Aconite Smart Solutions


Aconite Smart Solutions PIN Management Services

Contents

PIN Management
Current challenges
Aconite PIN Manager solution
Overview
Centralised PIN Vault
Customer PIN Self Select process
PIN Advice Request process
EMV card PIN Management
Offline PIN Change and PIN Unblock process for an EMV card
Web banking PIN based credential management
APM Solution Benefits
APM Benefits for EMV Offline PIN Change and PIN Unblock

Aconite Technology Ltd., 2012 Version 1.0

PIN Management

For a number of years, in various parts of the world, banks have been issuing card products that are secured by an Online PIN (Personal Identification Number) to validate the card and cardholder. For the most part, these were debit cards which started life as ATM cards where PIN was the only means of cardholder verification, whereas credit cards were traditionally used in environments where cardholder identity was typically verified by a cardholder signature.

Generally speaking, cardholders were issued with a generic PIN that they retained until the card expired. However, depending on the Issuer and their infrastructure, there were also mechanisms for Cardholder Selected PIN, either on issue or via a PIN Change facility on the Issuer's ATMs, in the branch or via their IVR service.

Issuers are increasingly looking to reduce both the impact on Customer Services where customers forget their PIN and the costs associated with securely printing and sending PIN mailer advices. The card schemes have now paved the way for electronic PIN advices, for example via SMS but, clearly, this process needs to be done in a very secure way.

Current challenges

With the advent of the more secure chip-based cards, based upon the EMV specification, cardholder authentication has become far more secure and the PIN can also be enabled for the offline environment. This is achieved by storing the PIN securely in the chip application such that the terminal can challenge the card to validate the PIN that the cardholder has entered without needing to go online to the Issuer.

To avoid cardholder confusion, the Online and Offline PIN have the same values and need to be synchronised when any post-issuance PIN Change event happens. The Offline PIN Change is effected by sending an EMV Script to the application inside the chip. This requires an EMV Level 2 compliant device, such as an Issuer's ATM or in-branch PoS device, that is under the Issuer's control, so that errors can be detected and resolved.

Many banks offer their cardholders a facility to change their PIN through their ATM network, via IVR or in the bank's branch network, and these mechanisms ensure that both Online and Offline PINs are kept in synchronisation. However, the ability of the cardholder to change their PIN outside of their Issuer's ATM domain, for example when abroad, has necessarily had to be limited. Equally, for Issuers with limited ATM and branch infrastructures there are few options unless, as in the UK, there is a reciprocal PIN Change/Unblock arrangement between banks.

The result is that there are differing levels of service for cardholders and, in the worst case, this has led to cardholder attrition where customers become frustrated as they are unable to use their cards, especially when abroad, because for one reason or another the PIN cannot be used. Ultimately, this adversely impacts the profitability of the portfolio.

Other challenges being faced by Issuers include raised customer expectations for more or easier access to control how their cards and accounts are managed, demand for more comprehensive cards supporting more than one type of application, whether financial or non-financial, and maintaining competitive edge, all to be balanced with pressure to keep costs to a minimum. The decision is whether to embrace the inevitable need to change increasingly complex infrastructures or to avoid change and bear the potential consequence of losing competitive edge in the market.

The ever-present threat of ID theft and account takeover is a further area that challenges Issuers wishing to provide their customers with secure online banking services. For those with large portfolios, the costs associated with implementing and supporting complex credential management systems can be justified but for others it can be an expensive, if necessary, overhead.

Aconite PIN Manager solution

Overview

Aconite's PIN Manager (APM) solution provides a comprehensive suite of services that puts the Issuer back in control whilst enabling them to offer their customers the most flexibility to manage their PINs themselves, regardless of whether they are in country or travelling and regardless of whether the Issuer has an extensive ATM and branch infrastructure or not. The solution is fully secure, employs the latest security techniques for both storage and delivery of PIN related data and is multi-issuer, multi-PIN and multi-application capable.

Key features of the solution include:

- An optional PIN Vault that enables Issuers and processors to securely store all PINs centrally and separately from the associated card and account numbers using either PAN alias or encrypted PAN references;
- Pre-generation of PINs for one or multiple applications on a card;
- Dynamic PIN generation for one or multiple applications on a card;
- Support for PINs for both financial and non-financial applications;
- Support for multi-issuer environments;
- Support for single Issuer multiple back-office card management systems;
- SMS, web banking or PIN Mailer options for PIN Advices;
- SMS or web banking options for Customer PIN self-select, PIN Change and PIN Unblock;
- Support for EMV Offline PIN Change synchronisation outside of ATM and/or branch environment;
- Web banking credential management linked to cardholder PIN.

These topics are explained further below.

Centralised PIN Vault

For those Issuers and processors wishing to rationalise where their PINs, often generated via multiple back-office applications, are stored and maintained, at the heart of Aconite PIN Manager (APM) is a secure PIN Vault. As the name implies, all PINs, whether pre-generated or dynamically generated on issuance, are securely stored within the PIN Vault. PINs are never held with the associated card number, or application, in the clear. Issuers may adopt one of two options, a PAN alias or an encrypted PAN, to reference the PIN.

The value in the PIN Vault is used for sending out PIN Advices and for PIN regeneration and verification purposes. Where customers pre-select PINs ahead of issuance, these can also be generated and stored in the PIN Vault ready for use during the card/application issuance process. The PIN Vault serves as the database of record for the PINs and can be used for PIN validation, regeneration and re-notification purposes.

As indicated, however, this is an optional feature and, for those not wishing to use such an approach, Aconite PIN Manager (APM) will simply interface to the required PIN location, for example the authorisation system card account file.

Customer PIN Self Select process

The Aconite PIN Manager solution enables the Issuer to provide a secure mechanism for customers to select their PIN ahead of card issuance using the Issuer's web banking service.

The customer logs on to their web banking service, via the existing mechanism, and chooses an option to select their PIN. The Issuer's Web Banking service then invokes the Aconite PIN Manager server, directing the customer session to the APM server and sending the customer's reference and mobile number. The APM server will store the information in the PIN Vault, generate a one-time password and send it via SMS to the customer's mobile. Aconite's user interface will be launched and will prompt the customer to enter the password sent via SMS to their mobile and, once this is done and validated, will ask the customer to enter their selected PIN. The PIN is then stored in the PIN Vault for use during the issuance process and APM will pass control back to the Issuer's Web Server.

PIN Advice Request process

The Aconite PIN Manager solution enables the Issuer to provide a secure mechanism for customers to receive immediate notification of their PIN. Where a customer forgets their PIN, they may request a PIN advice to be sent to them and the Issuer can choose to offer them any of the following options:

- Via web banking;
- Via mobile;
- Via PIN Mailer.

Based upon the options offered by the Issuer, the customer logs on to their Issuer's Web Banking server, or alternatively calls the Customer Services Centre, and, subject to authentication, makes the necessary PIN Advice request, selecting the preferred method of delivery. The request is forwarded to APM, which retrieves the PIN either from the Issuer's CMS or, if used, the APM PIN Vault and sends it to the customer via the selected method of delivery. If this is via web banking, a secure session is set up to deliver the PIN to the customer's screen; if it is via SMS, the PIN is sent to the customer's mobile; and if it is via mail, the PIN will be sent via the existing tamperproof PIN Mailer system.

EMV card PIN Management

As indicated above, cardholders with EMV cards that have Offline PIN capability enabled provide a challenge for issuers wishing to allow them to change or unblock their PINs. Even those issuers that have enabled their ATM estate and/or branches to provide customers with such a service are unable to support PIN change/unblock outside of this infrastructure, while others cannot justify the expense of enhancing their infrastructure. A few have adopted restricted approaches, for example:

- a new PIN can be generated and sent to the customer, typically via PIN Mailer;
- a cardholder can select a PIN Change and a new PIN via an IVR system.

While these provide a viable proposition for Online PIN, neither will work where an Offline PIN is involved, as the card needs to be in an EMV enabled device to update the PIV stored inside the chip application. The best that can be achieved in the above scenarios is for the Online PIN to be changed on the Issuer's authorisation system and then:

i. relying on the customer to take their card to a terminal to try and force an online transaction to apply a PIN Change script to synchronise the Offline PIN onboard the chip;
ii. assuming that the customer's next transaction will be one where the Online PIN, rather than the Offline PIN, is checked, such as an ATM transaction, in order that the Online and Offline PINs can be synchronised.

Needless to say, neither option offers a guarantee of a seamless PIN Change / PIN Unblock service proposition for the customer:

- the customer cannot find an ATM;
- the ATM they find is not EMV enabled;
- the customer doesn't bother to do as requested.

In any of these scenarios, there is a possibility that the card may be used in an offline capable terminal, the wrong PIN is entered (i.e. the new one) one or more times and the customer is, at best, confused and, at worst, ends up with a blocked PIN.

A similar problem is encountered by Issuers of EMV cards when the PIN Try Counter is exceeded and the card becomes blocked. If the customer is in country and they can access an ATM, the PIN Try Counter can be reset during an online transaction. However, for those travelling this can be a real problem and at least one bank has suffered cardholder attrition as a direct result.

Offline PIN Change and PIN Unblock process for an EMV card

Aconite's PIN Manager solution is able to provide the Issuer with a far better alternative. APM will generate the PIN Change Script as required but, instead of queuing it to wait for the next online transaction to deliver it at an ATM, in the branch or at a retailer, the cardholder can be provided with a small portable Chip and PIN card payment device that can be used to replicate the online PIN-capable terminal experience from anywhere. Customers that have such a device attached to their PC or laptop go on to their web banking service, as described earlier in the PIN Self Select process but, in this case, they will select either a PIN Change or PIN Unblock option.

For a PIN Unblock option, when the Web Banking Server, subject to cardholder identity verification, invokes the APM Server, APM will generate the PIN Unblock Script and, once it has detected that the card is present in the device, send the PIN Unblock Script to the card to update the Offline PIN. Note that EMV Scripting is inherently secure, being protected by two forms of triple DES encryption.

For a PIN Change option, when the Web Banking Server invokes the APM Server, APM will request the Old PIN and validate it against the stored PIN Offset or PIN Vault entry for the customer card. It will then request the New PIN and, once verified, will generate the PIN Block for the new PIN. It will then:

i. send the encrypted PIN Block to the Issuer Authorisation Server to update the Online PIN;
ii. store the new PIN as a PIN Offset or as an encrypted PIN Block in the PIN Vault;
iii. generate the PIN Change Script and, once it has detected that the card is present in the device, send the PIN Change Script to the card to update the Offline PIN;
iv. confirm the successful change to the cardholder.

Where APM cannot detect that the card is present, the PIN Change Script will be queued for delivery when the card next comes online.
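The synchronisation problem and the card-present PIN Change steps described above, modelled as an added example (not Aconite's code). The class and function names, the try limit of 3 and the sample PINs are assumptions, and clear PIN strings stand in for the PIN Offset or encrypted PIN Block.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

PTC_LIMIT = 3  # assumed PIN Try Counter limit; the real value is set by the issuer


@dataclass
class ChipCard:
    """Stand-in for the chip application: Offline PIN plus PIN Try Counter."""
    offline_pin: str  # clear digits only because this is a model
    ptc: int = PTC_LIMIT

    def verify_offline(self, entered: str) -> str:
        """Offline PIN check as an offline-capable terminal would trigger it."""
        if self.ptc == 0:
            return "BLOCKED"
        if hmac.compare_digest(entered, self.offline_pin):
            self.ptc = PTC_LIMIT
            return "OK"
        self.ptc -= 1
        return "BLOCKED" if self.ptc == 0 else "WRONG_PIN"

    def apply_script(self, script: dict) -> None:
        """Apply an issuer script (a plain dict here, a secured command in reality)."""
        if script["cmd"] == "PIN_CHANGE":
            self.offline_pin = script["new_pin"]
        self.ptc = PTC_LIMIT  # PIN Change and PIN Unblock both reset the counter


@dataclass
class IssuerRecord:
    """Issuer-side state for one card; online_pin stands in for the PIN Offset
    or PIN Vault entry, which a real system only handles inside an HSM."""
    online_pin: str
    queued: List[dict] = field(default_factory=list)

    def change_pin(self, old: str, new: str, card: Optional[ChipCard] = None) -> str:
        """Steps i-iv of the PIN Change option; card=None means no card detected."""
        if not hmac.compare_digest(old, self.online_pin):
            return "OLD_PIN_REJECTED"
        self.online_pin = new  # steps i and ii: Online PIN and stored reference
        script = {"cmd": "PIN_CHANGE", "new_pin": new}  # step iii
        if card is None:
            self.queued.append(script)  # delivered when the card next comes online
            return "ONLINE_CHANGED_SCRIPT_QUEUED"
        card.apply_script(script)
        return "CHANGED_AND_SYNCHRONISED"  # step iv

    def unblock(self, card: ChipCard) -> None:
        """PIN Unblock option: reset the counter, leave the Offline PIN as it is."""
        card.apply_script({"cmd": "PIN_UNBLOCK"})

    def online_transaction(self, card: ChipCard, entered: str) -> bool:
        """Online PIN check; queued scripts go to the card on approval (simplified)."""
        approved = hmac.compare_digest(entered, self.online_pin)
        while approved and self.queued:
            card.apply_script(self.queued.pop(0))
        return approved


def change_without_card():
    """Online PIN changed with no card present, then the new PIN is used offline."""
    card, rec = ChipCard("1234"), IssuerRecord("1234")  # constructed sample PINs
    status = rec.change_pin("1234", "8642")
    attempts = [card.verify_offline("8642") for _ in range(PTC_LIMIT)]
    return status, attempts, card, rec


def change_with_card_in_device():
    """Same change with the card detected in the cardholder's device."""
    card, rec = ChipCard("1234"), IssuerRecord("1234")
    status = rec.change_pin("1234", "8642", card=card)
    return status, card.verify_offline("8642"), card.ptc


if __name__ == "__main__":
    print(change_without_card()[:2])
    print(change_with_card_in_device())
```

In the first scenario the card blocks itself on the cardholder's correct new PIN because the script is still queued; in the second the Online and Offline PINs never diverge.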

By extending the use of EMV Chip & PIN outside of the Issuer's infrastructure for PIN Change and PIN Unblock services, the Issuer is able to offer their customer a comprehensive service using a safe and trusted transaction method. This will give them the peace of mind that they will not suddenly become stuck because they fear their PIN has been compromised or blocked when they are away from home or cannot wait the time it takes to get a new card to them.

Web banking PIN based credential management

Many banks today provide a web based, or online, banking service for their customers. In order to prevent malicious attack, robust and secure access needs to be provided by comprehensive credential management. However, it remains true that customers frequently forget their passwords and contact the bank's Customer Services department to get assistance. This is particularly true where the credential management mechanism is overly complex, with multiple numeric and alphabetic password combinations. Where larger Issuers are able to provide such facilities and bear the associated costs, others are seeking alternative, simpler mechanisms that provide both security and a simpler customer experience without undue load on the Customer Services department.

Aconite PIN Manager provides a mechanism that is PIN based in concept but uses the card PIN to manage an online banking password. The customer can enrol for the Issuer's online banking service by providing their customer reference and debit card PIN. APM is pre-loaded with the Issuer's details, Customer Reference, PAN alias or encrypted PAN, Mobile Number and encrypted PIN Block or PIN Offset.

When the enrolment process is triggered in the Web Banking Server, control, together with the Customer Reference and PIN, is passed to APM. APM will validate the PIN entered and will generate a Web Banking Password for the customer to use. The Password will be sent to the customer's mobile phone and APM will advise the customer to log in to the Web Banking Server again using their Customer Reference and the Password that has been sent to them. APM will then return control back to the Web Banking Server.

The Issuer's Web Banking Server can optionally store the generated password for validating the customer when they log in to the service. Where the password is not stored in the Issuer's Web Banking Server, when the customer logs in using their Customer Reference and Web Banking Password, the Web Banking Server will pass control to APM to validate the Web Banking Password. If correct, APM will return control to the Web Banking Server together with the validation result for the customer to be able to proceed. APM will also provide a facility to enable the customer to change their PIN to one they have selected themselves.

Where the Customer Reference / Web Banking Password combination is incorrect, APM will launch a user screen requesting the customer to try again. If the customer fails to enter the correct value, they will be asked to enter their PIN. Assuming this is correct, the password will again be sent to their mobile phone for them to enter. If the PIN is incorrect, APM will return control to the Web Banking Server advising that the credentials have failed.

The advantage of this mechanism, rather than just using the customer's PIN as the access credential, is that the PIN is not commonly used at the customer's keyboard. Keyboards are not tamperproof and thus should be considered as a potential point of compromise. The APM approach requires the PIN to be entered only when enrolling or when the password has been forgotten.

Where customers forget their Web Banking Password more than an Issuer nominated number of times, APM will block the Web Banking access and send an advice to contact Customer Services.

APM Solution Benefits

Customers using Aconite PIN Manager services can expect to achieve the following benefits from the solution:

- Centralised PIN management for all card products regardless of back-office card and account management systems;
- Centralised PIN Manager support for financial and non-financial applications;
- Centralised PIN Manager support for all applications regardless of form factor (plastic, mobile, tablet);
- Centralised support for multi-application products with multiple PINs;
- Cost savings in PIN advices and customer services via provision of a customer enabled service;
- Improved customer service proposition via cardholder enablement for PIN Self Select and PIN Advices;
- For processors, enhanced service proposition.

APM Benefits for EMV Offline PIN Change and PIN Unblock

Using APM together with a small portable Chip and PIN card payment device has the following benefits:

- Ensures integrity of PIN Change for cards with Online and Offline PIN deployed;
- Provides a comprehensive PIN Change service for Issuers deploying cards with Offline PIN but not having an extensive ATM or branch infrastructure;
- The proposed device has the added benefit of providing a comprehensive PIN Change service for customers using their card when travelling abroad;
- Provides a secure mechanism for Chip and PIN transactions over the internet, overcoming the Card Not Present challenges present in e-commerce.

Copyright Notice

Copyright 2012 Aconite Technology Limited. All rights reserved. All information contained in this document is confidential and proprietary to Aconite Technology Limited. Customers and prospective customers of Aconite Technology Limited are permitted to electronically store, retrieve and copy this document and to print and copy this document, for the purpose of evaluating the suitability of Aconite Technology Limited's products and services for their business. Such electronic and printed copies may be distributed only to customers or prospective customers, employees or consultants working on its behalf.

Trademarks Notice

Aconite and the Aconite logo are trademarks of Aconite Technology Ltd. Aconite 2012. All Aconite Technology Limited products and services mentioned in this document are trademarks and service marks or registered trademarks and service marks of Aconite Technology Limited. EMV is a trademark of EMVCo LLC. Any other companies' or organisations' products and services mentioned are trademarks and service marks or registered trademarks and service marks of the relevant companies or organisations.