EMV standard Implementation in Iranian Banks Risks & Challenges
General View on Payment cards frauds and solution
There are diverse views regarding the various forms of payment card fraud. In this paper we discuss these views extensively, with the aim of isolating the most dominant forms of payment card fraud so as to come up with viable solutions for tackling them.
Common Payment cards frauds
There exist various types of payment card frauds. The main reason for migrating to the EMV card scheme is to reduce the various forms of chip fraud. The main forms of credit card fraud are:
Counterfeiting
Lost or stolen cards
Cardholder-not-present transactions, in which both internet and telephone orders are used as gateways to propagate this type of crime.
There are various methods through which magnetic-stripe credit cards are counterfeited. The first method involves the 'skimming' attack on the card. The new EMV technology, however, is designed to support encryption protocols that are themselves non-secret but are dynamic, so that they counter transactions that involve a counterfeit card. The exact mechanism entails the use of protocols that prevent replays while at the same time making use of private cryptographic keys in the process of authenticating the card payments with various issuers and merchants (Russell, 2010). The use of the encryption keys can only be effective if the secrecy of the keys used in the card is assured. This is currently the only way of ensuring that these cards are protected from the dangers of skimming attacks.
The technology for ensuring that the encryption keys are properly managed is currently at a mature level, as pointed out by Ward (2006, 91).
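The replay protection described above can be illustrated with a simplified model. This is an added example, not taken from the paper or from the EMV specification: the `ChipCard` and `Issuer` classes are hypothetical, HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the PAN is a constructed test value.

```python
import hashlib, hmac, secrets

def _mac(key, pan, amount, atc, nonce):
    data = f"{pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, data, hashlib.sha256).digest()

class ChipCard:
    """Toy chip card: the key stays inside the card, only cryptograms leave."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def cryptogram(self, amount, nonce):
        self.atc += 1  # transaction counter, never reused by this card
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "nonce": nonce,
                "mac": _mac(self._key, self.pan, amount, self.atc, nonce)}

class Issuer:
    """Holds each card key and the highest counter accepted so far."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, msg, terminal_nonce):
        key = self._keys.get(msg["pan"])
        if key is None:
            return "unknown card"
        want = _mac(key, msg["pan"], msg["amount"], msg["atc"], msg["nonce"])
        if not hmac.compare_digest(want, msg["mac"]):
            return "bad cryptogram"    # data altered, or made without the key
        if msg["nonce"] != terminal_nonce:
            return "stale nonce"       # produced for a different terminal session
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "replayed counter"  # this exact message was already accepted
        self._last_atc[msg["pan"]] = msg["atc"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")   # constructed test PAN
    n1 = secrets.token_bytes(4)               # terminal's unpredictable number
    n2 = bytes(b ^ 0xFF for b in n1)          # a later session's number, always differs
    msg = card.cryptogram(2500, n1)
    return [issuer.authorize(msg, n1),                      # genuine transaction
            issuer.authorize(msg, n1),                      # captured copy, same session
            issuer.authorize(msg, n2),                      # captured copy, new session
            issuer.authorize({**msg, "amount": 9900}, n1)]  # amount changed in transit
```

Data copied from a magnetic stripe is static and would pass the same check every time; here a copied message fails because the counter and the terminal's number change with every transaction, and the key needed to produce a fresh cryptogram never leaves the card.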
There are other methods used in perpetrating credit card fraud. These are outlined below:
Mail non-receipt fraud
This form of card fraud occurs whenever a new or a replacement payment card which is destined for a certain bank is never received by its intended recipient. It is prevented by dispatching cards in an inactive state, to be activated by their intended owners via a phone call to the card issuer. The reality on the ground is that certain banks still send out cards that are already activated.
Chargeback fraud
This type of fraud is perpetrated whenever a cardholder makes use of their legal card to purchase certain goods and services. However, when they receive their statement, they claim that the charges against it were never authorized by them. They can also claim that they never received the goods or services in the first place.
Skimming
This type of credit card fraud occurs whenever an employee or a given merchant maliciously makes a second copy of an individual's credit card details prior to the processing of their payments. The illegally acquired copy is then sold on the black market to criminals, who end up cloning it for the purpose of making unauthorized withdrawals and payments at various outlets. The good news is that this form of credit card fraud has been stemmed through the introduction of coded technologies such as VCC and CVS. These codes are never encoded on the chip itself but rather are written physically on the card's back. The VCC and CVS are therefore the final step in the process of authorizing. The cloned card can therefore not work without these codes. There have been reported cases of card skimming at ATMs. This is done through the use of an illegally installed ATM machine to which a 'skimmer' device is attached in order to read the all-important card details contained in the magnetic strip. Additional devices are also installed in the machine in order to capture the activity on the keypad. One such device is a fake fascia installed over the surface of the genuine keypad.
Online credit card fraud
This form of credit card fraud is perpetrated on the internet. It is also the most common form of credit card fraud. This is a result of the widespread use of the internet to conduct various forms of transaction. The convenience and efficiency that come with the introduction of e-commerce are therefore hindered a great deal by the rampant cases of online credit card fraud. The worst part of this form of credit card fraud is the fact that the hacker steals the details of the card secretly whenever the victim inputs their credit card details into the computer system. This form of payment card fraud can also be perpetrated through the use of fake emails that prompt the victim to update their credit card information online. A bogus link is sent to the victim that prompts them to enter the required information, which is then used to scam them. The acquired information is then sold or used by the hacker to initiate online purchases.
2.4.2. Protecting Card Transactions.
Extant literature has been dedicated to the study of how to protect various payment cards from the rampant cases of fraud. Balfe and Paterson (2008, 171) clearly state that the use of the internet for carrying out transactions has made e-commerce carried out via what is referred to as Card Not Present (CNP) transactions (APAC 2003) so popular.
Various reports have also been published to illustrate the gravity of the various forms of credit card fraud in various parts of the world. A study conducted in the UK in 2006 showed that cases of card fraud through the internet had risen and accounted for close to 36% of all forms of credit card fraud (APAC 2003). The resulting financial losses were enormous. This happened despite the fact that there were various forms of secure payment technologies and gateways. As pointed out by Balfe and Paterson (2008, 171), the use of technologies such as SSL to protect payment card information is never sufficient. This is because of the complexity involved in carrying out the various forms of internet-based CNP transactions, and because SSL never protects the details themselves. It only helps in securing the channel that the information is conveyed through. There is therefore a lack of information on whoever is authorizing the passage of information through the channel itself. Studies have revealed that demonstrating an accurate Personal Account Number (PAN) together with its corresponding Card Security Code (CSC) is sufficient for any given hacker to gain access to the account of a certain cardholder. In order to reduce these kinds of loopholes, various more advanced technologies have been devised, such as 3-D Secure authorization, which allows the cardholder to be authenticated for the various forms of CNP transactions (VISA 2002). This is done by requiring the customer to provide separate authentication information in a step prior to the processing of the whole transaction. The downside of this technique is that it is easily compromised by various forms of malware. These include Trojans and certain key loggers which are intended to steal information from the intended victim.
This has therefore led to the recent development of more advanced and secure methods of protecting card transactions, such as the use of specially strengthened 3-D Secure authentication techniques which are intricately integrated into the existing EMV payment cards (VISA 2002).
Another recent development in the field of securing card transactions is the use of Trusted Computing to make possible the use of certain client-side certification (Alsaid and Mitchell 2006, 123). This is done in conjunction with other technologies such as Trusted Computing Group's TLS which are utilized in executing attestations. There is however still a certain amount of danger posed to this system by various forms of malware. This is discussed in detail in literature such as Jackson and Mitchell (2007). This involves the use of Trusted Computing as an aid to the existing card readers so as to generate unique digital signatures.
The move to adopt EMV standards has been widely discussed in the literature. SPA (2010) extensively discusses the latest techniques used in ensuring that the cardholder is sufficiently protected from the rampant cases of fraud. Through their white paper, the Smart Payment Association clearly shows the reasons why there is a need for migration to better EMV systems in order to reduce the cases of credit card fraud. They point out that it is the various cases of fraud that have necessitated the migration of the existing systems towards the better and safer EMV standards.
The level of success of the EMV standards can be illustrated through the analysis of its success rates in various countries such as the United Kingdom, where it was noted to have led to a substantial decline in the number of cards that were stolen and then subsequently used in perpetrating the illegal act of card fraud. The rates of reduction of these cases were noted to be about 20% per year from 2004, when the standards were introduced (UK Payments Administration LTD 2009). The exact phenomenon observed is as indicated in Appendix A.
Mechanism
The mechanism involved in the protection of the card details by means of the EMV technology is discussed by various scholars and organizations. SPA (2010, 1) clearly explains that the need for authenticating data in the various EMV systems is to ensure that the card being used is genuine. This is made possible via a system referred to as the Card Authentication Methods that is dependent on the capabilities of the chip itself.