular debit or credit card brings added speed, convenience and efficiency to people's mass transit travel, including their daily commute," said Mark Friedman, president and CEO of Peppercoin. "The system will be a great benefit for transit operators as well, and we are looking forward to seeing this prototype become a reality in the transportation system."

For operators, Peppercoin's solution will reduce the cost and complexity associated with proprietary smart card AFC systems. It also reduces the operator's costs associated with handling cash, which can cost as much as 20 cents per dollar paid.

Peppercoin teamed with On Track Innovations Ltd, a global leader in contactless smart card technologies, to enable this highly innovative solution. With OTI's Saturn 5000 contactless card reader, transit riders will be able to simply touch and pay as they board their subways or buses.

"Combining OTI's contactless products with Peppercoin's ability to process small payments provides a quantum leap in convenience for transit riders, while reducing costs for operators," said Ohad Bashan, president and CEO of OTI America. "It will help reduce bottlenecks as people enter the subway or board the bus."

EUFISERV Takes Next Step Towards The Single Euro Payment Area

March 23, 2006

EUFISERV has announced that its board of directors has taken decisions necessary for the EUFISERV ATM card scheme to become compliant with the SEPA Cards Framework (SCF). This will allow the scheme to continue to be a part of the European payment system landscape after the launch of SEPA in 2008.

Currently the EUFISERV ATM Card Scheme provides access to cash to over 70 million cardholders. EUFISERV branded cards are issued by over 600 participating banks and are accepted at over 60,000 EUFISERV branded ATMs across Europe.
To become SCF-compliant the EUFISERV scheme will be separated from the processing activities of the company. Participating banks will need only a single license for the whole of SEPA. Support for EMV will be made mandatory and a liability shift rule will be introduced to encourage early adoption.

Mr. Petter N. Johansen, Managing Director of EUFISERV, said that this decision of the company’s Board of Directors assures continuity of service to banks participating in the EUFISERV ATM Card Scheme as well, of course, to cardholders. “In addition to providing SCF-compliant cash withdrawals at ATMs as requested by the authorities, additional ATM services for cardholders will be provided, bringing more value for the participating acquiring and issuing banks.

At the same time, the formal separation of the governance of the scheme underlines EUFISERV’s commitment to fully exploit the company’s switch processing services. Coupled with our recently announced decisions to provide services to the wider market, EUFISERV’s intent to capitalise on its role as an ATM and POS switch processor of all global and SCF-compliant card schemes is progressing as planned.”

GO charging ahead toward `smart card' Manager outlines strategies for growth Running local transit services proposed

Mar. 22, 2006. 01:00 AM


GO Transit wants to give "reward miles" to commuters, build a dedicated bus lane on the Don Valley Parkway and run local transit services to feed its suburban stations, says its top official.

"We're pushing forward with small successes," general manager Gary McNeil told a transportation summit run by the Strategy Institute think tank at the Delta Chelsea. "It's one little battle after another, but eventually we are going to win."

Currently, GO is part of a provincial pilot project to bring "smart card" fare payment to transit users across the GTA, the first step to a reward-based fare system. The pilot project will be underway in 2007 for commuters on Mississauga's Milton line. They'll swipe a card through a reader to pay their fare.

When the project rolls out in full, GO will abandon its monthly passes and 10-ride passes in favour of a program where the more you take GO, the less you'll pay each time, McNeil said.

The fare card will act as a transit bank account; when you use the system, money will be deducted.

"Your ticket price will gradually decrease as you use the system. You won't have to worry whether you should buy a monthly pass this month if you're going on vacation, or whether you should buy a 10-ride ticket. The card will do the thinking for you.

"You won't have to think about the cost of transit any more. It will be on a card — it will make it more convenient.

"It's got a computer chip that makes it smart. It knows where you are when you get on and off, and charges you for it."

Other proposals include:

  • Encouraging suburban municipalities to stop allowing big-box development around GO stations, instead asking them to build business centres that would promote train use.

  • Paying municipalities to put in bus-priority lanes.

  • Trying to convince the City of Toronto to agree to dedicated bus lanes on the DVP. McNeil said GO is willing to foot the $2 million bill for upgrading the shoulders on the DVP for use by buses only, but said the project doesn't appear to be a priority for city staff.

  • Starting up local transit systems, or having that service contracted out, to get suburban commuters to GO train stations faster. As it is, transit in places such as Oakville, Brampton and Whitby try to serve students and seniors, preferring to let GO commuters make their own way to the station by car.

  • "We've embraced the car by providing more parking lots," said McNeil, who said GO added 8,000 spots over five years to bring the total to more than 45,000. "We're probably the largest parking authority in the GTA."

  • But space is limited for new lots and it makes sense for GO to run its own service to save parking spaces, McNeil said.

  • "I'm saying ultimately if local transit doesn't respond to this stuff, we've got to do it," he said. "We're running out of land and it costs a lot of money to build parking structures. I'd much rather people came by local transit if the service was there ... It's a case where we maybe provide the contractor with little shuttle buses and then define the route."

  • GO also has plans to extend trains to 12 cars from 10, build new tracks to beef up service and buy double-decker buses to add seating space.

McNeil said the ridership growth strategies will eventually mean GO Transit will recoup 95 per cent of its operating costs through fares by topping 50 million passengers annually in 2010.

GO already recoups 86 per cent of its operating revenue through fares, tops in the world except for a couple of systems in Asia that make money through land development and leasing deals, McNeil said.

"We are probably the top performer in the world," said McNeil, adding the TTC would be second at about 78 per cent. "If you are an accountant, that's good news because it shows we're taking care of the bottom line.

"But as a transit authority, it means we're pushed to the limit of our capacity, standing room only and pent-up demand."

You could be out of the country and out of luck with your ATM card

By Carol Pucci Seattle Times staff columnist

As thieves become better at cracking ATM codes as well as stealing credit-card numbers, banks are getting more aggressive about locking down their international systems when they suspect fraud, leaving travelers stranded without access to their cash, and no warning.

Take the case of Frank Conlon, a retired University of Washington history professor, who tried to use his Wells Fargo Bank-issued Visa debit card at a cash machine in London recently. It wouldn't work, even though he had used it six weeks earlier in India and Thailand.

The problem didn't have anything to do with his account. Nor was it a technical glitch, he found out after making calls to his branch and to bank headquarters in California.

"Wells Fargo had put a hold on any ATM transaction in the entire U.K.," Conlon said. "When I asked them why they had not informed the customers, they said it was to 'not compromise our investigation.' "

He was told to take his card into any bank and get cash over the counter, but he could find no bank willing to do this. Finally, he obtained the cash he needed by writing a personal check at an American Express office and showing his Amex card.

"Periodically, we do block transactions," said Wells Fargo spokeswoman Lara Underhill. Underhill said the bank's security policies prevented her from providing any details about what happened in London.

"Most of the time, [your card] is going to work, but there are times when we take extra steps to protect our customers."

News reports circulated last week that the Wells Fargo problem was linked with a widespread security breach that caused several banks to reissue debit cards or block access in countries where ATM cards were used to withdraw cash.

Citibank recently confirmed reports that it had detected fraudulent ATM cash withdrawals with some of its MasterCard credit and debit cards used in the UK, Russia and Canada.

A series of consumer accounts had been compromised during data leaks by third-party U.S. retailers, the bank said. As a result, it blocked ATM transactions in those countries earlier this month, and had to issue new cards to some customers.

Avivah Litan, an analyst writing for the Gartner research group, called the combined bank actions reflective of the largest PIN theft to date.

The schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to processors that execute PIN debit transactions. The thieves also steal terminal keys used to encrypt PINs, which are typically stored on a retailer's terminal controllers, according to her report. They then use the information to make counterfeit cards.

Fraud alerts

More common than system-wide lock downs is a hold placed on an individual's credit card when a transaction triggers a fraud alert. In these cases, the bank usually informs you, but the alert comes in a phone call to your home or work number, and you usually don't know about it because you're away on a trip.

This usually happens when you try to use your card in a place you normally don't, even Canada, as one Seattle woman recently found out when she tried to use her Bank of America-issued Visa card to buy Whistler ski-lift tickets at a 7-Eleven in Squamish, B.C.

Her card was denied. When she returned home, she found phone messages on her machine from the bank asking her to call.

Credit-card fraud costs banks and merchants millions annually, and ATM forgeries and PIN thefts are rising. Federal laws limit consumers' liability provided stolen cards and unauthorized charges are reported promptly (see for details), but travelers who want to avoid hassles will want to take some precautions.

Here's what to do

• If you're leaving the country, tell your bank where you're going and when, even it it's just across the border to Canada. Do this by calling the number on the back of your credit and ATM cards. Although it might not seem wise to tell a stranger that you'll be away, it's the smartest way to avoid hassles. You can be somewhat vague about the dates.

The bank will alert its fraud department that you will be using your cards while traveling. This works most of the time, but it's not a 100 percent guarantee.

Before you leave, get the phone number (not the 800 number on the back of the card) to call from outside the country in case there's a problem. Usually it's a number that accepts collect calls. Hopefully, you won't be routed to a call center in India. But if you don't get a satisfactory answer from the first person you talk to, ask to speak to a supervisor.

• Don't rely on any one payment method. Take back-up cards (two different credit cards, and if possible, two ATM cards tied to different banks or credit unions), extra cash and/or travelers checks. Memorize any PIN numbers you might need, and keep your backup cards in a separate and secure place.

• Bring an extra picture ID in addition to your passport. You could be asked for two forms when cashing a travelers check or for a cash advance or other banking transaction.

• Don't respond to e-mails saying that your credit or debit card may have been compromised. The practice of sending fraudulent e-mails alerting consumers to fraud that hasn't taken place is called phishing, and it's becoming more common.

Banks don't notify you by e-mail or use e-mail to ask for account numbers, social security numbers or other confidential information. They call.

Former Thai Miss Universe gets "Smart Card"

ID update BANGKOK, March 22 (TNA)

All Thai citizens, aged 15 upward, are to hold electronic identity cards, widely known as "Smart Cards", from now on.

This legal requirement has no exception even though one was once crowned "Miss Universe".

On Tuesday, Thailand former Miss Universe 1988, Pornthip Nakhirankanok Simon, was issued a "Smart Card" at Bangkok's Bangrak district to replace her expired ID card.

She was warmly greeted and welcome by not only the district office staff, but also members of the general public who asked to take photographs with her and sought for her signatures.

Ms. Pornthip, nicknamed Pui, married an American billionaire, Herb Simon, whose niece was once her college classmate, in 1999. She now has a son and visits Thailand from time to time. (TNA)-E002

Online Security Threats Highlight Need for Smart Card-Based Authentication Systems

Smart Card Alliance Details Benefits at Security Week Brazil, Cards Brazil

SAO PAULO, BRAZIL -- (MARKET WIRE) -- 03/23/2006 --

The news reports have become an ever-increasing drumbeat: a hacker somehow breaches the computer network of yet another bank, credit firm or retailer, gaining access to vital data from thousands of customer accounts. Time and again, the result is consumer mistrust as identities are stolen and organizations scramble to limit the damage.

Since identity touches on many everyday activities, including air travel, banking, driving, obtaining medical services and accessing buildings and computer systems, it is crucial that identity information be kept secure in order to prevent crimes that can cause sizeable security risks and financial losses.

Fortunately, the technology behind today's smart cards -- portable credit card-sized devices with embedded microprocessor chips -- allow them to store identity information in a highly secure fashion. Smart cards can be used in secure identity systems to protect an individual's personal information and to provide strong authentication of users seeking access to online resources.

Indeed, smart card adoption is growing rapidly in both the public and private sectors, as companies and agencies look to strengthen their information security beyond increasingly inadequate username/password systems, while finding ways to converge authentication and access control for both computers and physical locations onto a single, secure credential.

The Smart Card Alliance, a nonprofit industry association promoting the use of smart cards, will be a participating sponsor and exhibitor at two major industry trade shows in Sao Paulo, Brazil, that will highlight the latest technologies and solutions aimed at securing online information and making payment transactions faster and more secure.

"Businesses and agencies can no longer afford to trust the security of vital identity data to usernames and passwords only, which are increasingly vulnerable to attack from sophisticated fraud artists, as evidenced by many high-profile and costly network breaches in recent years," said Edgar Betts, associate director, Smart Card Alliance Latin America. "At both SecurityWeek and Cards Brazil, the Smart Card Alliance will demonstrate how the latest technologies are being implemented to ensure that only authorized personnel can gain access to systems and facilities."

In consecutive weeks in March and April, the Smart Card Alliance will play an active part in two major industry events that will highlight the latest in identity authentication and security technologies, and their implementations in Latin America and elswhere:

-- SecurityWeek Brazil 2006, March 27-29, TransAmerica Expo Center: The
Smart Card Alliance will hold a workshop entitled "Smart Cards in IT
Security." This session will look at how smart card technology serves as a
portable, secure container for identity credentials that are cost
effective, scalable and more secure than traditional passwords. The
association will also sponsor a smart card demonstration along with a
member firm, Axalto, the world's leading provider of microprocessor cards.
-- Cards Brazil 2006, April 3-5, Frei Caneca Convention Center: The Smart
Card Alliance is a sponsor and exhibitor at this event, and will present a
session entitled "Smart Cards in the Transit Industry." This session will
highlight ways smart cards are being used for secure payment in mass
transit systems around the world.

About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. For more information please visit

First Data, Retail Decisions To Offer Card-Not-Present Fraud Solutions

ECommerce, First Data Corp., Retail Decisions

First Data Corp. has announced an affiliation with Retail Decisions to provide an enhanced fraud detection solution for First Data's global online merchants.

The fraud solution will provide merchants with multi-layer fraud prevention, which will reduce chargebacks and manual validation expenses. First Data currently provides merchants with an array of risk and fraud solutions and will now offer a fraud prevention tool fully integrated with its payment processing capabilities for worldwide e-commerce merchants.
Pam Patsley, president, First Data International said, "as we continue to offer international merchants processing solutions, it is important that we help them differentiate their business with a robust, global solution for fraud prevention. Our clients now have access to a powerful and comprehensive risk management tool that will reduce fraud costs and allow retailers around the world to expand their business and safely accept payment transactions."

Carl Clump, CEO of Retail Decisions said, "we are delighted to partner with First Data to offer their merchants enhanced fraud prevention solutions. This solution will enable First Data's merchants to reduce their fraud and enhance customer relationships while increase their revenue. This agreement is a testament to ReD's breadth and depth of fraud prevention expertise."

Peppercoin Demonstrates Contactless Transit Payments

Contactless Payments, Peppercoin, Transit Payments

Peppercoin has announced the demonstration of a prototype of a first-of-its-kind contactless mass transit fare collection system that enables consumers to use their existing credit or debit card as their transit pass for the first time.

Peppercoin's unique approach allows transit passengers to use their preferred credit or debit card as a ride pass, rather than purchasing a separate specialized transit pass. Riders can also use the system to prepay for multi-ride, season or period passes, which can be virtually loaded onto the rider's credit or debit card. The card can then be automatically replenished similar to toll collecting systems such as EZPass.
According to a survey conducted by independent research firm Ipsos Insight in November 2005, more than one in three American consumers would be willing to use a credit card for purchasing transit services.

"Contactless fare payment with a regular debit or credit card brings added speed, convenience and efficiency to people's mass transit travel, including their daily commute," said Mark Friedman, president and CEO of Peppercoin. "The system will be a great benefit for transit operators as well, and we are looking forward to seeing this prototype become a reality in the transportation system."

For operators, Peppercoin's solution will reduce the cost and complexity associated with proprietary smart card AFC systems. It also reduces the operator's costs associated with handling cash, which can cost as much as 20 cents per dollar paid.

Peppercoin teamed with On Track Innovations Ltd, a global leader in contactless smart card technologies, to enable this highly innovative solution. With OTI's Saturn 5000 contactless card reader, transit riders will be able to simply touch and pay as they board their subways or buses.

"Combining OTI's contactless products with Peppercoin's ability to process small payments provides a quantum leap in convenience for transit riders, while reducing costs for operators," said Ohad Bashan, president and CEO of OTI America. "It will help reduce bottlenecks as people enter the subway or board the bus."

Visa Introduces Contactless Mini Card, Making Payments Faster and More Convenient than Ever

Visa Introduces Contactless Mini Card, Making Payments Faster and More Convenient than Ever


Industry's First Commercially Scalable Alternative Form Factor for Contactless Payments Now Available for Issuance

PreviewVisa today announced the availability of the Visa Contactless Mini Card, delivering all of the speed of contactless payments in a card that is about half the size of a traditional payment card and easy to carry on a key ring. The new Contactless Mini Card is the industry's first alternative contactless form factor that is ready for large-scale commercial deployment.

The Visa Contactless Mini Card is issued as a complementary card to a Visa credit or debit card. The card includes a small hole in the lower left corner so it can be easily attached to a key chain. This eliminates the need to pull out a card from a wallet or a purse and makes payments via Visa Contactless more convenient than ever. Like the standard-sized Visa Contactless card, the Contactless Mini Card has an embedded contactless chip and antenna that deliver the contactless functionality, as well as a magnetic stripe to ensure that consumers can use the card wherever Visa is accepted.

"Sometimes the biggest advances for consumers are the smallest, and that's true for the Visa Contactless Mini Card," said Elizabeth Buse, executive vice president, product development and management, Visa USA. "At half the size of a standard Visa card, it's convenient to carry and simple to use. That ease of use will help continue the momentum behind Visa Contactless, as we offer more payment choices to cardholders."

Issuer, merchant, and cardholder interest in contactless payments continues to surge. Visa research shows that the mini card is the second most preferred form factor after the standard-sized card, with the majority of consumers stating that they would be interested in adding contactless functionality to a mini card. Now Visa issuers can offer both standard-sized and mini contactless cards to their cardholders in full, large-scale deployment.

The launch of the Visa Contactless Mini Card was made possible through the expansion of the Visa Smart Breakthrough program, which resulted in a new, cost-effective, and more flexible contactless chip solution. Visa worked with its partners in card technology and manufacturing to reduce the size of the antenna embedded in a contactless device. In addition to mini cards, the new contactless solution has the flexibility to support other form factors, including 3D key fobs, mobile phones and other handheld devices. The Visa Contactless Mini Card is the only alternative contactless form factor in the U.S. that today can be issued as a companion card to all of the standard-sized cards in Visa's U.S. cardholder base.

"The mini card is the latest example of Visa's approach to technology innovation - we believe in developing ideas that offer true value and are designed to be successful on a commercial scale," Buse said. "Our partners in the industry expect nothing less from Visa."

Visa To Launch Contactless Cards In Europe This Year

Several major European banks will soon launch Visa-branded contactless payment systems, in which consumers can make purchases by tapping their cards against a reader, Kevin Smith, Visa Europe's vice president of consumer market development, tells Card Technology sister publication CardLine Europe. "It's fair to say that we will see pilots of these applications later this calendar year," he says, after which some banks will roll the programs out to all cardholders in 2007. According to Smith, major banks and retail chains in the UK are together exploring the possibility of contactless payments.

The retailers, in particular, are showing interest because they believe contactless payment will increase customer spending, Smith says, noting that a recent study by Visa USA confirms that supposition. "It does indicate that, for existing card acceptors, contactless actually does provide incremental card activity," he says. In addition, Smith says, many European banks view the addition of a contactless payment function to their existing cards as a means of differentiating their cards in the market and bolstering their brands. "There's a mixture here of marketing to existing and new customers, but also as a true way of actually driving additional volume and activity on these cards," he says. (2006-03-21)

[March 20, 2006]

DF metro to introduce smart card system

( Via Thomson Dialog NewsEdge)The Mexico City (DF) subway system STC is preparing to introduce a new payment system using prepaid smart cards to make operations more efficient for users, STC spokesperson Mercedes Aguilar said, confirming a report in newspaper Reforma.

"This system is already operating for pensioners, who can use the system free when they receive their credentials," Aguilar told BNamericas. "This will mean the full automation of the system for all users."

"Once we finish supplying credentials to around 200,000-300,000 pensioners, we will begin gradually replacing the mechanical ticket-operated turnstiles with optical card-readers, which will make things much more efficient for users," said the spokesperson, adding that this would be in the second half of this year.

The Metro authorities expect that the new card-reading turnstiles will have a far greater lifespan than the current mechanical system and approximately 1,200 of the new apparatuses will be installed in all 175 stations of the network, Aguilar said.

No specific investment figures have been mentioned for the changes at stations. Since the introduction of the new card readers will be relatively gradual, the costs are likely to be spread over more than one budget period, said the official.

However, despite the costs of the new system, the STC administration has no plans to increase ticket prices from their current level of 2 pesos (US$0.19) and nor will introduction of the new system result in any staff redundancies, as normal tickets will continue to be sold, at least for the time being, Aguilar added.


New card for food stamps is issued

Monday, March 20, 2006

THE COLUMBUS DISPATCH ovelia Eskew watched her mail closely after getting a letter from the state informing her that she would soon receive a new debitlike card for food stamps.

"It came the other day," the Columbus wom an said, patting her pocket. "I just need to call to activate it."

One week from today, Ohio will change the way it distributes food stamps for only the second time in 42 years.

In the late 1990s, the state got rid of paper coupons to prevent fraud. This time the state expects to save $23 million a year in administrative costs by replacing its high-priced "smart card" with the more widely used magnetic-stripe card like those used at groceries, gas stations and ATMs.
Eskew, 68, is one of the more than 1 million low-income Ohioans who use food stamps to buy groceries. Like most, she has yet to call a toll-free number to activate her card and select a pin number.

She has a week.

At 11:59 p.m. Sunday, the green Ohio Direction cards that recipients currently use will no longer be accepted by grocers and other retailers.
Two minutes later, at 12:01 a.m. next Monday, recipients can start using the new blue and silver cards.

April benefits will be immediately available and any remaining balance on old cards will be transferred to the new ones by March 29.

The Ohio Department of Job and Family Services announced in October 2003 that it was abandoning its high-tech "smart card" after The Dispatch detailed how it was the most expensive system in the nation.

Unlike 48 other states, Ohio and Wyoming use the smart card with an embedded computer chip that holds account information. Other states use magnetic-stripe cards, which rely on phone lines to access account information.

While Ohio’s smart card costs $4.73 per caseload per month to operate, the new cards will cost 89 cents.

John Scaggs, who oversees food stamps for the state, anticipates a smooth transition.  "The system we are going to, an online swipe system, is 40-year-old technology. It’s reliable and stable," he said.  The bigger challenge is spreading the word about the new cards and making sure recipients activate them.

Earlier this month, the state sent notices to more than 500,000 households receiving food stamps or that had gotten benefits during the past year, informing them that new cards would be coming in the mail.

As of Thursday, all 515,817 cards had been sent out, and 87,735 of them, or 17 percent, have been activated.  Department officials say they expect that number to increase dramatically in the next week or so when the cards become functional. Thousands of cards, they say, likely will never be activated. They were sent to former recipients who might have a balance of just a few dollars.

"Even though they have all been mailed, we know that a lot of cards haven’t reached the recipient yet," said Dennis Evans, spokesman for the state agency. "We needed to change the system and we’re doing our best to get the word out. But (activating the card) is that one component that they are responsible for."  Scaggs said most of the inquiries received so far have come from recipients asking why they haven’t gotten their card.

"People should have them by (Thursday)," he said. "If not, they can call the customer service number of contact their caseworker."

"When we converted from paper coupons to cards, a significant portion of the population wasn’t familiar with debitlike cards," Scaggs said. "Now a high percentage of this population is familiar with the current card and debit or credit cards. Cashiers are also familiar with the technology and can be of more assistance."

Lisa Hamler-Fugitt, executive director of the Ohio Association of Second Harvest Foodbanks, said the new cards might encourage more eligible Ohioans to sign up for benefits because they are swiped by the same readers other shoppers use. The smart card had a special reader that often was located at only a single cash register.

"I think this will do a lot to reduce the stigma," she said. "They look just like credit cards."

March 17th, 2006 12:28 PM EDT

Report: New Technology Will Drive Growth Of Smart Card Readers

The largest potential growth in the smart card readers and chipsets market over the short term has to come in the form of migration to next generation payment technology. EMV migration in Europe, Asia Pacific and Latin America along with contactless payment in the U.S. is the most important application supporting the growth in the readers and chipsets market.

E-passports, national ID, drivers' license and transit are also large markets for smart card readers in the medium term. The market opportunities from the government projects will grow tremendously in the medium term, which opens up numerous lucrative market opportunities.

New analysis from Frost & Sullivan reveals that the market generated 6.9 million on units in 2004 and estimates to reach 33.0 million in 2010.

Persons interested in a virtual brochure, which provides manufacturers, end-users, and other industry participants with an overview of the latest analysis of the World Smart Card Readers and Chipsets Markets can send an e-mail to Tori Foster, corporate communications at with the following information: full name, company name, title, telephone number, e-mail address, city, state and country.

"With banks shifting their business model to online banking the rate of growth in the smart card readers segment will be decided by whether the banks adopt PC-link readers or USB keys for user authentication," said Frost & Sullivan Industry Manager Anoop Ubhey. There are better cryptographic algorithms available that make online authentication secure. EMV payment cards can be configured to contain digital signatures and keys for online authentication. It is more economical for banks to migrate to online banking than continue with the "brick and click" model. In addition, with most enterprises and government agencies going in for logical access to their networks the smart card reader infrastructure will become commonplace making the transition easier.

"USB dongles and USB keys are giving fierce competition for smart card readers in the logical access market," said Frost & Sullivan Research Analyst Alejandra Etcharran. "With this market dominated by many small manufacturers, if the authentication market does not adopt smart card readers as a standard then the larger manufacturers will lose market share in this sector."

To overcome or stop any real threat coming from the smaller manufacturers a careful monitoring of the logical access control market must be put in place. Taking on the smaller manufacturers on the price front would be difficult but they can be countered through volumes and innovative product offerings. Offering value adds, in terms of software and service to issuers is another one, which might prove to be more successful in the medium term. Using such tactics will allow you more time to dampen the approach from these companies.

World Smart Card Readers and Chipsets Markets is a part of the 9206 subscription, provides an overview and outlook for the market. This study has been segmented into analysis by type of smart card readers and by geographic region analyses. This research includes detailed market opportunities, industry trends and detailed competitive analysis that have been evaluated following extensive interviews with market participants. Interviews are available to the press. For more information, visit

Dexit Announces Board, CEO Changes

Filed in: Contactless Payments, Stored Value March 20, 2006

Toronto-based Dexit has announced the appointment of Janet C. Martin as the company's new CEO along with the resignation of board member Rubin Osten.

Ms. Martin replaces Renah A. Persofsky, the founder of the company, who has served as President and Chief Executive Officer since 2001. Ms. Martin will also become a director of the company, replacing Ms. Persofsky, who has resigned from the Board.

"Renah's entrepreneurial spirit has been the driving force behind the inception and launch of Dexit, for which the company is most grateful. As Dexit enters a new phase, it was the Board's view that a different set of skills is necessary to meet the company's new challenges. Janet's leadership abilities and senior managerial experiences are ideally suited for the next stage of Dexit's development," said Jeffrey Chisholm. Dexit Inc., based in Toronto, has pioneered an "instead of cash" electronic payment facilitation service for small transactions (generally under $25). The Dexit service enables consumers to pay for a variety of low-cost items quickly and conveniently with the tap of a RFID (radio frequency identification) tag linked to a pre-paid account.

Smart card may ease airport security queues Pearson set to be first in Canada to use system Travellers show identity with iris, fingerprint data

Mar. 14, 2006. 05:12 AM Toronto Star


Travellers may soon be able to swipe through security lineups at Pearson International Airport using the country's first smart security card.

Clear Card, developed by U.S.-based Verified Identity Pass, stores a passenger's biometric information — all 10 fingerprints and an image of both irises — on a card, which is then used at dedicated airport security queues. The system could be implemented this year if Canadian regulators sign off on it.

"This will help to abbreviate the process at the security checkpoint and allow you to have a less hassled experience as you go through the airport," says Allison Beer, director of business development for Verified Canada.

The details haven't been finalized but it will work this way: Anyone carrying the card will head to a verification kiosk at the airport, where the card is scanned and a fingerprint reader or iris scanner is used to verify the person's identity.

The system is aimed at frequent travellers and it's expected applicants will have to fill out an online application and undergo an interview. A similar system in Orlando costs subscribers $79.95 (U.S.) each year and saves an average of 25 minutes. Cardholders still must pass metal detectors and X-ray machines,

While Clear Card won't relieve overbooking or check-in lines — airlines still decide what time travellers have to be at their gates — it does promise to hasten the security process.

So far, the only airport in the world that uses the technology is Orlando International Airport in Florida. Norman Y. Mineta San Jose International Airport and Indianapolis International Airport will begin using Clear Cards in spring 2006. In Canada, the company plans to talk to all of the major airports, hoping to replicate the program.

While the Greater Toronto Airports Association (GTAA), which oversees Pearson, has already signed off on the program, Transport Canada must still weigh in before it can be implemented. The ministry did not return calls for comment. Beer says Verified can have the program in place as soon as 30 days after receiving that go-ahead.

The application process for travellers involves two phases: an online application and an in-person assessment. Online details include a biography of the applicant. During the second phase, fingerprints and iris images are collected and placed on the card, which Verified claims is tamper-proof.

Conditions will vary in Canada, but the Orlando system includes a background check and ensuring the applicant is not on any terrorist watch list. Officials at the GTAA declined to be interviewed, but did release a statement:

"The GTAA has entered into an agreement to work together with all the appropriate agencies to develop this service offering. We are at the conceptual stage now and a lot of detail remains to be developed. At this time, the GTAA has no further comment than that."

Canada Customs uses an iris scan system called CANPASS-Air to speed up travel between Canada and the U.S.

JCB agrees to MasterCard contactless payments protocol

Finextra 14/03/2006 13:04:00

Japanese card issuer JCB says it has agreed to share a common contactless communications protocol based on MasterCard's PayPass ISO/IEC14443 implementation specification.

Visa agreed to support the Mastercard PayPass ISO/IEC14443 protocol in March last year.

JCB's adoption of the specification means that the major international card brands will be basing contactless payment applications on the same communications protocol.

The Japanese firm says a common specification will allow POS terminal vendors to reduce the burden of system development. The protocol will also reduce initial costs for banks and merchants as it ensures global interoperability for contactless payment products.

Akihiko Shigemori, SVP, Advanced Technologies, JCB, says: "By this arrangement, we at JCB can accelerate our expansion of our contactless payment field in the international markets."

JCB says it plans to begin development of an international JCB brand contactless system based on the common communication protocol this year.

In September last year the Japanese card issuer joined an initiative from Visa and MasterCard to align security requirements, testing methodologies and approval procedures for PIN Entry Devices (PED).

Payment industry comes together to ensure smooth migration to chip technology in Canada

TORONTO, March 13 /CNW/ -

Members of the payment card industry -- Interac Association, MasterCard Canada Inc., Visa Canada Association, and many of their respective card issuers and acquirers -- today announced a firm commitment to a broad industry migration to chip technology. The migration to chip card technology represents a significant change in the Canadian payments landscape, and this large-scale coordination of key players is an important step in ensuring a smooth transition for all participants in the electronic payments system.

While each organization provides their own proprietary security offerings, the payment card industry has come together to ensure a common set of international standards around this new technology. These global standards, known as EMV(TM), allow for the harmonizing of policies, procedures and technical standards, ensuring interoperability among all payment schemes and thereby simplifying the implementation requirements for payment system participants, including merchants. The adoption of these international standards also ensures that participants in the Canadian payments system will utilize established technology, which has been tested and proven in other countries that have already migrated to chip.

The move to chip card technology is the latest innovation in the rapidly-changing debit and credit card environment, and demonstrates the industry's efforts to further secure Canadian electronic payments. Already tested, proven and in wide use around the world, chip cards provide unparalleled security for the payments industry. Chip cards are plastic cards with an embedded computer chip and provide the ultimate in protection against counterfeit and lost and stolen card fraud. In addition to providing increased security, the innovative technology behind the chip card also affords both merchants and cardholders greater convenience at point-of-sale.

This multilateral announcement follows individual announcements by Interac Association, MasterCard and Visa regarding their respective intentions to move to chip card technology, with each organization setting out individual timelines for migration. Beginning in 2007, many merchants and cardholders will start to see the introduction of cards that feature chip technology, and within three years of this date, it is expected that the majority of cardholders and merchants will be able to fully benefit from this new technology.

The migration to chip card technology represents a forward-looking evolution of electronic payments systems designed to make an already safe payments system even more secure. During the transition period to chip, magnetic stripe cards will continue to provide Canadians with a safe, reliable and convenient method of payment. In addition, cardholders can continue to place their confidence in the protection afforded by the additional security features offered by individual organizations.

Smart Card Alliance Transportation Council Announces First Year Successes, New Officers, Upcoming Initiatives


The Smart Card Alliance Transportation Council today announced its first year results, upcoming project plans and new officers, including its new Chair Paul Korczak from MTA New York City Transit. A focused group within the overall structure of the Alliance, the Transportation Council works to help accelerate the deployment of standards-based smart card payment programs within the transportation industry.

First year Council participation exceeded expectations, including ten top tier U.S. transit agencies. In addition to transit agencies, the Council's 43 members represent a cross-section of the industry, including chip and card suppliers, transportation system suppliers, systems integrators and financial services providers. New members joining the Alliance and participating in the Transportation Council include ACS, Massachusetts Bay Transportation Authority, METRO -- Southwest Ohio Regional Transit Authority, San Francisco Bay Area Metropolitan Transportation Commission, Metropolitan Transportation Authority Bridges and Tunnels, MTA New York City Transit, Port Authority of New York and New Jersey, Parcxmart, PBS&J, PepperCoin, Scheidt & Bachmann, TransitCenter, Tri-County Metropolitan Transportation District of Oregon (TriMet) and the Utah Transit Authority.

"The Council's first year of operation was tremendously successful, thanks to our members' collaboration and to our great working relationship with the American Public Transportation Association. The Council has been able to move forward with projects that look at how to bring smart card-based payments to the public in different transportation segments," said Randy Vanderhoof, executive director of the Alliance.

The Council's first major accomplishment was publishing the white paper, Smart Cards and Parking, available at The white paper attracted broad Council member participation and includes extensive industry information on the use of smart cards in both parking and transit.

"The high level of participation in the Council and the excitement around its projects this year really illustrate that the transportation industry is serious about accelerating the use smart cards for payments across the many modes of transportation and transportation-related services. It was great to be able to work as chair to lay the groundwork for this Council and to help further the progress of this technology in this market," said Greg Garback, executive officer, department of finance, Washington Metropolitan Area Transportation Authority (WMATA) and the exiting co-chair of the Council.

The Council elected new officers and steering committee representatives in February. New Transportation Council officers are:

-- Chair: Paul Korczak, MTA New York City Transit
-- Vice Chair, Transit: Chris Cipperly, WMATA
-- Vice Chair, Parking: David deKozan, Cubic Transportation Systems

New steering committee representatives are:
-- Willy Dommen, Booz Allen Hamilton
-- Michael Laezza, ERG Group
-- Ashi Majid, Infineon Technologies
-- Tomas Oliva, TriMet
-- Tim Weisenberger, U.S. Department of Transportation/Volpe Center
-- Bob Wilberger, Northrop Grumman Corporation

Also elected and serving in a non-voting, advisory capacity are:
-- Mike Dinning, U.S. Department of Transportation/Volpe Center
-- Greg Garback, WMATA
-- Martin Schroeder, American Public Transportation Association

"This is an important time for the transportation industry, as business cases for expanded use of contactless smart cards in both transit and in banking are emerging. In large part, the impetus comes from a market-driven business interest to address micropayments," said Paul Korczak, assistant chief officer, MetroCard Sales Operations, MTA New York City Transit and incoming chair. "As such, this year will be an important time for the Transportation Council to work on projects that look at how, in the context of emerging business cases, a broad interest in open, interoperable system solutions can be joined with advances in contactless smart card technology to improve customer service and the cost effectiveness of transit fare payment."

Council priorities for 2006 include:

-- Exploring linkages between transit payment and new contactless
financial payment approaches.
-- Collaborating with the APTA Universal Transit Farecard Standards
Taskforce to examine the need for a security specification for the UTFS
standard for transportation electronic payment systems.
-- Expanding on parking activities of the past year to engage with
organizations deploying parking payment solutions and to discuss linkages
between existing transit payment approaches and parking payment systems.
-- Developing a white paper describing multi-use vs. multi-application
cards for transit payment.

The Transportation Council is open to participation from any organization that joins the Alliance and the Council. For more information, please visit

Payment-card companies agree on standard


Globe and Mail Update POSTED AT 2:24 PM EST ON 13/03/06

Moving through a store's checkout will soon become an entirely different process as a result of an agreement among the country's top payment-card suppliers to move to microchips.

In an announcement Monday, MasterCard, Interac and Visa announced an industry-wide drive to ensuring a smooth transition to chip technology, which eventually will make credit cards, as we know them, obsolete.

Chip-card technology, as it is called, are plastic cards with embedded computer chips, and their makers claim they provide the ultimate in protection against counterfeit and lost and stolen card fraud. The technology also offers merchants and cardholders greater convenience at the checkout line.

While each payment-card supplier provides its own proprietary security offerings, the entire industry is set to agree on a common set of international standards for chip cards. These standards, called EMV, harmonize policies, procedures and technical standards, ensuring interoperability among all payment schemes. The result, the card-makers say, will simplify the way both merchants and customers make their transactions.

These international standards will use internationally accepted technology, which has been tested in other countries that have already migrated to chip. During the transition to chip-card technology, shoppers will still be able to use magnetic-strip cards.

This multilateral announcement follows individual announcements by Interac Association, MasterCard and Visa regarding their intentions to move to chip card technology.

Merchants and cardholders will start to see the introduction of cards that feature chip technology in 2007, the group members say. The majority of cardholders and merchants will be able to fully benefit from this new technology three years after that.

Pick a card, any card or your number is up

By Isabel Berwick

Published: March 10 2006 17:56 Financial Times

Checking out of a swanky hotel last weekend, I handed over my credit card so that the steep bill could be forgotten for a month (or three). But after several incorrect attempts, the Pin was locked. I was also hazy about the Pin on a second card, so both cards ended up being rejected.

It’s a scene that has been repeated across the country, as new rules that came into force last month demand that consumers with “chip and Pin” cards use their four-digit personal Pin to pay for face-to-face transactions.

This hotel was perfectly within its rights to refuse to allow customers to sign for the bill in the old-fashioned way. But it was a lousy conclusion to the weekend and made me determine to jettison all the plastic and use just one credit card with a memorable Pin.

If, as some experts predict, other consumers have had similar problems remembering multiple Pins and switch to a single credit card, this will have a huge impact on the credit card market.

At the moment, the average consumer carries four pieces of plastic (an unwieldy 2.3 credit cards and 1.6 debit cards). The good news in this should be that card issuers will have to compete more aggressively for our business.

Not surprisingly, big credit card issuers refuse to comment on this yet, saying it’s too early to estimate the impact of compulsory “chip and Pin”.

But Mark Bowerman at the payments trade body Apacs says: “It is looking like the number of credit cards in issue is decreasing. It has flattened off, partly because of debt issues – people don’t want to take on more debt.”

Richard Thompson, partner at PricewaterhouseCoopers, researches trends in the credit card industry. He says: “We do think chip and Pin will reduce the number of cards used.

“The key for issuers is to be ‘front of wallet’ – there will be a focus on reward schemes matched to lifestyles and what people value.”

Thompson believes the future of credit cards lies in this “lifestyling” – issuers will hope to become the “winning” card in the wallet because their brand and offers appeal to customers’ wider lives and aspirations.

This might include an expansion of useful loyalty schemes (airline offers or cashback deals) as well as altruistic schemes – such as Amex’s new “Red” card which donates 1 per cent of customers’ spending to fund programmes in Africa helping women and children affected by HIV/Aids.

For those who don’t want (or can’t afford) to ditch excess cards, the obvious solution to the problem of multiple Pins is to go to a cash machine and switch all the cards to a single Pin.

The catch is, of course, that you’ll need to remember the original Pin, or get a reminder from the issuer, in order to change it.

A single Pin for all cards is not recommended practice from a security point of view, but Apacs takes a pragmatic view.

Mark Bowerman explains: “What we say is that if you are struggling to remember numbers, rather than writing them down, change them to the same number. It’s down to each person as to how many different Pins they can remember.”

Citibank card fraud - magnetic strip to blame?
Gartner predicts more ATM hacks...

By Dan Ilett

Published: Friday 10 March 2006

A Citibank ATM network breach in Canada, Russia and the UK could have been prevented if the bank's US customers had chip and PIN technology on their cards, a leading analyst has said.

Citibank this week admitted that hundreds of its US customers had been affected when hackers broke into the ATM network through a retail store server and stole a "block" of PINs and the keys to decrypt them.

Avivah Litan, a research director for Gartner, told "You won’t have the same problem with a chip card. They are hard to duplicate but it's pretty easy to copy a magnetic stripe."

Phishing was last year but banks have wised up to that, so now it's the PIN block fraud. Certainly this is a pot of gold for them.
With a PIN-block, hackers break into retailer servers and steal a chunk of PINs, then create counterfeit cards that enable them to withdraw cash at ATM machines. Litan wrote that in this case the thieves probably stole magnetic-stripe data found on the back of ATM cards.

She said: "What's really exposed are the retail systems that use the ATM system. It could have been an insider – it's very hard to know. It was someone who had access to the [encryption] keys data. They were very skilled."

The analyst said the crime reflects the largest PIN theft to date and the financial industry will be hit by more PIN-block fraud in the future.

She said: "Phishing was last year but banks have wised up to that, so now it's the PIN block fraud. Certainly this is a pot of gold for them.

"What's better – going for cards or going for the details? This is the simplest way – breaking into the bank using the ATM system. With the UK it was because Americans go there and use the magnetic stripe [on their cards]."

Earlier this year, reported that the major security weakness in bank cards is in the magnetic strip because it is easy to duplicate. The technique is known as skimming.

Martin McMillan, CEO of Level Four, a company that builds software and testing tools for ATMs, said: "If you were to have a chip-only card, skimming would disappear. As long as you have a magnetic strip on the back of the card it will be susceptible to skimming."

Citibank confirmed only US customers had been affected by the theft. It is now reissuing cards to customers whose accounts were blocked after the fraud was discovered.

A spokesman for Citibank told "All this occurred because of a breach at a company in the US. There was a small proportion of customers who were affected. We are not aware of customers affected outside the US."

Government Smart-Card Project Hits Snags on Fingerprints, Costs

By Stephen Barr

Tuesday, March 7, 2006; Washington Post Page D04

The government's smart-card project appears at risk of falling behind schedule.

Federal agencies are supposed to begin issuing government-wide identification cards that can vouch for the identity of federal employees and most contractors in October, but the Government Accountability Office warns that setting up and testing new ID systems may not be completed within deadlines set by the Bush administration.

The GAO reviewed the progress of six agencies in developing smart-card systems and found differences in implementation plans, which could hamper efforts to create a government-wide ID card accepted by all agencies. The congressional watchdog agency also found a lack of reliable information about the costs of buying cards and equipment and modifying software systems.

"We acknowledge much more work must be done in order to be successful," the Office of Management and Budget said in a letter accompanying the GAO report. The letter was signed by Karen S. Evans , who is in charge of technology policy at the Office of Management and Budget.

President Bush launched the smart-card project in August 2004, calling for more secure and reliable forms of identification for government workers as part of a broader effort to keep terrorists, criminals and other unauthorized people from getting into federal buildings or hacking into computer systems.

Federal employees are issued a variety of ID cards, and many can be easily forged or altered to gain access to federal buildings. Some agencies, such as the departments of Defense and State, have developed versions of smart cards for many of their employees.

Smart cards, which resemble plastic credit cards, are embedded with a computer chip that permits an exchange of data with another system. The card can store biometric information, such as fingerprints, and can track where a person goes, based on clearances through security checkpoints. In addition to building access, smart cards can be used to supplement passwords for logging onto computers, with users inserting the card into readers on their desktops.

Under the federal project, cards must display the name of the government employee or contractor, a photograph, the name of their agency or affiliation, a serial number, and an expiration date.

There is no estimate of how many smart cards will be handed out across government (although the Defense Department has said it plans to issue 3.6 million cards to the military, civil service, contractor and other employee groups).

The administration's timetable requires agencies to start issuing cards Oct. 27 and to verify or complete background investigations on employees and contractors in 2007 and 2008.

But the project has hit some snags. The original guidelines called for the cards to carry electronic representations of two fingerprints, but the GAO said agency officials have objected because reading two fingerprint images will require a large amount of computer memory.

The GAO report said it could take 30 seconds to read the fingerprints, "a length of time that would likely cause unacceptable delays in admitting individuals to federal buildings."

Some agency officials prefer to store only details of the ridges in a fingertip, which would cut the transmission time between the cards and card readers to less than 10 seconds. But GAO said that the partial images are of "questionable reliability" and that vendors use techniques that are "proprietary and incompatible." Efforts are underway to resolve the matter, GAO said.

The cost of converting ID systems, however, may be one of the largest problems facing the government. The GAO said some agencies may find it difficult to cover conversion costs out of existing budgets.

"Agencies have been faced with having to potentially make substantial new investments in smart card technology systems with little time to adequately plan and budget for such investments and little cost information about products they will need to acquire," the GAO said.

Stephen Barr's e-mail address

Chip-and-pin 'cuts fraud by 13%'

BBC News - 6 March 2006

The new cards are helping to cut fraud
The chip-and-pin system cut plastic card fraud by 13% in 2005, according to the Association of Payment Clearing Services (Apacs).
Losses due to the fraudulent use of credit and debit cards fell last year by £65m to £439m.

Most categories of fraudulent card use dropped, except for transactions over the phone, internet or by mail.

Chip-and-pin cards were introduced in 2004, with their use becoming required in shops from February this year.

The new type of card appears to have brought a decisive turnaround with fraud levels now back to the levels last seen in 2003.

In 2004, as the new cards were being introduced, card fraud continued to shoot up, by 20%, costing banks and retailers more than half a billion pounds.

Sandra Quinn of Apacs hailed the impact of chip-and-pin, which has been rolled out to most of the UK retailing and banking industries since October 2003:

"Seeing card fraud losses come down is cast-iron proof that chip-and-pin is doing its job.

"Back in 2002 we forecast that fraud would have risen to £800m in 2005 if we didn't make the move to chip-and-pin so it's heartening to see total losses well beneath this figure" she said.

Four digits

Chip-and-pin cards require people to enter a four-digit number into a terminal at the point of sale, rather than relying on a signature which can be forged to authorise a purchase.

The new cards were first tested in Northampton in 2003, although that was ten years after they had been successfully introduced in France.

Since 2003, the use of the Pin numbers has become increasingly widespread.

Last month banks and retailers started to tighten up the system by curtailing the ability of people to continue signing for purchases if they have forgotten their pin numbers, or if they have never memorised them in the first place.

Falling fraud

The biggest drop in card fraud last year was where they had been stolen or lost in the post before reaching their legitimate owner.

That dropped by 45% to just £73m.

This was partly because the new cards, which are harder for thieves to use, have now replaced the older versions.

Apacs also acknowledged that fraud using cards stolen in the post has dropped because the surge of new cards being sent out has passed.

Other types of card fraud also saw significant reductions.

The use of cloned or skimmed cards was down 25% and the use of those lost by, or stolen from, their rightful owner fell by 22%.

However fraud where the card was not present, such as for phone or internet purchases, continued to rise and was up by 21% at £151m.

The banking industry is now trying to develop technology to rein this in, for example by devising small handheld card readers which will let people tap in their Pin numbers to verify phone or internet transactions.

Security Tackles Smart Card Hackers

By Christine Evans-Pughe -- Electronics Weekly


Troublesome people, hackers.

A weekend with no interruptions and by Monday they will have dreamt up a clever new way to steal your electronic data. For a device with an accessible security chip (typically we're talking about smart cards), a nice entry point is the information that leaks out through the way the chip operates.

By monitoring standard characteristics such as execution time, power consumption and electromagnetic radiation and then applying statistical analysis techniques, hackers have very quickly extracted security keys from microprocessors, DSP, FPGA and ASIC-based encryption systems.

At the DAC conference last summer, Kris Tiri from UCLA and Ingrid Verbauwhede of the University of Leuven in Belgium, presented a paper that described how they found the key of an unprotected ASIC advanced encryption standard (AES) implementation in under three minutes using one of these non-invasive "side-channel" attack techniques.

As ever more critical personal information gets stored in encrypted form on silicon chips (passports and now ID cards being prime examples), there is a growing need to find design techniques and methodologies that guard against such potential security breaches at the design start.

The best known side-channel attack is differential power analysis (DPA), first described by Paul Kocher in 1998 (this was what Tiri and Verbauwhede used). The DPA attack uses the fact that power is only drawn from the power supply when a zero to one output transition occurs. You measure the power consumption of the chip while it carries out several hundred cryptographic computations with different data.

Statistical analysis is used to retrieve information from the power consumption variation that is correlated to the secret key. It is only necessary to know which algorithm is being used and to have access to plain-text or cipher-text data.

A radical recent advance in this sort of attack is differential electromagnetic analysis, in which a small coil or other magnetic sensor is brought to the surface of the chip itself. The attacker sees not just the gross power signal, which is a composite of the power drawn by all of the circuits in the chip, but also a local signal correlated with the power drawn by some target circuit.

This can yield far more information, particularly if a number of coils or sensors are used together. "You could land one coil over what you know is a bus and something else over what you know is the processor and another over memory," says Simon Moore, senior lecturer at the Cambridge Computer Lab.

Introducing Jitter

Most smart card chips are now designed to ensure that signals emanating from 'leaky' parts of the circuit are minimized by reducing power consumption and by adding noise. But these techniques cannot prevent an attack like DPA that relies on the elements of the signal being lined up and compared rather than being lost in noise.

A next line of security might be to add time-dependent countermeasures, says Ken Warren, Smart Card business manager for Cryptography Research (CRI), a firm founded by Paul Kocher to license IP for chip security. "If you can introduce indeterminacy and jitter in the timings either by variable clock periods or by introducing dummy calculations, that can help," explains Warren.

CRI has encountered implementations where conditional branching can be determined from observing differences in execution time from analysis of power consumption traces. "Balanced power consumption circuitry and execution timing techniques are most effective when embedded into the processor design," he says.

More complicated software and hardware countermeasures also exist. CRI, for example, has IP for adding randomness to calculations. It also licenses algorithmic countermeasures that involve introducing transformations or permutations prior to the calculations.

At the protocol level, it has techniques such as diversifying a key faster than the circuit is leaking information. "If you calculate the circuit is leaking half a bit per transaction and you change the key every ten transactions, you know the attacker can't get enough information to find the key," Warren says.

Key diversification techniques have been used to design leak proof algorithms to secure financial transactions in banking smart cards.

Utilizing EM Simulation

An important way forward is to analyze as you design. Simon Moore and his colleagues Huiyun Li, and Theodore Markettos at Cambridge Computer Lab, for example, have just published a paper that shows a way to validate for security during design time, in this case looking at data dependent electromagnetic (EM) emissions coming from asynchronous and synchronous processors.

The most straightforward way to simulate EM waves propagating in a circuit is to use a 3D or planar EM simulator, which involves solving Maxwell's equations for the electric and magnetic vector fields in either the frequency or time domain. However, a full-wave field simulator is too time-consuming for chip-level analysis.

In addition, different types of electric and magnetic sensors measuring in the near or far field are used in EM attacks, all of which require different simulation methods. And to add to the complications, you need to take account of modulated EM emissions as well as the direct EM emissions.

The Cambridge Computer Lab's team has taken the approach of partitioning the system into two -- the chip and the package. The package is simulated by an EM simulator and modeled with lumped components, R, L and C. The chip, incorporating the packaged lumped parameters is then simulated in a circuit simulator like Spice, which obtains the current consumption of the system.

The security evaluation methodology involves a procedure of data processing on the current consumption to simulate EM emissions. EM analysis on a small block such as an ALU can use a Verilog/Spice co-simulation that allows various instructions to be executed and modified through testbench files written in Verilog.

Once the current data for the desired block or whole processor is collected it is passed to Matlab and is processed to implement differential electromagnetic analysis according to the sensor types and emission types.

Another group looking into design-time security analysis is the SSCO (small secure communicating objects) research project, which is part of southern France's CIM PACA (Centre Intégré de Microélectronique de Provence-Alpes-Côte d'Azur), a major co-operative scheme covering SoC design, physical characterization, and micro-packaging.

The SSCO partners Atmel, ASK, Mentor, Philips, STMicroelectronics and University of Nice are developing a methodology for designing and optimizing the configuration of communicating objects at the system level. The idea is to be able to simulate, analyze and verify the whole communication chain, taking into account the required frequency range, the protocols, the modulation, the baseband functions, the RF, the antenna, as well as the propagation channel.

"The interest is to be able to mix different levels of abstractions depending on the criteria or problem you're interested in. VHDL-AMS will be the kernel of the simulation linked with Matlab Simulink. This allows us to go from specification all the way down to hardware implementation using the same environment and testbench and signal post-processing," explains Professor Gilles Jacquemod, who is in charge of the project at the University of Nice.

"Hackers can currently track the security protection through the weakness of the system by looking at hidden channels between analogue and digital blocks. Mixed-signal simulation enables better design and analysis of that part," explains Jean Oudinot, Mentor's European product specialist manager for analog mixed signal.

Hacking techniques are a moving target but the industry can be equally ingenious. At SAME, for example, STMicroelectronics presented a paper on ways of making scan-chain test circuitry hack-proof.

One suggested countermeasure was to design the test circuitry so it re-scrambled itself into a completely different orientation every few nano­seconds. That will fool them for a while.

Finnish Merchants Fail To Move On EMV

Card Technology - (2006-02-28)

In Finland, merchants own 100% of the point-of-sales terminals and fraud amounted to no more than a few basis points last year.

It’s little wonder then that fewer than 5% of the POS terminals in the Nordic country are able to accept payment cards complying with the international EMV standard. Banks have converted as many as 80% of their online debit cards from magnetic stripe to more secure EMV chip cards. But few of the transactions comply with EMV.

“Big retailers have done little (with their terminals); fraud is not a big a problem,” says Jarkko Anttiroiko, vice president in charge of card issuing and development at OP Bank Group, one of Finland’s largest issuers. He estimates fraud accounted for some few millions out of 24 billion euros worth of payments in 2004. That trend continued in 2005.

The failure of merchants to move to EMV could be a problem as eurocrats try to introduce a common payment card scheme, known as the Single Euro, or European, Payments Area, known as SEPA. Anttiroiko represents Finnish bankers on the cards working group of the European Payments Council, the group that is trying to bring about voluntary compliance with the SEPA mandates.

Those mandates say that all debit card transactions within at least the eurozone countries will have to comply with EMV by 2010. Finland is one of 12 current eurozone countries, but Anttiroiko has his doubts merchants will hit the SEPA deadline.

“That’s one of the challenges in the Finnish market, how to force retailers to invest,” he tells Card Technology. “There is no SEPA for retailers. They have no obligation.”

Of course, if banks cannot acquire non-SEPA payment card transactions after 2010, then merchants that want to accept cards would be forced to switch. The European Commission could also step in with penalties on merchants. But for now, banks on the European Payments Council will have to think of other incentives to encourage merchants in Finland and other low-fraud countries to buy into EMV.

UK Retailer To Issue Smart Cards To Employees

Card Technology - (2006-02-28)

Beginning later this year, UK retailer John Lewis Partnership will begin the conversion of a disparate employee ID badging system into a unified one, says Siemens Communications, a vendor working on the project. The dollar value of the deal was not disclosed.

The retailer, which operates 27 John Lewis department stores and 174 Waitrose supermarkets, has about 63,000 employees. Miles Knapman, project manager at John Lewis Partnership, tells Card Technology the goal is to have a single card that employees can use for cashless vending, building access and secure logon to networks.

Currently, because each location had been left alone to choose its own employee badge program, and partly through acquisitions, an employee from one store may not be able to use that badge at another store, whether it’s to log on to the network or gain entry to a building, Knapman says. Some locations still have paper ID cards, he says.

The exact configuration of the new cards will depend on what the employee needs, he explains. Some may carry a bar code in addition to a contactless chip. Others may have a contact chip as well. Cost will be another factor in deciding who should get a dual-chip card, Knapman says. Those cards cost about £5 ($8.78) each. “At the moment, that’s a bit expensive,” Knapman says.

Keeping those cards updated, and ensuring they are deactivated as workers leave the company is a sizable task, but one that Knapman expects to be manageable. Rather than rely on someone in the information technology department to administer the smart cards, John Lewis Partnership will funnel that task to its human resources staff, Knapman says, via Siemens-developed integration software, called DirX. The data maintained by the HR staff will be channeled through that software to a card-management system from UK-based Intercede, which says this will be the first implementation of the Siemens software with its product.

When a new employee begins work, the HR staff enters the relevant information, and then orders a new card. HR workers won’t have to know how to run the card-management system.

Though the company’s locations are spread throughout the UK, John Lewis Partnership has chosen a centralized issuance system to limit costs, Knapman says. Each card printer costs about £5,000 ($8,769). “We have more than 200 locations,” Knapman says. “We thought, ‘We can’t do that.’” That leaves some questions about how to handle visitors to company locations, and how to have cards ready on an employee’s first day. Knapman says those issues are still being worked on.

RBC rolls out Speedpass contactless payments keyring to debit card customers

Published: 03/03/2006 09:34:00

Royal Bank of Canada (RBC) has begun rolling out Speedpass with debit, a key ring device that transmit payment instructions to specially fitted terminals at ExxonMobil petrol stations in Canada.

Speedpass with debit is linked to RBC's Client Card so that customers don't have to use the actual card to pay. Instead customers point the key tag at specially fitted terminals on the pump or in the store, select the account and enter their PIN. Funds are automatically debited from the chosen account.

RBC says the contactless system is secure as everytime a purchase is made a PIN is required and there is no personal, credit or bank account data stored on the keyring.

The bank's credit card holders have been using the Speedpass keyrings since 2001, but RBC says this is the first time the technology is being rolled out to debit card custoemrs. Different coloured key tags will help customers distinguish between credit and debit payments - black for credit and blue for the new Speedpass linked to debit cards.

Doug Collins, VP, consumer accounts and payment services, RBC Royal Bank, says: "This new feature offers our customers another payment option at the pump or in the store. It's like using our client card without the card."

Chip-sandwich gives 100x capacity

Using an innovative "chip-sandwich" technique that involves face-to-face interconnection, Infineon is able to design chip card ICs that offer more than 100 times the memory capacity of today's chip cards, while just doubling chip area.

Infineon's face-to-face technology is an advanced stacking method of two or more chips that allows the design of high-density, space-saving chip systems for chip card applications. Face-to-face chips can be visualized as a sandwich in which the two "buttered" open-faced sides, meaning the chips' functional areas, are laid one on top of each other. Without extra wire bonding, the chips - for example a security microcontroller and a memory chip - are mechanically and electrically interconnected via hundreds of tiny contact pads on top of the chips, resulting in higher performance and memory capacity on the same chip area, while at the same time fitting into a standard chip card specific package.

The benefits of the face-to-face technology are manifold: Depending on hardware customisation or application needs, this flexible approach allows stacking of chips with diverse interfaces, such as USB (Universal Serial Bus), SPI (Serial Peripheral Interface) bus or ISO14443 interfaces, as well as asics and fpgas and chips manufactured using different processes and technologies, such as EEPROM, Flash, NROM (Nitrided Read Only Memory), etc.

The new SLE88CFX1M00P, which belongs to the company's 88 family of 32bit chip card controllers, provides eight times the memory capacity of today's chip card controllers with 128Kbytes of memory. It combines the 88 family's integral security concept, its integrated intelligent power limitation system for very low power consumption and powerful peripherals, and the capability to swiftly adapt the performance to application requirements.

The controller also allows multi-tasking and multi-application operations of finance, identification and access control applications.

Brits Love Online Banking As Alliance & Leicester Introduce New Security

Mike Slocombe

03 Mar 2006

Almost 60 per cent of Britons rely on the Internet to do their banking, according to new research commissioned by the Alliance and Leicester bank.

Surveying around 2,400 people, the study found that just under one-third (29 per cent) use Internet banking between once and twice per week, with just over one in 10 (12 per cent) logging on to their bank everyday

The YouGov survey revealed that there's been a 63 per cent rise in people managing their bank accounts online since 2003, with balance checks proving the most popular activity (96 per cent) followed by money transfers for payments (76 per cent).

It seems that people still prefer to sort out complex problems by visiting the bank, and of those folks who choose to avoid online banking, over a fifth (21 per cent) said they preferred to deal with people face to face, with 13 per cent expressing concerns about security.

With this in mind, the Alliance & Leicester has announced that it will become the first UK high street bank to give all its customers two-factor authentication technology.

Designed to cut down on identity theft and online fraud, the two-factor authentication compels users to provides two means of identification.

This usually involves something that has been memorised by the user (like a password or special code) along with a physical device that generates random numbers or code.

With this security double whammy, hackers who have managed to capture the first pass code should be unlikely to proceed because the customer then needs to generate a new code to authorise online transactions.

The authentication technology will also be used to prove the authenticity of a bank's Web site, and this should help clamp down on phishing sites.

The bank hasn't revealed any further details yet, although it has said that the initiative would be a "simple and robust way" for customers to be confident that "their data online is safe from criminals."

Other banks are also jumping on the security bandwagon, with Barclays running a new chip card reader trial involving 5,000 customers and staff, while Lloyds TSB is close to completing an exhaustive six-month test of a keyring type device.

The trial involved 30,000 UK online customers, with Lloyds TSB declaring itself well chuffed with the initial findings, which produced a healthy 78 per cent adoption rate amongst users.

Around 95 per cent of people using the device said they found it easy to use with the bank claiming a 100 per cent success rate in reduction of fraud among users.

Despite its success, Lloyds said that the current trial was more about testing consumer response to the technology, and it's more interested in working to meet banking industry group Apacs' universal security standard that will eventually be used by all banks.

As more banking activity goes online, the face of High Streets looks set to change forever, with the Economic and Social Research Council recently concluding that the rise of Internet and phone banking has led to more branches being closed. 

The Little Balkan Bank that could do Two-Factor Authentication

By Margaret Locher

By the end of this year, U.S. banks will be required to have two-factor authentication on their websites to provide a more effective means of confirming their online customers' identities.
If the experience of a small Central European bank is any indication, the process to implement such authentication systems could be challenging and costly. Gojmir Nabergoj is senior adviser for Banka Koper, a Slovenian bank based at the Adriatic Sea port of Koper. Banka Koper earned about $26 million in net profits in 2004. Nabergoj says his bank finished its successful implementation of two-factor authentication for online customers last summer after three months of work.
The bank started online banking with a user ID and static PIN, then introduced a PKI-based system with a smart card reader; however, not many customers used it because of its complexity. So the bank equipped its customers with card readers at no charge. The readers allow a chip card holder to access the bank's services using onetime password authentication.
Nabergoj says the bank also introduced customers to the onetime password device and authentication service in person, not by e-mail. Now, three months after deploying onetime password devices, Banka Koper has almost 16,000 users, or 82 percent of its online banking customers.
The system means that cards with a magnetic strip are no longer at risk for fraud or theft. Nabergoj says that replacing the magnetic strip cards with the chip cards "was very expensive," costing between 150,000 and 200,000 euros (about $181,000 to $242,000).
Ron Carter, director of payment solutions at identity management vendor nCipher, helped Banka Koper with its implementation. Carter says that the cost of two-factor authentication systems, including chip-cards and back-end systems, has been the main barrier to their adoption in the United States. The prevalence of chip-based smart cards in Europe makes the adoption of the systems easier there.
One aspect of Banka Koper's experience will resonate with American security executives: The most difficult part was convincing the bank's management that it was the right thing to do. It took a successful test of the technology for them to buy into the benefits of flexibility and security, Nabergoj says.