2008 MAY / STANDARDS

News in connection with bank card forgery and cloning are appearing in the different media from time to time. Due to the several press news and the communication of the card issuers, nowadays most of the card users are aware of the fact that the data stored on the magnetic stripe of the card can be copied. The illegally taken data not only cause damage to the bank card owner but to the issuer financial institution as well who credit the damage caused by thieves for the aggrieved persons. To keep the increasing popularity of bank card use, the largest card issuer organisations raise stricter and stricter security requirements and the technology used for cards is continuously developing.

Changing principles: information security in focus

The world's two largest bank card issuing organisations published their new Logical Security Requirement System for the world's card producers in 2007.The change in the system of requirements focused on the same areas according to similar principles both at MasterCard and Visa. Two key areas of the modifications were the extension of the audit of magnetic striped bank cards and the stricter examination of IT systems.

The ground philosophy of security audits needed to acquire certificate (manufacturing license) has changed. Previously, only the Physical Security certificates were needed to produce magnetic striped cards while the Logical Security certificate is compulsory for these cards according to the new requirements. This is a fundamental change as the Logical Security Requirement system referred only to the logical security requirements of cards with EMV chips so far.

The more extensive examination of IT systems can be described by the change in the requirements connected to them. The previous system of requirements placed less emphasis on such nowadays very important topics which influence the security of a bank card fundamentally. As a result, the control of supporting and contributing IT systems, the inspection of the security of data flow and data handling, the assessment of human risks and the stricter and deeper examination of logistic and transport processes received key role among the aspects of the audit.

The MasterCard and Visa requirements also confirm that IT developments which support information and data security are of strategic importance for card manufacturer security printing companies.

The future is about bank cards with chip

In spite of the fact that the audit of magnetic striped car manufacturing is continuously getting stricter and stricter, the technology itself used in them is rather limited, and does not ensure by far such security like the system used in the case of newer cards with chip. The so-called EMV (Europay Mastercard Visa) cards store the data needed for payment and identification in the embedded chip. The applied technology, the complicacy of supporting systems, the higher level controllability than previously ensures the protection of data and the decrease of possible abuses. EMV cards represent a much higher technological level regarding the access to data, authentication (examining the competency and authorization of a person who tries to process a certain operation), and data protection.

The justification and continuous development of EMV technology's objectives is confirmed by the fact that the security and the application of the chip is being developed continuously. When cards with chips appeared, the technology had key importance regarding the change in the storing place of data and their accessibility and the operational, technological and security development of supporting systems. Compared to magnetic stripe, the development opportunities of chips were fairly narrower. Chip manufacturers became interested in the continuity of developments as market demands required securer and more widely applicable devices. The starting point of the technology was the so-called 'static data authentication' which enabled higher security and functionality compared to magnetic stripe.

By now, the EMV technology itself has also developed for higher security and its application possibilities has been expanded. As a result, a new, more secure chip module was launched which contribute to a higher security level. The former 'static data authentication' was changed for 'dynamic data authentication' (DDA) which brought significant modifications in the field of data handling. Dynamic data authentication is supported by a crypto processor (device which does encrypting) appearing in the new chip type which raises the confidentiality, inviolability, authenticity and security of transactions during card use to a higher protection level. Another advantage of the processor is that it limits the access to the data content of the chip and only permits access after strict control.

With DDA, it is possible in the case of several platforms to execute post-issuance card and application handling. The functions of the technology like risk management parameter setting, on-line/off-line limit setting, PIN change etc. require the strong authentication between the chip and the remote system in every case and the establishment of a secure channel. Due to the crypto processor, the appropriate instructions and transactions can be executed faster and securer than previously. In case of the former static authentication, the only device which protected the data content of the chip during the chip access was the PIN code.  So the chip ca be cloned by having the PIN code. So in the case of offline terminal and transaction, the card use cannot be authenticated (the acceptor network -POS, ATM - operating in Hungary requires online transaction handling in every case). In case of dynamic data authentication, the sensitive part of the chip's data content is either not accessible or is encrypted during the whole of the communication, and every transaction happens with separate authentication with keys generated in the chip.

State Printing House Plc has performed several costly technical, technological developments lately and as a result, it has successfully met the changed system of requirements. The Company met the audits of both certifying organisations again in 2007 so it has MasterCard and VISA card manufacturing licenses for several years now. The complex, audited protection system enables State Printing House Plc to supply EMV bank cards.