Product Paper
Product paper
EMV compliant
ATM and debit card management solution
This paper provides a thorough description of CR2’s complete EMV compliant ATM
and debit card solution
Since the introduction of chip card technology, SmartCards have been seen as the
ultimate replacement for the magnetic stripe cards used for credit and debit
applications worldwide.
Magnetic stripe cards in the 21st century have been developed and enhanced to
the point that there is now little or no scope for further security enhancements for
the prevention of fraud. Subsequently the level of card related fraud continues to
grow globally and as a result leading card schemes, Europay, MasterCard and
Visa (EMV) have started looking at alternative technology.
Following their initial analysis, the concept of ‘chip and PIN’ card technology was
introduced. This simply requires the embedding of a computer chip on the plastic
card. This new approach offers a number of significant benefits to the
cardholders, retailers and financial institutions including:
In the late ‘90’s, an EMV mandate instructed that all financial institutions move to
chip card technology. Specifications were released for issuers, acquirers and
software suppliers. These specifications formed the basis for conformance to the
new EMV requirements. EMV, as the standard is now known, aims to ensure that:
All cards and terminals used globally are compatible with each other
The same terminal and card approval processes can be used worldwide
The standards are fully open and published
These basic provisions ensure that there is a global acceptance and compliance
with the standard.
Page 2 of 16
CR2 will work with banks to engage a vendor once the choice of personalisation
solution has been finalised.
Page 3 of 16
CardWorld Producer
• EMV chip card personalisation
BankWorld ATM
• ATM services
• ATM branding and software distribution
• EMV ATM network management
Solution Diagram
Page 4 of 16
HS
Certificate authority,
eg MasterCard, Visa
HS
Step 3: Card personalisation
Alternatively CardWorld Producer can prepare data in a format that can be used
by an external agency to personalise cards.
In order to personalise cards, data must be entered into the CardWorld Producer
module. This may happen in one of three ways:
Card file import
Online database import
Manual data entry
The preferred method of card detail entry is via import files. This requires a file to
be generated by the host detailing the accounts for which cards are to be issued.
1
Datacard Group is a leading card personalising solution provider, offering solutions for smart card
programs, card issuance operations and digital identity programs.
Page 5 of 16
The import file format is determined by CR2 and includes all fields required for
card personalisation. Once the import has been completed, a card personalisation
batch is processed, followed by card personalisation, PIN mailer printing and
letter printing. The last stage of a production schedule is to import details of all
successfully produced cards to CardWorld Card Manager. This is performed via
the Card Manager database.
Lost and stolen card management – once a card is reported stolen, the card
management system automatically updates the Card Gateway with this
information.
Card product definition – Various card products and brands can be defined
within the system. Examples of card products supported are:
o Visa - Electron
o MasterCard – Maestro
o Proprietary debit cards
o Various National Switch cards
For each card product defined within the system, the following configurations are
permitted:
• card limits
• service restrictions
• card status
• account types assigned
• number of cardholders
The parameters at product and brand level are also configured in CardWorld
Card Manager and may include card number format and generation, default
service code, key set, and currency/country codes. Product wide limits can
also be set, although these may be overridden at card level where required -
for example, a VIP card.
CR2 also supplies an Oracle data dictionary that can be used to modify
existing report templates. Alternatively, in house reports can be developed
by CR2 using the bank’s data dictionary.
Page 6 of 16
ATM Client
Presents banks with the opportunity to launch chip card services
Provides Financial Institutions with a high profile, image enhancing multi-
media ATM network which provides banks with a potential advertising
platform. EMV and XFS compliant ATMs and hardware will be required
The Web technology allows banks to deploy a wide range of media and feeds
as part of the customer interface. Of particular advantage is the fact that the
customer interface is specified purely in HTML and XML requiring no
proprietary languages or tools.
Provides banks with the option to offer secure standalone ATM services
through CR2 proprietary track three processing. In cases where
communication to the host is lost, BankWorld ATM Client is still able to offer
cash withdrawal services.
Supported services
The following services are supported by BankWorld ATM Client
Fast cash from the primary Account.
Cash withdrawal from any account linked to the card
Cash withdrawal in second currency
Balance enquiry for any accounts linked to the card
Statement request
Mini statements available on screen and hardcopy can be printed
Book request supporting paying in and cheque book requests
PIN change
Funds transfer between customer’s bank accounts held on a card.
Deposit by cash, cheque, mixed deposits and deposit by instruction.
Bill payment by cash, cheque, account transfer or using a combination of
deposits
Mobile top up
Page 7 of 16
ATM monitoring
ATM monitoring includes, but is not limited to:
Opening and closing ATMs
Controlling ATM services
Notification of changes in the ATM status
Configuration of the ATM, groups of ATM’s for differing products and service
Amount of cash dispensed and remaining per ATM
Total amount of cash dispensed and remaining for all ATMs
Number of each transaction types per ATM
Total number of each transaction type for all ATMs
Number of captured cards per ATM
Number of captured cards for all ATMs
BankWorld ATM provides complete control of the ATM network through a number
of visual indicators and configurable alerts both visually and through audio.
BankWorld ATM Controller is capable of driving large ATM networks from a central
location. New features have been built into BankWorld ATM Controller to simplify
network monitoring and fault diagnosis.
Page 8 of 16
These features include GUI applications that enable banks to drill down into ATM
details and examine components of individual devices. The ability to remotely
investigate device faults ensures that engineers are fully prepared before costly
maintenance trips to remote locations are undertaken.
Page 9 of 16
CR2 has a highly skilled integration team and have built up a vast amount of
experience to date in back office integration. To perform integration, a component
needs to be developed which typically converts from our API formats, to the
format used by the Back Office system. CR2 refer to this component as a BOIS
(Back Office Integration Service). There are already a number of BOIS available
for many of the core banking packages.
For the purpose of this paper, the connected parties will be limited to the Visa
International Payment Network. Additional parties such MasterCard can be
connected through deploying a MasterCard interface.
Sample List
Jonet – Jordan
Shetab – Iran
Cashnet – India
Benefits – Bahrain
NAPS - Qatar
Page 10 of 16
Transaction acquiring
BankWorld Card Gateway performs the core routing, recording and reporting of
transactions. When a customer uses the card, the transaction will be routed to
the banks Visa connection via the Visa network. It is then in turn, passed to
CardWorld Card Gateway where the message will be stored before routing to
CardWorld Car Manager.
CardWorld Card Manager will perform authorisation and forward any response
messages to the gateway. These will be converted into the format required by
the particular network before being recorded and sent back out to the payment
network.
The Gateway includes GUI applications for transaction investigation and reporting
and allows the user to search the database using key fields. Once a particular
message has been located, all related messages can be retrieved and viewed.
A second GUI controls and monitors the state of the interfaces connected to the
gateway. As well as allowing the operator to stop and start interfaces, the system
tracks uptime and usage of each interface.
Transaction authorisation
The Gateway routes transactions to CardWorld Card Manager for authorisation.
The first authorisation check performed by Card Manager is to examine the ARQC
or Authorisation Request Cryptogram. This is a secure value generated by the
card and processed by the payment network as part of the authorisation request
message. By decoding the ARQC, CardWorld Card Manager will verify that the
request originated with a valid card and that the details have not been tampered
with during the process.
CardWorld Card Manager then compares the transaction information against the
limits set for the identified card record. Card limits include
set of services enabled or disabled for the card
transaction limit
frequency limit
cycle limit
All transaction limits may be set separately for both cash and purchase
transactions. Individual cards may also have different limits from those of the
card product group to which they belong.
The system also checks the card status, valid dates and PIN. Once all of these
checks are completed successfully, the system will authorise the transaction
amount against the account balance.
Account Balance authorisation is carried out via BankWorld Channel Manager. The
Channel Manager connects to one or more banking host applications. Channel
Manager’s stand-in capability allows transactions to be authorised on behalf of a
periodically offline host. The Channel Manager maintains records for accounts
held on the host system. During normal online operation, these accounts are
synchronised so that a correct card balance is available, should the host go
Page 11 of 16
System requirements
ATMs
EMV Level 2 and XFS compliant ATMs
Processor - Pentium 500 MHz - 700MHZ or higher
Hard disk - minimum of 10 GB
Memory - recommend 256MB (128MB absolute minimum)
Monitor display - minimum 640 x 480 with highest possible resolution
One CD Rom drive
One Floppy disk drive
Page 12 of 16
This section provides additional technical background and details the processes
that take place when an EMV card is entered into an EMV terminal.
Page 13 of 16
Page 14 of 16
Reduce costs
US cost models show that magnetic stripe cards cost US $12 to deliver to
consumers and that credit cards are retained for 2 years. An issuing bank’s
ROI is 1.5 years, leaving only 6 months to profit from the customer. Smart
Cards cost US $16 to deliver, but the ability to update the cards without
reissuing, increases the length of time a card is retained, and so increases
the bank’s profitability.
EMV Smart Cards can be reconfigured after being issued. With the current
magnetic stripe cards, a new card must be issued in order to change a
customer’s offline limits. However, with an EMV Smart Card, a script can be
sent to the terminal which updates the configuration of the card. This allows
different limit rules to be stored and applied by the card in offline mode thus
saving the bank the cost of reissuing the card.
With these benefits in mind, card industries are pushing for issuers and acquirers
to become fully EMV compliant by offering incentives for early migration. Visa has
also introduced the EMV Visa Early Option scheme (Chip card data managed by
Visa), which is quicker and cheaper for organisations to participate in while they
prepare for full migration.
For markets where fraud is relatively low and hence the cost of EMV
implementation is difficult to justify, card organisations have a three pronged
approach:
EMV TIFT initiative: When the card is acquired at an EMV terminal, the
interchange rate payable by the acquirer to the issuer is decreased by 10
basis points of the transaction value
Liability shift to non EMV party: In the event of a disputed transaction, the
party who has not implemented EMV is liable for the cost of the transaction.
Financial incentives where each EMV region is offered funds to help banks
offset the costs of migration to EMV
Page 15 of 16
As with the advent of any new technology, there are some affects on
infrastructure and deployment:
Personalisation
Issuing institutions must have the capability to personalise chip cards and
load them with the payment application. This will typically require an upgrade
to the card embossing/encoding applications. An alternative for low volume
issuers is to consider outsourcing card production to a third party processor
or partner bank.
Payment network interfaces
EMV compliant systems need to process larger payment network messages
which includes the additional security information generated by the chip. This
may require an upgrade or reconfiguration of the interface between the
issuing system and the payment networks.
Card management
The card management system should be capable of interpreting and
performing authorisation based on the additional security information
(Authorisation Request Cryptogram) generated by a chip based transaction.
The card management system must also be able to generate post issuance
updates on the chip as well as issuer security information before performing
any post issuance updates.
Device upgrade
Institutions will need to upgrade their banking devices, such as ATMs and
POS terminals. ATMs with card readers will need to be deployed with EMV
compliant software. Similarly POS terminals that support chip cards will need
to replace all existing POS terminals.
Page 16 of 16