Selected Press Releases As Smart Cards Continue to Emerge in January 2007

Chip-based cards may cut into fraud

But wide use could take up to three years

Jan 30, 2007 04:30 AM

  business reporter

Credit and debit cards embedded with computer chips have virtually wiped out the kind of security breaches that compromised millions of cards used at Winners and HomeSense stores in Canada, industry officials say. But it will be another three years before the cards are widely available in Canada.

Some Royal Bank Avion cards have embedded chips, but few merchants are equipped to take advantage of the feature. The cards are for the convenience of international travellers.

The first major rollout in Canada of chip-based cards will begin later this year as consumers' existing cards begin expiring, according to Visa Canada. Some Canadian retailers already have the kind of readers required to use the cards, but it will take until 2010 to replace all the millions of cards and card readers in use across Canada.

"It's really a large-scale investment on the part of the payments industry," said Kirkland Morris, assistant vice-president of strategic policy and programs at the Interac Association of Canada.

Interac, which represents debit-card issuers in Canada, along with Visa and MasterCard in Canada are participating in a pilot project this fall in Kitchener-Waterloo to test the cards, as well as the readers and network required for processing.

Countries in Europe and Asia that have adopted chip cards, also called smart cards, say the cost of card fraud has been cut by as much as 80 per cent. "We're really excited about what this is going to do for us," said Gord Jamieson, director of risk management and security for Visa Canada.

Card fraud in Canada is a multi-billion-dollar problem that's growing every year, partly because fraud artists have moved to countries that don't yet have chip technology, Jamieson said. Last year, credit- and debit-card fraud added up to more than $360 million, with credit cards bearing the brunt of the cost and counterfeit cards accounting for most of the crime.

No one is guaranteeing smart cards will end the kind of fraud that occurred after hackers broke into computer at Winners parent TJX Cos. Inc., putting millions of cards at risk.

"We never say chips are impossible to crack," said William Giles, vice-president of advance payments for MasterCard Worldwide. "We're making it so the economics aren't there. If it takes you 20 years to do it, or costs $20,000 to do it, the economics aren't there. You may hear about labs that do attacks on chip cards. They're not economically viable attacks."

The fallout from the security breach at TJX continued last week as bankers in the company's home state of Massachusetts confirmed that a handful of the compromised cards had been used for fraudulent activity. In Canada, the banks say they are monitoring any exposed credit card account numbers but have not seen any suspect transactions so far.

"If we do, we're going to contact those customers right away," said Kelly Hechler, a spokesperson for the Toronto Dominion Bank.

Current security features limit credit-card fraud by making the cards difficult to replicate, said Visa's Jamieson. As well, banks and other card issuers have systems to issue alerts about unusual activity. In addition, Visa's Zero Liability policy means cardholders are protected from the cost of any fraud that occurs on their accounts.

Still, the TJX incident has prompted renewed calls from consumers for tougher protective security measures. The card industry says consumers will get that with the new chip-based cards.

The industry is also implementing two other features to curb fraud. For the first time in Canada, a consumer will have to punch in a personal identification number, or PIN, instead of a signature, to use a credit card. Merchants will also be required to meet tougher standards for the collection and storage of card data.

Though PINs don't eliminate fraud, they do make it more difficult, MasterCard's Giles said.

That security feature saved Canadian debit-card users from being compromised in the TJX breach, because the cards are useless without the PIN, Interac spokesperson Tina Romano said. "Debit cards in Canada were not affected," she said.

That's not the case in the United States, where some debit cards require only a signature.

The payment-card industry is already pressing retailers to meet higher security standards.

"We prohibit the storage of what we call full track data, which is everything that's on the magnetic stripe, including the account information, the expiry date and the CVV," a special security code, said Visa's Jamieson. "Obviously, not everybody adheres to that."

He said 94 per cent of Visa's top merchants in Canada are in the process of ensuring they measure up.

To the consumer, making a purchase with a chip-based credit card will seem fairly familiar. Much like with a debit-card purchase today, the consumer will put a card into a reader. But instead of swiping the card through the reader, the owner will leave the card in place throughout the transaction while punching in the PIN and confirming the purchase.

Behind the scenes, the transaction will look quite different, because the reader can now obtain much of the information it needs directly from the card, including the authenticity of the PIN, instead of retrieving it over the network from the cardholder's financial institution.

As well, the banks can continually upgrade and change the "public and private keys" used to encrypt the cardholders' data.

The cards could also reduce the risk of shopping online, the industry said, if consumers installed card readers at home to communicate with merchants' sites and require PINs before registering payments.

Security isn't the only reason the card industry can't wait to get smart cards into consumers' hands. The cards also open up a whole new window of marketing and promotion opportunities. Smart cards can be loaded, for example, with all the customers' loyalty-program information. Chip cards can be programmed to make small "contactless" payments – over wireless networks that don't require PINs – at such places as fast-food restaurants and transit stations where speed is of the essence.

So, if chip-card technology is so attractive, why is it taking so long to get to Canada, which is known for having a banking industry among the most automated in the world?


Europe got an early start with France adopting its own proprietary system in the 1980s. As fraudulent activity began migrating, France's neighbours had to follow its example to protect themselves.

But an international standard wasn't set up until 1996, said MasterCard's Giles. The fact that the U.S. shows few signs of adopting chip technology anytime soon is also a factor.

"We can't ignore the fact that we share a border with the U.S.," he said. He hopes Canada's decision to forge ahead will help spur on the U.S.

Meanwhile, Visa's Jamieson said, the number of people likely to be defrauded from the TJX security breach will probably be very small compared with the number the company said were compromised. TJX has said the hackers got access to cards used over a long period, including all of 2003 and from last May to December. That could encompass millions of transactions, observers have said.

But those cards and the networks used for processing are loaded with security features that make the cards difficult to replicate and use, he said.



Visa, Nokia Turn Phones into Wallets

Credit card company, mobile phone giant create system allowing consumers to pay for goods with their phones.

January 9, 2007

By Reuters

Visa, the world's biggest credit card payment system, has launched a global system to turn mobile phones into wallets for millions of customers in a deal with the world's top handset producer, Nokia.

Users can pay for groceries and other purchases by swiping a phone over a reader that electronically communicates with a microchip on the phone. Phone owners confirm the purchase with the push of a button and the deal is complete.

The platform is the result of many years of trials around the world and will enable mobile contactless payments, remote payments, person-to-person payments, and mobile coupons.

Consumers will also be able manage their payment accounts and funds from their mobile devices, Visa said in a statement issued at the Consumer Electronics Show here. IBM has also helped to create the mobile payment system.

Visa will use global technology standards which have been selected and developed over the past few years by groups such as the Mobile Payment Forum from the world's major credit card companies, telecoms operators, chip makers and handset vendors.

The wireless standard that will link mobile phones with payment systems in stores and elsewhere will be the Near Field Communication (NFC) chip, which will be hidden under the phone cover and makes contact when swiped over a reader.

This NFC technology, developed by former Philips chip unit NXP and Sony, is already widely used in public transport access cards.

Visa said its cards and payment systems currently generate more than $4 trillion in sales volume worldwide. On October 11, Visa announced plans to restructure its global operations and create a new publicly traded company called Visa.

The initial version of the mobile payment platform launched on Monday offers contactless mobile payment, personalization over mobile telephony networks, coupons and direct marketing.

Subsequent versions of the platform, to be made available later in the year, will include remote payment—also using mobile telephony networks—and person-to-person payment.

"This tiered launch approach enables Visa issuers and mobile industry partners to take advantage of near-term opportunities in specific markets and consumer segments now," Visa said.

Until now, mobile payment systems have been restricted to trials, and most test only one or a few services.

In October, Japan's leading credit card company, JCB Co., started Europe's first mobile phone credit payment trial with Nokia and Dutch telecoms operator KPN in seven stores in the Netherlands and among 100 card holders.

Other mobile phone payment trials in Germany and Finland enabled consumers to pay for public transport.

With Contactless, It’s Faster Payments That Draw Retailers the Most

(January 9, 2007)

The primary reason contactless payments are gaining favor with merchants has to do with speedier transactions and other point-of-sale efficiencies, while retailers installing or planning to install the technology show little concern about its security, according to a recent survey of retail companies. Some 58% of 160 respondents to the survey, which covered North America and Europe, said they plan to implement contactless payment within the next two years, while 30% have already done so. Of the 58%, those planning to install within a year accounted for 28 percentage points; within one to two years, 30. Retailers in Canada and the U.S. provided 54% of the responses.

As it turns out, though merchants generally are concerned about transaction costs and recognize contactless payments offer no direct benefit with respect to card-acceptance rates, they are drawn to the technology because it promises to speed up tender times and hike in-lane throughput, according to Sahir Anand, retail research analyst at Aberdeen Group Inc., a Boston-based research firm. Anand conducted the survey and analyzed its results.

So far, neither Visa USA nor MasterCard Worldwide has offered interchange incentives specifically targeted at contactless payments, so a contactless transaction costs merchants the same as if a card had been swiped. “The bulk of the respondents say the card associations are not offering anything remotely substantial, but cutting down on manual processing at the point of sale is substantial,” says Anand. This is especially true for cash-intensive businesses, he says, where contactless can replace bills and coins. “There’s less money handling and other input efficiencies, so there’s a hidden cost there that can be saved,” he says.

Indeed, among factors prompting merchants to adopt contactless, improved transaction volume and competitive differentiation rate highest, the survey shows. Meanwhile, the factors considered most important to achieving a return on investment in contactless, according to the survey, are process efficiency, transaction time, and customer satisfaction. The last two factors generated responses exceeding 60% overall. “They’re looking at how streamlined their lane experience is as a result of contactless,” says Anand. Studies by Visa, MasterCard, and American Express Co. have documented substantial reductions in average tender time for contactless transactions when compared with cash and conventional cards.

At the same time, merchants seem largely unconcerned about the security of contactless payments, which rely on radio waves to transmit card-account information to a POS device. Though recent reports have indicated heightened risk surrounding the security of payment data in contactless transactions—reports the card networks have rebutted—nearly three-quarters of respondents who had installed or are considering adopting contactless technology said they don’t view security as a “major factor in their planning or implementation strategy,” says an Aberdeen report. Indeed, 80% don’t see security “implications” as a reason not to consider contactless, the report says.

This result surprised Anand. “I was quite shocked,” he says. “It’s a valid issue.” He attributes it to retailers’ tendency to “absolve themselves” of liability for fraud losses related to cards, as well as to general confidence in security measures, including unique transaction codes and cryptographically protected transaction messages, that the card networks have introduced.

But, for all its progress so far, contactless does face significant concerns among merchants, according to the survey. Anand says these include the cost of transceivers, the devices that read the radio transmissions at the point of sale, and slow adoption among consumers. Merchants are concerned about whether the contactless “message is getting across to the average consumer,” says Anand. “A movie-theater chain said a lot of times a clerk has to suggest the use of contactless rather than it being impromptu.”


Apacs responds to chip and Pin scare
Banking association investigates warning that consumers could be duped

Clement James, 08 Jan 2007

The Association for Payment Clearing Services (Apacs) has responded to claims of a vulnerability in the supposedly watertight chip and Pin system.

Researchers at Cambridge University claimed last week that a flaw in the system could lead to consumers being duped by fake machines.

Steven Murdoch and Saar Drimer said that most discussions over the security of chip and Pin have focused on the tamper-resistance of terminals.

But this only ensures that the terminal will no longer be able to communicate with the bank once it has been opened.

This does not prevent anyone replacing most of the terminal's hardware and presenting it to customers as legitimate, so freely collecting card details and Pins.

The researchers took the chassis of a genuine terminal and replaced much of the internal electronics, taking control of the screen, keypad and card-reader.

To demonstrate the technique they uploaded a video of the terminal playing Tetris to YouTube.

Apacs, the payments organisation representing high street banks, said: " People could, in theory, use this to steal account details from cards. Our experts are in discussion with the manufacturers of terminals to see what can be done.

"However, we would say that this has only been seen in a laboratory so far. People would not be able to create counterfeit chip and Pin cards, but they could use this information abroad to make purchases."


Driving in Sri Lanka gets smarter

02 January 2007

Sri Lanka’s Department of Motor Traffic (DMT) is to introduce a new driving licence system using smart card and biometric technologies later this year.

The project will be rolled out by biometrics firm Face Technologies, which has formed a joint venture to handle the project with Austria Card as the technology partner and Metropolitan Group as its local partner.

The DMT will additionally implement a driving licence management system to streamline the personalisation, production and issuance of the new credentials. Each applicant’s photograph, digital signature and fingerprints will be captured when the application is submitted. The licence will then be processed, personalised and posted to the applicant within two weeks. The DMT also plans to introduce a priority same-day-delivery service.

The new smart card-format driving licence will include a microchip containing driver information such as digital photograph, fingerprint and digital signature. It could also contain additional emergency information, including the driver’s blood group and medical information. The card will use security printing features such as laser engraving, optically variable ink, holograms, guilloches and micro printing.

The entire project is being implemented on a build, operate and transfer basis. The supply contract includes all application software, computer infrastructure, servers, networking and work stations, as well as support and maintenance and operational services for seven years.

The driving license could also be extended to include integration with the country’s national ID card and the ePassport, as is being planned in other countries.

Tale of technologies

The Hamilton Spectator

(Dec 30, 2006)
The stripe

What: The black magnetic stripe on the back of your card that holds your banking information.

How it works: You swipe your card and punch in your pin number. The information is then sent back to your bank, which verifies a match and allows you to take out money.

How to crack it: Some fraudsters work with clerks, who swipe a customer's card twice -- once in the debit machine, and the second in an illegal, and likely hidden, card reader. Others sneak an inconspicuous card reader on top of an existing pinpad, which gathers information from the magnetic stripe without anyone noticing.

Skimmers also need the corresponding pin number, which they get from hidden video cameras.

The chip

What: A tiny computer with an operating system and software, just like your personal computer or laptop.

How it works: The chip "communicates" with the terminal, running through a host of security checks before sending the information to your bank, explains Kirkland Morris, assistant vice-president of strategic policy and programs for the Interac Association.

"It's embedded with cryptographic keys," he said. "It is very much like inserting a physical key into a lock and opening it, and it takes the right key to open the lock."