Pages

Thursday, March 10, 2011

Risk Management in EMV scenarios & Intellect cards’ ability to mitigate them

Risk Management in EMV scenarios & Intellect cards’ ability to mitigate them

Executive Summary

Card & Terminal Risk management in the payment products industry have gone through many milestones based on the best practices by issuers and acquirers over the last two decades. To focus and narrow down of fraud exposure to the targeted levels, particularly in the last few months, be it in issuing business or acquiring transactions, financial institutions around the world have always faced many challenges. The dynamic technological advancements and the outcome of smart card based payment products coupled with EMV co compliance man dates and scheme requirements have forced fraudsters move from EMV compliant geographic zone to magnetic stripe based card issuers zone to continue their fraud games.While the non-compliant banks have challenges in terms of migrating to smart card based issuing and acquiring while complying with EMV compliance, the EMV compliant issuers and acquirers are busy climbing the ladder to gain control and master over risk management parameters both in card data personalisation and transaction management.

In a series of white papers on how to manage risk in an EMV scenario, in general and Intellect cards EMV risk management capabilities to mitigate that risk, in particular, this white paper Part I, discusses the nuances of EMV risk management and focuses on Card holder Verification methods (Herein after referred to as “CVM”). This paper also addresses howthis ismanaged
in Intellect Cards Application.

It is assumed that the reader of this white paper is reasonably familiar with the EMV compliance requirements and the transaction flow, both online and offline.

Business Challenge

Authenticating a genuine customer is much more elaborate process today. From a simple verification to complex bio-metric devices,many technological changes have taken place. In the payment product industry, remote authentication of card holder demographic information has gone through many changes in the last decade. From simple signature verification in plain and naked eyes to PIN verification in an online transaction to bio-metric scanning and comparison of data, payment products
industry in some ways is the forerunner in innovating and bringing fool proof mechanisms when it comes to customer authentication.

Typically, the success of card holder verification method (CVM) is directly proportional to how well the CVM global rules are understood and deployed in production. This is particularly true when it comes to EMV co mandated CVMs. The biggest challenge of authorizing a transaction to a genuine card holder lies in effectively implementing the correct CVM without losing balance and control on business appetite and customer complaints.

The task of card holder verification may not necessarily deal only with verifying the cardholder identity. It expands beyond the desired method of deployment. For example within the available methods, if an issuer to choose to opt one of the methods to verify a cardholder during a transaction (say signature along with offline clear text PIN), the transaction may be successful to the satisfaction of the issuer. But a fraud can take place at any stage of the transaction and issuer has to be sure whether a
right method is used in right context. Assuming that in this case the fraudster is not aware of how to crack an encrypted offline PIN and if the issuer is opted to prioritize this as a last option in anticipation of acquirers’/terminal’s inability to support encrypted PINor not included as one of the methods at all during personalisation, then the transaction liability issue could turn well against the issuer. This leaves out Issuer with no option except to lose the charge back rights to acquirer as the EMV compliant
terminal has chosen the list of method as per the priority set by the issuer in this example.

Download

Download full paper At
http://www.enjineer.com/forum

No comments:

Post a Comment