EMV ATM Solution Product Paper

  • 8/14/2019 EMV ATM Solution Product Paper

    EMV ATM solution Product Paper

    Product paper

    2005 CR2 Ltd. All rights reserved www.cr2.com

    EMV compliant ATM and debit card management solution

    This paper provides a thorough description of CR2's complete EMV compliant ATM and debit card solution.

    Background - EMV and Smart Card technology

    Since the introduction of chip card technology, Smart Cards have been seen as the ultimate replacement for the magnetic stripe cards used for credit and debit applications worldwide.

    Magnetic stripe cards in the 21st century have been developed and enhanced to the point that there is now little or no scope for further security enhancements for the prevention of fraud. Subsequently the level of card related fraud continues to grow globally and as a result leading card schemes, Europay, MasterCard and Visa (EMV) have started looking at alternative technology.

    Following their initial analysis, the concept of chip and PIN card technology was introduced. This simply requires the embedding of a computer chip on the plastic card. This new approach offers a number of significant benefits to the cardholders, retailers and financial institutions including:

    • Improved transaction processing
    • Advanced security features
    • Greater control of the security through advanced software application

    In the late 90s, an EMV mandate instructed that all financial institutions move to chip card technology. Specifications were released for issuers, acquirers and software suppliers. These specifications formed the basis for conformance to the new EMV requirements. EMV, as the standard is now known, aims to ensure that:

    • All cards and terminals used globally are compatible with each other
    • The same terminal and card approval processes can be used worldwide
    • The standards are fully open and published

    These basic provisions ensure that there is a global acceptance and compliance with the standard.

    The two main security features of EMV are:

    • Card Authentication Method (CAM) - protects the card against counterfeiting
    • Card holder Verification Method (CVM) - protects against lost and stolen cards.

    This involves online mutual authentication - the means by which an issuer can satisfy himself that a transaction has come from a specific and authentic card and that the approval/decline response has been sent by the authentic issuer.

    CR2's EMV solution

    CR2 is a leading provider of channel banking software and is continuously developing new solutions to allow financial institutions to conform to international standards.

    CR2's business is focused on offering leading-edge delivery channel and card-based solutions to the world market and has proven technology solutions in the following areas:

    • Channel Management
    • ATM management
    • POS management
    • Card Management
    • Internet banking
    • Mobile banking
    • Phone banking

    With these capabilities, CR2 is uniquely positioned to offer banks a one-vendor approach that guarantees their future position as a leading banking service provider.

    CR2 is already significantly advanced in the development of a fully compliant EMV product suite ranging from end to end ATM solution, POS solution, debit and credit card management, electronic purse solutions, as well as Smart Card production.

    EMV ATM and debit card management

    The EMV debit package includes the software and services necessary for an institution to issue and acquire internationally accepted EMV compliant debit cards. The ATM solution uses EMV Level 2 compliant cards.

    CR2 will work with banks to engage a vendor once the choice of personalisation solution has been finalised.

    The solution includes the complete range of business processes:

    • Card production
    • Card management
    • EMV ATM services
    • EMV ATM branding and software distribution
    • ATM network management
    • Connection to international payment networks
    • Connection to host system
    • EMV transaction processing
    • EMV acquiring

    EMV modules

    The following CR2 products are included in the EMV solution:

    • CardWorld Card Manager
        - EMV Chip card management
        - Lost and stolen card management
        - Card report generation
        - Card product configuration
    • CardWorld Producer
        - EMV chip card personalisation
    • BankWorld ATM
        - ATM services
        - ATM branding and software distribution
        - EMV ATM network management
    • BankWorld Card Gateway
        - Connection to International Payment Networks
        - Transaction monitoring to ensure they conform to network specifications
        - EMV transaction acquiring
    • BankWorld Channel Manager
        - ATM Transaction authorisation with the host

    Solution Diagram

    EMV chip card personalisation

    As EMV chip card personalisation is a complex process, CR2 has partnered with third party organisations specialising in chip card production. These include Datacard [1] (card personalisation hardware) and Thales E-Security (chip data preparation). CardWorld Producer prepares card embossing and encoding files to feed the card production devices.

    Alternatively CardWorld Producer can prepare data in a format that can be used by an external agency to personalise cards.

    In order to personalise cards, data must be entered into the CardWorld Producer module. This may happen in one of three ways:

    • Card file import
    • Online database import
    • Manual data entry

    The preferred method of card detail entry is via import files. This requires a file to be generated by the host detailing the accounts for which cards are to be issued.

    [1] Datacard Group is a leading card personalising solution provider, offering solutions for smart card programs, card issuance operations and digital identity programs.

    [Figure: card personalisation process. Labels: Step 1: Emboss and encode data preparation; Step 2: EMV chip data preparation; Step 3: Card personalisation; HS; Certificate authority, e.g. MasterCard, Visa; Magstripe Data (MSD) and Embossing Data (ED); Magstripe Data (MSD) + Embossing Data (ED) + SmartCard Data]

    EMV ATM services

    BankWorld ATM Client is the software that resides on and runs each ATM. Using a combination of key traditional and new ATM technologies, the multi-media ATM application allows financial institutions to provide an increased service offering to customers.

    ATM Client

    • Presents banks with the opportunity to launch chip card services
    • Provides Financial Institutions with a high profile, image enhancing multi-media ATM network which provides banks with a potential advertising platform. EMV and XFS compliant ATMs and hardware will be required
    • The Web technology allows banks to deploy a wide range of media and feeds as part of the customer interface. Of particular advantage is the fact that the customer interface is specified purely in HTML and XML requiring no proprietary languages or tools.
    • Provides banks with the option to offer secure standalone ATM services through CR2 proprietary track three processing. In cases where communication to the host is lost, BankWorld ATM Client is still able to offer cash withdrawal services.

    Supported services

    The following services are supported by BankWorld ATM Client:

    • Fast cash from the primary Account.
    • Cash withdrawal from any account linked to the card
    • Cash withdrawal in second currency
    • Balance enquiry for any accounts linked to the card
    • Statement request
    • Mini statements available on screen and hardcopy can be printed
    • Book request supporting paying in and cheque book requests
    • PIN change
    • Funds transfer between customer's bank accounts held on a card.
    • Deposit by cash, cheque, mixed deposits and deposit by instruction.
    • Bill payment by cash, cheque, account transfer or using a combination of deposits
    • Mobile top up

    These features include GUI applications that enable banks to drill down into ATM details and examine components of individual devices. The ability to remotely investigate device faults ensures that engineers are fully prepared before costly maintenance trips to remote locations are undertaken.

    ATM network management; Device status and service control

    Host connection

    BankWorld Channel Manager connects each of the channels to one or multiple back office information systems. This eliminates the complexities of adding new back offices as and when required by banks.

    CR2 has a highly skilled integration team and has built up a vast amount of experience to date in back office integration. To perform integration, a component needs to be developed which typically converts from our API formats to the format used by the Back Office system. CR2 refers to this component as a BOIS (Back Office Integration Service). There are already a number of BOIS available for many of the core banking packages.

    Sample List of BOIS

    • BankMaster - Misys
    • Equation - Misys
    • Iflex - Flexcube
    • Globus - Temenos
    • Midas - Kapiti

    The host connections can be provided over a number of communications protocols or combinations of protocols including TCP/IP sockets and proprietary queues. The method of host integration will be determined by the bank's preference and the messages to be processed by the bank.

    Connection to payment networks

    BankWorld Card Gateway is designed to route transactions between connected parties (switch, schemes etc) and CardWorld Card Manager. It allows customers to use their cards at Visa connected terminals worldwide.

    For the purpose of this paper, the connected parties will be limited to the Visa International Payment Network. Additional parties such as MasterCard can be connected through deploying a MasterCard interface.

    BankWorld Card Gateway also supports ISO8583 connections to various national networks.

    Sample List

    • Jonet - Jordan
    • Shetab - Iran
    • Cashnet - India
    • Benefits - Bahrain
    • NAPS - Qatar

    Transaction acquiring

    BankWorld Card Gateway performs the core routing, recording and reporting of transactions. When a customer uses the card, the transaction will be routed to the bank's Visa connection via the Visa network. It is then, in turn, passed to CardWorld Card Gateway where the message will be stored before routing to CardWorld Card Manager.

    CardWorld Card Manager will perform authorisation and forward any response messages to the gateway. These will be converted into the format required by the particular network before being recorded and sent back out to the payment network.

    The Gateway includes GUI applications for transaction investigation and reporting and allows the user to search the database using key fields. Once a particular message has been located, all related messages can be retrieved and viewed.

    A second GUI controls and monitors the state of the interfaces connected to the gateway. As well as allowing the operator to stop and start interfaces, the system tracks uptime and usage of each interface.

    Transaction authorisation

    The Gateway routes transactions to CardWorld Card Manager for authorisation. The first authorisation check performed by Card Manager is to examine the ARQC or Authorisation Request Cryptogram. This is a secure value generated by the card and processed by the payment network as part of the authorisation request message. By decoding the ARQC, CardWorld Card Manager will verify that the request originated with a valid card and that the details have not been tampered with during the process.

    CardWorld Card Manager then compares the transaction information against the limits set for the identified card record. Card limits include:

    • set of services enabled or disabled for the card
    • transaction limit
    • frequency limit
    • cycle limit

    All transaction limits may be set separately for both cash and purchase transactions. Individual cards may also have different limits from those of the card product group to which they belong.

    The system also checks the card status, valid dates and PIN. Once all of these checks are completed successfully, the system will authorise the transaction amount against the account balance.

    Account Balance authorisation is carried out via BankWorld Channel Manager. The Channel Manager connects to one or more banking host applications. Channel Manager's stand-in capability allows transactions to be authorised on behalf of a periodically offline host. The Channel Manager maintains records for accounts held on the host system. During normal online operation, these accounts are synchronised so that a correct card balance is available, should the host go offline. During the offline period the Channel Manager authorises transactions against the local copy of the account balance. The balance is then adjusted to reflect successful transactions. The Channel Manager also records the transactions so that they may be posted to the host when it is next available. This ensures that account and statement details are correct and that the correct transaction fees and charges can be applied.
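    The stand-in behaviour described above, as an added Python example that is not CR2's code: it authorises against a local balance copy while the host is unreachable, records the approvals, and posts them afterwards, reporting any account the posting leaves overdrawn. The Host and ChannelManager classes, their methods and the account id are assumptions made for illustration.

```python
class Host:
    """Constructed model of the banking host: holds the authoritative balances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.online = True

    def _require_link(self):
        if not self.online:
            raise ConnectionError("host offline")

    def debit(self, account, amount):
        """Normal online authorisation: refuse if funds are insufficient."""
        self._require_link()
        if self.balances[account] < amount:
            return False
        self.balances[account] -= amount
        return True

    def post(self, account, amount):
        """Post an already-approved stand-in transaction; this may overdraw."""
        self._require_link()
        self.balances[account] -= amount


class ChannelManager:
    def __init__(self, host):
        self.host = host
        self.shadow = {}     # local copy of the host balances
        self.pending = []    # stand-in approvals not yet posted to the host

    def synchronise(self):
        self.shadow = dict(self.host.balances)

    def authorise(self, account, amount):
        try:
            approved = self.host.debit(account, amount)
            self.shadow[account] = self.host.balances[account]
            return "HOST", approved
        except ConnectionError:
            pass
        # Stand-in: decide against the local copy and record for later posting.
        if self.shadow.get(account, 0) < amount:
            return "STAND_IN", False
        self.shadow[account] -= amount
        self.pending.append((account, amount))
        return "STAND_IN", True

    def post_pending(self):
        """Post recorded transactions; return accounts left overdrawn on the host."""
        while self.pending:
            account, amount = self.pending[0]
            self.host.post(account, amount)   # raises if the host is still down
            self.pending.pop(0)
        self.synchronise()
        return sorted(a for a, bal in self.host.balances.items() if bal < 0)


if __name__ == "__main__":
    host = Host({"ACC-1": 100})               # constructed sample account
    cm = ChannelManager(host)
    cm.synchronise()
    host.online = False
    print(cm.authorise("ACC-1", 60), cm.authorise("ACC-1", 60))
    host.balances["ACC-1"] -= 50              # debit made elsewhere during the outage
    host.online = True
    print(cm.post_pending())
```

    The overdrawn list is the stand-in exposure: the local copy was correct at the last synchronisation but cannot see debits that reach the host by another route during the outage.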

    System requirements

    GUI Client requirements

    • Pentium 750 MHz or above
    • 80GB minimum free hard-drive space
    • 1GB memory
    • Windows 2000
    • Oracle 8.1.7 Client software

    Windows 2000 Server 1: ATM and card management

    • DL360 Single U Rack Mountable Server
    • Dual Pentium PIII 1.4GHz or higher
    • 2 x 18 GB SCSI-2, RAID 1 Disk Mirroring Configuration
    • Memory: 512GB
    • Network: Dual GHz Network Card with Automatic Fail Over Support
    • Oracle 8.1.7 Server Software (Standard edition)

    Windows 2000 Server 2: Host connection

    • DL380 Two U Rack Mountable Server
    • Dual Pentium PIII 1.4GHz or higher
    • 6 x 18 GB SCSI-2, RAID 1 Disk Mirroring Configuration, 3 Logical Drives
    • Memory: 512GB
    • Network: Dual GHz Network Card with Automatic Fail Over Support
    • Oracle Server Version 9
    • Orbix 3.3
    • Oracle Client 8.1.7

    Card personalisation devices

    • Hardware security modules: Thales RG7xxx or 8000 Series, or software encryption can be used
    • Thales P3 Module
    • DataCard EMV desktop package
    • PIN mailer printers: Dot Matrix

    ATMs

    • EMV Level 2 and XFS compliant ATMs
    • Processor - Pentium 500 MHz - 700MHZ or higher
    • Hard disk - minimum of 10 GB
    • Memory - recommend 256MB (128MB absolute minimum)
    • Monitor display - minimum 640 x 480 with highest possible resolution
    • One CD Rom drive
    • One Floppy disk drive

    Appendix 1 - EMV card technical information

    This section provides additional technical background and details the processes that take place when an EMV card is entered into an EMV terminal.

    1. Card entered into terminal

    2. Terminal interrogates it to see which applications are present. Data on an EMV card is organised in structures similar to the directory structure of a PC. The interrogation process is not dissimilar to a PC program searching a PC directory structure to determine which files it can read.

    3. Terminal software will offer the terminal operator the selection of available applications.
       For this example we will use a Visa terminal that communicates with the Visa VSDC (Visa Smart Debit Credit) application.

    4. Terminal will default to VSDC application as this is the only application common to both terminal and card

    5. Card holder performs purchase

    6. Terminal can perform purchase offline (if it is below a floor limit) or online.
       Floor limits are defined by two fields - counter and amount - stored on the card. These fields are used to limit the risk associated with offline transactions.
       • The counter represents the number of transactions that can be performed offline before the card must be used online. Each time an offline transaction is performed, the counter is decreased by one. Once the count reaches zero the next transaction must be performed online. If this is not possible the terminal will decline the transaction. Whenever the card is used online, the counter is reset to its original maximum value.
       • The amount field represents the financial risk that the card issuer is willing to take on offline transactions. Each time a transaction is performed offline, the card will reduce the offline amount by the transaction amount until no offline limit remains. At this point the card will again request the terminal to perform an online authorisation. Again, if the terminal is unable to perform an online authorisation it will decline the transaction.

    7. In order to perform transaction online, card generates an ARQC. (ARQC is unique to each transaction and is supplied by the card to the terminal)

    8. Terminal application uses this value as part of authorisation request

    9. ARQC forwarded to acquiring bank

    10. Acquiring bank forwards message to issuing bank through Visa payment network.

    11. Issuing bank receives message through Visa network

    12. ARQC will have been encrypted by card using a derived key based on card details.
        The issuer's authorisation software will also derive this key from card details and its own issuer key. This will only be possible if the card was issued by this issuer using the correct issuer key. If not, the card will be detected as fraudulent and declined. If the card is not fraudulent, the derived key is used to decode the message digest which can then be used to ensure the message contents are valid. This provides further security as, if the message contents have been tampered with, the message digest will not match the message and the transaction will again be declined on the assumption of fraud.

    13. Issuer authorises transaction by responding to acquirer through the Visa network.
        Part of the response message will include an issuer cryptogram which the card can use to ensure that the response is from the expected issuer. This is important as part of the response can include post issuance updates which allow the issuer's authorisation software to update information stored on the card. Currently this post issuance update functionality is primarily used to reset the offline counter and amount fields following an online transaction.

    14. Acquiring bank will receive authorisation response through Visa network and forward it to acquiring terminal.

    15. Terminal will advise card of response

    16. Card will verify issuer based on issuer cryptogram

    17. Card produces an audit cryptogram to be recorded by terminal.
        The audit cryptogram is a secure value which provides evidence of the activities performed by the card and the terminal. This value can be used to prove the card was present during any disputes and will form part of the information passed to the issuer in the clearing file.
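    Steps 6 to 16 above as an added Python example, not code from CR2 or from the EMV specifications: a card applies its offline counter and amount, produces an ARQC when it must go online, the issuer re-derives the card key to check it, and the card checks the issuer cryptogram before resetting its offline fields. HMAC-SHA256 is swapped in for the EMV key derivation and cryptogram algorithms, and every name, key, card number and limit here is constructed for illustration.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-issuer-master-key"   # constructed sample value
PAN, PSN = "4000000000000002", "01"             # constructed card details


def derive_card_key(issuer_key, pan, psn):
    # Assumption: HMAC-SHA256 stands in for the real EMV key derivation.
    return hmac.new(issuer_key, f"{pan}|{psn}".encode(), hashlib.sha256).digest()


def cryptogram(key, *fields):
    # Keyed digest over the transaction fields, truncated to 16 hex characters.
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    def __init__(self, pan, psn, key, max_count, max_amount):
        self.pan, self.psn, self._key = pan, psn, key
        self.max_count, self.max_amount = max_count, max_amount
        self.count, self.amount = max_count, max_amount   # offline risk fields
        self.atc = 0   # per-transaction counter: makes every ARQC unique

    def start(self, amount):
        """Steps 6-7: stay offline within the limits, otherwise produce an ARQC."""
        self.atc += 1
        if self.count > 0 and amount <= self.amount:
            self.count -= 1
            self.amount -= amount
            return "OFFLINE", None
        return "ONLINE", cryptogram(self._key, "ARQC", amount, self.atc)

    def finish(self, arqc, approved, issuer_cryptogram):
        """Step 16: trust the response only if the issuer cryptogram verifies."""
        expected = cryptogram(self._key, "RESP", arqc, approved)
        if not hmac.compare_digest(expected, issuer_cryptogram):
            return False
        if approved:   # post issuance update: reset the offline fields
            self.count, self.amount = self.max_count, self.max_amount
        return approved


def issuer_authorise(issuer_key, pan, psn, amount, atc, arqc):
    """Steps 12-13: re-derive the card key, check the ARQC, sign the response."""
    key = derive_card_key(issuer_key, pan, psn)
    if not hmac.compare_digest(cryptogram(key, "ARQC", amount, atc), arqc):
        return False, None   # wrong issuer key or altered message fields
    return True, cryptogram(key, "RESP", arqc, True)


def purchase(card, amount, issuer_key, online_available=True, sent_amount=None):
    """Terminal side. sent_amount simulates a request altered in transit."""
    mode, arqc = card.start(amount)
    if mode == "OFFLINE":
        return "APPROVED_OFFLINE"
    if not online_available:
        return "DECLINED_NO_ONLINE"
    wire_amount = amount if sent_amount is None else sent_amount
    ok, resp = issuer_authorise(issuer_key, card.pan, card.psn,
                                wire_amount, card.atc, arqc)
    if not ok:
        return "DECLINED_BAD_ARQC"
    return "APPROVED_ONLINE" if card.finish(arqc, True, resp) else "DECLINED_BAD_ISSUER"


def new_card():
    # Constructed limits: 2 offline transactions, 100 units of offline amount.
    return Card(PAN, PSN, derive_card_key(ISSUER_KEY, PAN, PSN), 2, 100)


if __name__ == "__main__":
    card = new_card()
    for amt in (30, 30, 30):
        print(amt, purchase(card, amt, ISSUER_KEY), card.count, card.amount)
```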

    APPENDIX 2: Benefits of EMV Smart Cards

    EMV Smart Cards have a number of secondary benefits to financial institutions:

    Reduce costs

    US cost models show that magnetic stripe cards cost US $12 to deliver to consumers and that credit cards are retained for 2 years. An issuing bank's ROI is 1.5 years, leaving only 6 months to profit from the customer. Smart Cards cost US $16 to deliver, but the ability to update the cards without reissuing increases the length of time a card is retained, and so increases the bank's profitability.

    EMV Smart Cards can be reconfigured after being issued. With the current magnetic stripe cards, a new card must be issued in order to change a customer's offline limits. However, with an EMV Smart Card, a script can be sent to the terminal which updates the configuration of the card. This allows different limit rules to be stored and applied by the card in offline mode, thus saving the bank the cost of reissuing the card.

    The ability to enforce sophisticated offline limits means that more transactions can be performed offline, which typically is more cost effective than having to service transactions online. This secure offline processing can be particularly advantageous for peak periods such as summer sales, as it allows the bank to smooth peak usage efficiently, effectively supporting the same peak load with fewer resources.

    Increase revenue streams

    Chip cards provide the means to process multiple applications via the smart chip on each card. These mini-computers can provide the user with value-added services including loyalty schemes and e-purse, all via the one card. This provides the issuer with an infrastructure for new income streams.

    With these benefits in mind, card industries are pushing for issuers and acquirers to become fully EMV compliant by offering incentives for early migration. Visa has also introduced the EMV Visa Early Option scheme (Chip card data managed by Visa), which is quicker and cheaper for organisations to participate in while they prepare for full migration.

    For markets where fraud is relatively low and hence the cost of EMV implementation is difficult to justify, card organisations have a three pronged approach:

    • EMV TIFT initiative: When the card is acquired at an EMV terminal, the interchange rate payable by the acquirer to the issuer is decreased by 10 basis points of the transaction value
    • Liability shift to non EMV party: In the event of a disputed transaction, the party who has not implemented EMV is liable for the cost of the transaction.
    • Financial incentives where each EMV region is offered funds to help banks offset the costs of migration to EMV

    Appendix 3: Impact of EMV

    As with the advent of any new technology, there are some effects on infrastructure and deployment:

    Personalisation

    Issuing institutions must have the capability to personalise chip cards and load them with the payment application. This will typically require an upgrade to the card embossing/encoding applications. An alternative for low volume issuers is to consider outsourcing card production to a third party processor or partner bank.

    Payment network interfaces

    EMV compliant systems need to process larger payment network messages which include the additional security information generated by the chip. This may require an upgrade or reconfiguration of the interface between the issuing system and the payment networks.

    Card management

    The card management system should be capable of interpreting and performing authorisation based on the additional security information (Authorisation Request Cryptogram) generated by a chip based transaction. The card management system must also be able to generate post issuance updates on the chip as well as issuer security information before performing any post issuance updates.

    Device upgrade

    Institutions will need to upgrade their banking devices, such as ATMs and POS terminals. ATMs with card readers will need to be deployed with EMV compliant software. Similarly POS terminals that support chip cards will need to replace all existing POS terminals.

    EMV deadlines by region

    Region          Visa               MasterCard
    EU              1st January 2005   1st January 2005
    Middle East     1st January 2006   1st January 2006
    Asia Pacific    1st January 2006   1st January 2006
    Caribbean       1st January 2010   1st January 2005
    Latin America   1st January 2008   1st January 2005
    Africa          1st January 2006   1st January 2006
    South Africa    1st January 2006   1st January 2005