Card Security For Republic Bank Customers
There is no doubt that most organisations today are becoming essentially dependant on the use of credit cards, arguably its most strategic asset, is to support existing business operations.
However, credit card fraud and identity theft has continued to plague the banking and retail industries as there seems to be no feasible solution to these crimes. Advances in technology have opened a gateway for hackers to restructure their position of attack, intruding on one’s personal life.
The basis of this project is on the new Chip and PIN technology introduced on credit cards. I’ve considered this to be an interesting topic because of the ‘publicity’ this technology has been receiving across the world and it has even reached to our shores, here in Trinidad and Tobago. Hence, Republic Bank Limited one of the local banks would be the case studied in this research.
Chapter two would encompass the existing literature on credit card history and Chip and PIN. This chapter would outline how credit cards have become ‘smart cards’ and how the Chip and PIN cards are used.
Chapter three gives the entire design of the project and the objectives to be obtained for the research. Moving to chapter four, the research framework adopted for this study on Chip and PIN and how it relates to the model undertaken in the research.
The findings from this research would be summarized version of the data collected, with the analysis of the theory and research framework the author undertook in this study.
In concluding, the author would report on the learning aspects of the research and provide an assessment of achievements, giving a position on the research question.
Literature REVIEW
This section is intended to place the scope of the project with literature surrounding the components of the research question.
The Credit Card Transaction Process Discussed
This payment mechanism was formally introduced in 1958, when the BankAmericard card, now known as Visa was franchised across the global community. By introducing an electronic authorization system, the BankAmericard was able to be used globally. Now by partnering with banks across the globe, Visa has been able to provide an international processing system for the exchange of money. The workings of a credit card transaction are such that it comprises of four main steps. These are:
- Authorization
- Batching
- Clearing
- Funding
The cardholder requests a purchase from the merchant, which is then submitted to the acquirer by the merchant. The acquirer then sends a request to the issuer to authorize the transaction. Once the authorization code is sent to the acquirer verifying that credit is available, the transaction is authorized and the cardholder receives the product. (This is further explained in detail on page 9 of this document)
This simple process of electronic transacting has opened up a world of e-commerce opportunities. From an information system perspective the processing workflow of an online credit card transaction is shown below:
Figure 1: Online Credit Card Processing Workflow Diagram (Hubbard, 2003)
Because of the vulnerabilities that lay in a transaction, more so the networks across which the information is exchanged, various security breaches can occur.
Types of Credit Card Fraud
There are many different types of credit card fraud. Fraudsters are very innovative in finding new ways of committing credit card crime and as technology changes so does their crime tactics. Security issues surrounding the card fraud has moved from the traditional ways of committing credit card crime (Application Fraud, Intercept Fraud and Lost/Stolen Card Fraud) to the modern techniques namely, Skimming, Site Cloning and most recently Triangulation.
Skimming is the fastest growing type of credit card fraud around because of its simplicity. Pocket Skimming devices can be easily carried around and the cardholder’s data can be obtained by merely swiping the card through the battery-operated magnetic card reader. This technology has also evolved so as to read the data of Chip and PIN cards, with the use of a scanner. These scanners, which can write or even re-write the data on the Chip cards, are fully portable and have high storage capacities. Because some of these devices are not illegal, they are easily accessible to hackers and can be bought over the internet.
Site Cloning involves cloning an entire site or just the pages where customers make purchases. Since the web pages are identical customers are not aware that their personal information is being compromised. Also, confirmation details are sent to the customer just as the official company’s website would, so the crime goes undetected. The details entered on the cloned site are then used by the fraudster to commit credit card fraud.
Another method of credit card fraud is Triangulation. Goods are presented on websites at discounted prices, which can be shipped to the customer before payment. Again, just as with site cloning, the site appears to be legitimate then the customer proceeds to enter their personal data. With this captured information the fraudster can then order goods from legitimate retail websites using the credit card number obtained.
Due to these security issues surrounding credit card information security, there has been global industry-wide concern for the protection of cardholder’s data. Since security management is a systematic issue, a serious look at what can be done to prevent security breaches is necessary-whether it may be legislation, the use of fraud detection system monitors or the application of data encryption/ authentication techniques.
Chip and PIN Technology
Credit cards have been a feasible solution for making payment processing simple and efficient. The history of the credit card dates back to the 1900’s when oil companies and proprietors created their own credit card as a means of obtaining customer loyalty and improving customer service. However, as with advances in technology, the credit cards have evolved from having just encoded magnetic stripes to modern day Chip and PIN cards, with embedded microchips, which can store and transmit data. These Chip and PIN cards were developed to provide an inter-operative system that would combat card fraud (counterfeit and plastic cards). This transaction processing infrastructure has enabled the cash-less revolution, whereby consumers, governments and businesses benefit from the electronic payment network, which has shifted payments by cash and cheques to an efficient electronic payment system.
The mechanics of a credit card transaction is such that the merchant acquirer, usually the bank processes transactions on behalf of the merchant. This payment by credit card represents an offer for issuance of payment in exchange for the goods or services provided by the merchant, (Transaction Processing). There are two parts to this type of transaction processing: the first is front end processing which involves the capture of data messages across communication channels to the point of sale devices; and secondly the back end processing which involves the balancing of accounting information by acquirers and issuers and the submission of the payment to the acquiring merchant’s bank.
As a result of the rapid advances in technology, data security continues to be a major concern as every transaction that involves the transmission data across networks is open to external attacks. Attacks on a consumer’s card information can come from any angle, whether it may be data thieves or network intruders. The Payment Card Industry Security Standards Council (PCI SSC), which comprises of major payment brands namely VISA, MasterCard, Discover and a few others, have created global compliance standards to protect cardholders’ data. These set of standards help govern and educate all merchants and organisations that process, store and transmit data, as well as the manufactures of the devices used in transaction processing.
The PCI SSC (2010), Data Security Standard Quick Reference Guide, as summarized below, outlines the best practices for protecting cardholder data:
Develop and Maintain a Secure Network
Install and maintain firewall configuration to protect cardholder’s data.
Do not use vendor-supplied defaults for system passwords or other security parameters.
Protect cardholder’s data
Protect stored data
Encrypt transmission of cardholder’s data across open public networks
Maintain a vulnerability management program
Use and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Implement strong access control measures
Restrict access to cardholder data by business need to know
Assign a unique ID to persons with computer access
Restrict physical access to cardholder data
Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data
Regularly test security systems and resources
Maintain an information security policy
Maintain a policy that address information security for all personnel
Nevertheless, despite these procedures in place, there has been amplified instances of the various types of credit card fraud, namely Intercept Fraud, Skimming, Site Cloning as well as Triangulation. This propelled an industry and government–led initiative in the UK to embark on the introduction of Chip and PIN card technology.
Based on the EMV standard (Euro pay, MasterCard, Visa) Chip and PIN technology was launched in the UK on February 14th 2006. This programme was introduced to combat credit and debit card fraud, and to provide an ideal way of validating the cardholder’s identity. By utilizing smart card technology a microchip is embedded with the customer’s information which includes their unique four digit PIN. For transactions to be accepted, the customer PIN entered must match the one encoded on the microchip. These steps are further explained below:
The card is inserted by the customer into the card reader.
The card reader would then prompt the user to insert their PIN.
A four-digit PIN is then entered by the customer. Once the reader accepts the PIN entered the transaction would be approved. Note the PIN entered is not displayed on the reader but rather represented by asterisks.
The customer is issued a receipt as confirmation of the transaction process.
This process removes the responsibility and accountability from the merchant to the customer for point of sale transactions. The card never leaves the customer’s hand and as such prevents skimming of one’s card information. One of the benefits of the Chip and PIN cards is that the Chip itself is encrypted with a range of security features, which the transaction processing system uses to identify the cardholder. These security features are said to be virtually impossible to replicate.
The terminals used for Chip and PIN transactions, use secure transmission technology to ensure the privacy of the cardholder’s data and can operate over a range of connectivity environments, such as wired, wireless and cellular networks. The PCI Security Standards Council also developed a framework of standards which is legally enforced through a merchant/service provider/card brand agreement. These include requirements that support the encryption of the cardholders’ account data and the point of sale terminal integration.
Figure 2: Outline of the process of a Chip and PIN transaction
The PIN entered replaces the request for signature as verification of the transaction. This is why the banking industry in the UK has campaigned for this technology, because signatures can be forged, however the PIN is unique to that person.
Although the United States is yet to convert to this technology, countries such as Japan, China, Canada, Mexico as well as the majority of the European Countries have all introduced Chip and PIN technology and it is gaining momentum in various other countries including Trinidad and Tobago.
Republic Bank Trinidad and Tobago Limited is the first local bank in Trinidad and Tobago to introduce Chip and PIN technology to make the concept of paying by credit card safer for cardholders. The bank adopted this type of technology because this is now an industry-wide conversion from the magnetic-stripe cards and it is also in keeping with the EMV standard.
Conversely, a potential security issue with Chip and PIN card terminals is its capability of processing cards with the magnetic stripe as well. Because of this the request to enter the customer’s PIN can be bypassed by the merchant, with a receipt generated to be signed by the customer. Now because this option is still available it poses an added security threat to card transactions.
So, unfortunately skimming still remains a huge problem for cardholders and sadly enough this includes Chip and PIN cardholders as well. Although this practice is slowly migrating from EMV compliant countries, once a card has been skimmed it can still be used in countries where the magnetic stripe is still prevalent, for example some Asian Countries and the United States. This is why many fraudsters can still create a fake card with stolen magnetic stripe information which can be used in for example the United States.
The United States believes that although Chip and PIN has reduced fraud for face to face card transactions, there are a still a number of issues surrounding the security of the system used for this these transactions. Now as with any new system introduced, there have been a number of studies on whether Chip and PIN cards are really secure. So the question is has Chip and PIN technology impacted on the activities of overall card fraud or has the activities of fraudsters shifted from retail crime.
In a study by Emily Finch (2010) The Impact of Chip and Pin Technology and The Activities of Fraudsters, it was recognised that since the implementation of Chip and PIN technology participants involved in card fraud made varying decisions when it came to their crime of choice.
The Decision to Desist
The Decision to Continue
To work with others
Shift to Distance Transactions
Diversification of Theft into Identity
The study also shows that there is a shift in the attack strategy of fraudsters from point of sale card fraud to Internet and Card Identity Fraud. In an analysis of Internet and Card Identity Fraud, we can note that Chip and PIN technology was not designed for preventing these types of card fraud. So, the question remains, was Chip and PIN successful at what it was set out to achieve……reduce card fraud? This too can be argued further as there are other limitations. How can one link a particular card to a specific owner? Once the PIN is known by the individual a transaction can be completed with ease. Other studies have shown that the card readers used for Chip and PIN transactions can be modified.
In a study by a team of University of Cambridge Computer Scientists, they have uncovered a series of fatal flaws in the Chip and PIN system. One example is where the internal hardware can be replaced without external evidence of this. This new terminal could then be programmed and modified so that it performs just as a typical terminal, where the card details can be collected and allow criminals to make cards with a fake magnetic stripe, which along with the PIN would enable a fraudster to make ‘valid’ purchases. Another example is that fraudsters can insert an electronic wedge between the stolen card and the terminal, which tricks the terminal into believing that the PIN was correctly verified.
Further, with this wedge inserted, any PIN can be entered and the transaction would be verified. This type of fraud makes it difficult for the victims of the attack to be refunded by the bank as the receipt given is authentic and would state verified by PIN. The bank in turn would be accurate in stating that no refund is required as their records show verified by PIN. This type of complaint appears as an act of negligence by the cardholder as he/she allowed their PIN to be compromised. So based on this study the point of sale attacks are much more prevalent, since before the introduction of Chip and PIN cards, consumers only entered their PIN at ATMs. Now with the introduction of Chip and PIN, consumers are using their cards at various other public areas. To combat the compromising of the consumers PIN a shield over the keypad has been used as added security but in many public areas there are video cameras and a person’s PIN can still be captured on footage.
So, although the UK banking industry has claimed to have rolled out this new technology successfully in 2006, there seems to be some negative aspects of this technology. The architecture surrounding Chip and PIN technology is questionable and the onus is on the banking industry to ensure that cardholder’s information is protected.
Additionally, it also seems that Chip and PIN terminals offer no difference to what the magnetic stripe terminals offered. These terminals can be tampered with, which is a clear indication that there needs to be accurate configuration of these terminals so as to secure the cardholders data when transmitting transactions and that is not vulnerable to incident of attack. So the intent of Chip and PIN technology has more so opened a new marketplace for fraudsters than prevent/reduce fraudulent activity.
PROJECT DESIGN, OBJECTIVES AND RESEARCH METHODS
The scope of this project is to outline the features of Chip and PIN technology and whether its implementation thus far has been beneficial. This section of the project would provide the methods involved in achieving the data for the project as well as the results based on the data collected. The chosen approach to this design is online research (journals/scholarly articles) along with a case study on the implementation of Chip and PIN technology in Trinidad and Tobago, with the case being Republic Bank Limited.
Objective 1
A good foundation for this objective would be the interpretation of the credit card’s history. How has this cash-less mechanism moved from a local innovation to a global payment mechanism by use of digital communication across networks? In gaining a clear understanding on the reason for the implementation of this technology, a wealth of research would be conducted on credit card technology and digital security.
Objective 2
A holistic understanding on the basis of credit card fraud and the types of fraudulent activities and the steps taken to prevent credit card crime. What technologies have been implemented and the effects/benefits drawn from these approaches.
Objective 3
Expanding from objective two also discussed would be whether or not since the introduction of Chip and PIN technology in the UK, has there been a cascading effect of this new technology across countries. Analysing the increasing number of fraudulent activities reported from statistics, which compelled the global banking industry to find a seamless solution for the protection of cardholder’s data.
Objective 4
An assessment on the introduction of Chip and PIN technology by Republic Bank Limited, which would include sourcing information on its implementation and the benefits derived. Further research would be on the acceptance (or non-acceptance) of the technology by customers.
Objective 5
Lastly, from the feedback received from the interview conducted and by analysing the incidents of attack on Republic Bank credit cardholders, what was the determining factor in the bank aligning themselves with the UK standards set by EMV?
CONCEPTUAL FRAMEWORK
In identifying the framework to be adopted that can be referenced to the literature in this research, the author considered the Delone and Mc Lean IS Success Model. Using this model, the author would explain the net benefits of adopting Chip and PIN technology, relating it to Republic Bank’s implementation of this technology.
DeLeone and McLean IS Success Model
In evaluating the success of Information Systems, the D&M IS Success Model, ‘systems quality’ measures the technical success, ‘information quality’ measures semantic success and ‘organisational impacts and user satisfaction’ measures the effectiveness of the system. The processes in the model are inter-connected by links, across the dimensions of the system.
Figure 3: Depiction of the Updated Information Systems Success Model (DeLeone & McLean 2002, 2003)
The updated D&M Model interprets the evaluation of a system in terms of the information, system, and service qualities and how these characteristics attribute to user satisfaction. As a result of using the system, certain benefits will be achieved and the net benefits will in turn (positively or negatively) influence user satisfaction and the further use of the information system. So, therefore three basic components make up this model, the creation of a system, its use and the consequences of its use.
Case study as it relates to the ISS model.
Republic Bank has been providing banking and financial solutions to individuals and businesses for over 160 years. Their mission is not only to provide efficient and competitively priced services but also to implement sound policies which will be beneficial to their customers. These factors presented provide clarity and influences the net benefits of the implemented Chip and PIN system at Republic Bank thus far.
By use of the ISS model to map the research done in this project, the author would complete a step by step relay of the framework discussing the implementation of Chip and PIN by Republic Bank.
Information Quality-Information quality refers to the accuracy/protection of the content of the data in transacting. How secure is the personalized data being transmitted across networks. When a customer presents their card to make a purchase, are they confident that their card information is protected because of the added security enabled on this card.
System Quality-The system quality refers to the reliability of the network and the response time in transacting, notwithstanding the approved devices that accept personal identification numbers for all PIN based entries (the ease of use of the system functionalities). Therefore in rolling out this new technology the bank along with their partner merchants would train staff so that they are familiar with the best practice guidelines when using Chip and PIN.
Service Quality-This refers to the back-end support systems that assist in usage of the technology. How reliable are Republic Bank’s servers and IP networks?
User Satisfaction- This encompasses measuring the user’s entire experience-the purchase payment, receipt and service (the ease of purchasing without the fear of being a victim of fraudulent activity).
Net Benefits -This is the most important success measure and it encapsulates the cost savings and the decrease in the value of fraudulent transactions arising from stolen credit card data. Was the implementation of this technology beneficial in reducing the incidents of card fraud? Are Republic Bank cardholders satisfied that their bank is on par with global industry changes?
The focus of this success model lies in determining the impact the features of technology (information, system, and service quality) have on the variables user satisfaction, use, and net benefits. The main objective for using this ISS model is to establish the ultimate benefits derived from the use of information system both in individual and organizational terms.
FINDINGS
This chapter will illustrate the findings from the questionnaires submitted to a sample of the Republic Bank’s credit card customers as well as a formal interview conducted with an employee of Republic Bank Credit Card Centre. The aim of the chapter is to source an awareness of the topic area Chip and PIN by cardholders and the personnel interviewed.
Primary Data Collection
For the basis of the findings of this research the author conducted a formal interview with a middle management employee at Republic Bank and also distributed questionnaires to a sample of the bank’s credit card customers. A summarized version of the responses from the interview is represented in this chapter, based on the interviewee’s knowledge.
The questionnaires distributed were mostly closed questions so as to deliberately avoid open-ended respondent answers. Approximately 120 questionnaires were distributed to Republic Bank Customers. Only the answers to the key questions are represented in this chapter.
Summarized responses from the interview
This interview was conducted with the Supervisor, Card Services, which prove to be very insightful. The Supervisor spoke about the bank’s vision for their credit card market, and how they plan to continuously innovate so as to maintain their customer base and attract new ‘profitable’ customers. Since the credit card industry is a highly competitive one, the bank is constantly reviewing their interest rates and looking for new ways to give customer returns from the use of their credit card. Due to his long tenure at the bank and having the customer service background, the supervisor was able to give insight on what infuriates a credit card customer. He explained that customers become frustrated when they see added charges and puffed up late fees placed by the bank on their card statements. In view of the fact that most customers do not read the fine print when completing a credit card application, they are not totally aware of all the charges that can arise from delinquent payments. He further added that although queries like this can be explained by representatives at the bank who can provide valued solutions to the cardholder’s problem, the most infuriating of all queries from customers are unexplainable purchases on their account. At Republic Bank, fraudulent activity on a card can be detected from the use of their state-of-the-art security systems and their experienced fraud expert team that are in place to monitor and detect any unusual activity on a customer’s credit cards, but even with these measures in place, fraud can occur.
The supervisor expressed that by implementing Chip and PIN technology for credit cards, the bank was able to be a step ahead of the competition and most importantly the card criminals. He also stated that although credit card fraud is not as prevalent in Trinidad and Tobago as in the developed countries, continuous education in counteracting fraudulent activities for their customer base is an effective method of addressing credit card fraud. He explained that Republic Bank has not had many eye-opening occurrences of notified credit card fraud but they believe that Chip and PIN technology is an innovative solution to the likelihood of this problem.
He was also truthful in expressing that this technology is still new to the industry and all merchants have yet to convert to Chip and PIN enabled machines, therefore there is a window of opportunity for fraud until merchants are mandated to have these Chip and PIN enabled machines. He used the term mandate, because eventually all Republic Bank debit cards would also be chip enabled.
In summing up the interview the author probed the supervisor on the bank’s position on the studies done by the University of Cambridge team on Chip and PIN technology and the tested flaws of the system. His response was quite interesting, because it ventured into a thought-provoking discussion on research. He lamented that the sphere of research done on any topic would result in the researcher seeking out the positive and negative aspects of it. How the data is interpreted, reflects the real value of the research done.
Questionnaire Findings
Question 5: How often and where do you frequently use your credit card to make purchases?
Aim: To assess how often the average Republic Bank cardholder uses their credit card.
Findings: Most Republic Cardholders in this study used their credit card regularly, at least five times per month. Credit Cards are used for purchases at the supermarket, restaurant and retail clothing stores.
Question 6: Has your credit card information ever been compromised? If yes provide details.
Aim: To determine the number of incidents of attack on Republic Bank credit card holders.
Findings: Less than 50% of the respondents have never had their credit card data compromised.
Question 7: Do you understand the workings of Chip and PIN technology introduced to Republic Bank credit cardholders and the value to be derived from using this technology?
Aim: To determine the extent of the customer’s perception of this technology’s value and how the card is used.
Findings: Although some customers are guarded about the use of their credit cards, most of the respondents are confident in the service that Republic Bank provides and believes that implementing Chip and PIN gives them that added security against fraudulent activities, especially those customers that frequently travel abroad.
Question 8: How do you think by using Chip and PIN cards for making payments will make it easier in transacting?
Aim: To establish the efficiencies in the use of Chip and PIN cards, on the time taken to complete a transaction.
Findings: Many customers applaud this technology as it reduces the time taken at the cash register when making purchases. It is simple, easy and convenient and most customers are truly happy as there is no need to write their signature. For this reason they find the system most efficient as it prevents their signature from the likelihood of being forged.
ANALYSIS
The main objective for the research completed on this topic, was to show how and to what extent the adoption of Chip and PIN technology has improved credit card security for Republic Bank cardholders.
At a glance, before Chip and PIN technology was introduced in the UK, there was nation-wide educational literature on the benefits of the technology for banks, merchants and most importantly, the customers. However, it seems that this programme led by EMV, created more enthusiasm in the build-up to its implementation rather than the actual usage of the system. From the research, the mounting negative features of the technology and use of the system is outweighed the decreasing positive ones. It seems that the card theft criminals were focused on a solution to obstruct the successful use of the technology before the intention to use.
The question remains, which facet of credit card fraud has Chip and PIN really reduced? The research show that for point of sale transactions Chip and PIN has been useful in the prevention of skimming one’s card information, however the fraudsters have found alternative ways to improve on that tactic. Chip and PIN technology can only be used “successfullyâ€? for point of sale transactions and not online transactions, so fraudsters have modified their techniques as with the modifications of the technology.
Based on the research framework adopted, Republic Bank has measured their net benefits of adopting the Chip and PIN technology by encircling the information, service and system qualities to deliver user satisfaction and usage of the system with this technology. The success of any information system is multi-dimensional and the relationships among the constructs relate to the comprehensive evaluation of the system. The variable dependent on these constructs are the net benefits of this system, and for whom?
This local company has app