Payment card security

Modern payment cards are equipped with a number of technological solutions that increase the security of their use. On the one hand, these features should protect the card well; on the other, they should be easy for the merchant, the cardholder and the card issuer (the bank) to verify. They need to ensure that:

  • the card is genuine and has not been forged by criminals;
  • the person using it is really the holder they claim to be.

Therefore, to reduce the possibility of fraud, card organizations and banks use a multi-level security system. It is built in such a way that its individual areas are complementary to each other. This system includes:

  • overt and covert visual security;
  • electronic security built into the card;
  • security measures protecting data transmission during the payment authorization process.

Visual security

The primary protection of a payment card from counterfeiting and unauthorized use is personalization, that is, the assignment of the card to a specific customer, the bank and the card organization. This security suite includes:

  • the 16-digit card number (embossed on the lower part of the front);
  • the expiration date in MM/YY format – an expired card must be automatically retained or rejected by the ATM or the point-of-sale terminal;
  • the name and surname of the cardholder – the card may be used only by the person whose personal data appears on the plastic;
  • the three-digit CVC2/CVV2 code, a security feature for remote transactions where a PIN cannot be used. It is stored only on the back of the card and in the bank's IT system;
  • the holder's signature (and, on business cards, the embossed company name). Unsigned cards are considered invalid;
  • every payment card must also carry the scheme logo (e.g. VISA, Eurocard/Mastercard, PolCard, American Express).

An interesting fact is that another form of security is the exact layout of all the items that appear on the card. Each merchant receives, along with the terminal, instructions from the operator describing the order and placement of the individual details. For example, the PaySquare Guidelines for Merchants state that on Mastercard-branded cards "the four digits printed below the card number must match the first four digits of the card number and begin with '5'", and that the card number must be embossed in blocks of four digits of uniform size and shape.
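The visual rules listed above (16 digits, Mastercard numbers starting with '5', the printed four digits matching the number prefix, a non-expired MM/YY date) can be turned into a simple terminal-side check. The code below is an added illustration, not the article's or PaySquare's own; it also adds the Luhn mod-10 checksum that card numbers carry, which the article does not mention, and uses a well-known test number rather than a real account.

```python
import re

# Added illustration (not from the article). The card number used in the
# demo is a well-known test number, not a real account.

def luhn_valid(number: str) -> bool:
    """Mod-10 checksum carried by card numbers (an added check, not
    described in the article); catches mistyped or made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def expiry_ok(mm_yy: str, today_ym: tuple[int, int]) -> bool:
    """MM/YY expiry is valid through the last day of that month."""
    m = re.fullmatch(r"(\d{2})/(\d{2})", mm_yy)
    if not m:
        return False
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    return 1 <= month <= 12 and today_ym <= (year, month)

def visual_checks(number: str, printed_four: str, mm_yy: str,
                  brand: str, today_ym: tuple[int, int]) -> list[str]:
    """Return the failed checks; an empty list means the card passed."""
    failures = []
    if not re.fullmatch(r"\d{16}", number):
        failures.append("number must be 16 digits")
    elif not luhn_valid(number):
        failures.append("checksum failed")
    if brand.lower() == "mastercard" and not number.startswith("5"):
        failures.append("Mastercard number must begin with 5")
    if printed_four != number[:4]:
        failures.append("printed four digits do not match number prefix")
    if not expiry_ok(mm_yy, today_ym):
        failures.append("card expired or expiry malformed")
    return failures

if __name__ == "__main__":
    # Constructed sample: a test number, checked as of June 2024.
    print(visual_checks("5555555555554444", "5555", "12/29", "Mastercard", (2024, 6)))
```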

Of course, personalization is not the card's only protection. Card issuers also add special markings that make the plastic difficult to counterfeit. This set of security features includes holograms, security graphics, microprints and characters that are visible only under UV light.

Hologram

A hologram is a three-dimensional optical image recorded on a thin, laser-sensitive foil. Its content becomes visible only under suitable light and when the card is held at the right angle. The hologram cannot be removed or modified because it is fused into the card material by a method known as hot-stamping foil.

The hologram is one of the best overt security features of payment cards. Its great advantage is that the merchant can verify it quickly, without any additional equipment, at the place of the transaction, for example in a store, a restaurant or a gas station.

The use of holograms is quite expensive (due to the very high cost of the matrix), but – paradoxically – it is this factor that prevents fraudsters from creating “fakes”. Unfortunately, there are cases when criminals invest in an expensive printing press and are able to produce cards with a seemingly original hologram.

Fun fact: a few years ago the Polish police dismantled a gang that had forged more than 2,000 credit cards in this way and used them to obtain goods worth at least PLN 1.5 million.

Security graphics and fine prints

These items are classified as covert security features because they are difficult to see with the naked eye. They are very complex, irregular and tiny graphics applied to the card in a specialized printing process.

Microprints become visible only in the right light and under high magnification, so merchants are not required to verify them. They are mainly used to authenticate a card at a specialized forensic level during investigations by law enforcement agencies.

Security features visible under UV light

As a rule, these are the graphic symbols of the payment organizations, but not always. Sometimes they are single letters that the issuer places in an unexpected spot, for example in a corner of the card or under the coating that covers the magnetic stripe. Ultraviolet printing uses a special ink whose chemical properties make the mark invisible to the naked eye.

Fun fact: In UV light, an extra letter V appears on the Visa card between the letters “I” and “S”. On Mastercard cards – the abbreviation MC is on the left side of the card.

If a merchant has doubts about a card's authenticity, they can check this feature independently (although it is not mandatory). Terminal operators always state in their merchant instructions what the UV element is on a particular type of card, so merchants know where it should appear and what it should look like.

Signature Tape – Special Protection

One of the most heavily protected elements of the card is the signature panel on the back, where the holder of the plastic puts their signature. This area is equipped with a number of different security features, such as UV printing and/or interlocking embossing.

In addition, beneath the microprint lies a layer of white paint that forms the signature background. Any attempt to erase or scrape off the name on the panel removes this layer as well, and the damaged field reveals the word 'VOID' (Mastercard) or 'Invalid card'.

The use of so many security features is dictated by the fact that in offline transactions it is the signature that allows merchants to verify the identity of the plastic's owner. However, as we well know, merchants rarely look at our card when we pay with it. First, because a thorough verification of each card would take a very long time, and second, the first time they tried to do it they would probably lose the customer forever. For this reason, banks rely more on remote security.

Electronic security

But how can one remotely check that the person using the card has the right to do so? In online transactions (such as cash withdrawals from ATMs), visual security becomes less important and electronic security becomes more important. Thanks to these features, the card issuer (the bank) can make sure that a given operation was ordered by the real cardholder and not by a fraudster.

The card's primary security is the PIN (Personal Identification Number). It is a kind of "electronic signature" of the plastic's owner and is treated by financial institutions on an equal footing with a handwritten signature. This four-digit code allows you to make transactions in stores and withdraw money from ATMs, and at the same time protects our savings, of course only if we keep it secret and do not carelessly share it with thieves.

Electronic security also includes the magnetic stripe and/or the chip. These are the places where the encoded data set is held on the plastic. The information stored in the processor chip complements the card's visual security and is used to authorize remote transactions.

Magnetic stripe card vulnerable to fraud

The magnetic stripe consists of three tracks, that is, parallel magnetic bands that are read by a magnetic read head in an ATM or terminal. The first track contains the cardholder's name and surname as well as details of the country and the bank that issued the card. The second track contains the card number, its expiration date and the service code needed to complete the transaction correctly. The third track is used to record private bank information.
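To make the track layout concrete, here is an added parser (not from the article) for constructed track 1 and track 2 strings in the standard ISO 7813 layout, together with a redaction routine of the kind a terminal or acquirer would run over its own logs, since full track data must not be retained after authorization. The card number, name and discretionary data are made up; the PAN is a test number.

```python
import re

# Added illustration (not from the article). The track strings below are
# constructed in the ISO 7813 layout: a test card number, a made-up name,
# expiry as YYMM, a 3-digit service code and made-up discretionary data.
TRACK1 = "%B5555555555554444^KOWALSKI/JAN^29122011234567890?"
TRACK2 = ";5555555555554444=29122011234567890?"

TRACK1_RE = re.compile(r"^%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
TRACK2_RE = re.compile(r"^;(\d{13,19})=(\d{4})(\d{3})([^?]*)\?$")

def _fields(pan, yymm, service, discretionary):
    return {
        "pan": pan,
        "bin": pan[:6],                        # leading digits identify the issuing bank
        "expiry": f"{yymm[2:]}/{yymm[:2]}",    # YYMM on the stripe -> MM/YY as printed
        "service_code": service,
        # first digit 2 or 6 means the card also carries a chip: a stripe-only
        # read of such a card is a fallback the terminal should treat with care
        "chip": service[0] in "26",
        "discretionary": discretionary,
    }

def parse_track1(data: str) -> dict:
    m = TRACK1_RE.match(data)
    if not m:
        raise ValueError("not track 1 data")
    pan, name, yymm, service, disc = m.groups()
    return {"name": name, **_fields(pan, yymm, service, disc)}

def parse_track2(data: str) -> dict:
    m = TRACK2_RE.match(data)
    if not m:
        raise ValueError("not track 2 data")
    return _fields(*m.groups())

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact_track_data(text: str) -> str:
    """Strip any track 1/2 fragment from free text such as terminal logs;
    full track contents must never be stored after authorization."""
    def repl(m):
        return f"<track data removed; pan {mask_pan(m.group(1))}>"
    text = re.sub(r"%B(\d{13,19})\^[^?]*\?", repl, text)
    return re.sub(r";(\d{13,19})=[^?]*\?", repl, text)
```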

Unfortunately, the security features of this type of card are very easy to defeat. Using a device called a programmer, fraudsters can easily copy the contents of the stripe and transfer the card's sensitive data to a copy. A cloned card works just like the original, and transactions made with it are charged to its rightful owner.

Chip cards are more resistant to copying

The smart cards that have replaced magnetic stripe cards are equipped with a much better security system. Besides the microprocessor, the chip also contains permanent ROM that holds the operating system. Its memory is divided into:

  • a freely readable area, containing the encrypted data of the cardholder: name, surname, card identification number, expiration date, and the name of the financial institution that issued the card;
  • a secret area, accessible only after the PIN is entered. It stores information about the card manufacturer and confidential data about the user;
  • a working area, where variable data is stored (e.g. the card's transaction list, the bank account balance, transaction counters, etc.).

In addition, the chip is equipped with a cryptographic coprocessor that runs complex algorithms. Moreover, the communication between the terminal application and the processor can itself be encrypted, which is an additional protection against advanced attacks.

In short, the chip embedded in the card uses multi-stage encryption techniques and generates unique, dynamic data for every transaction (the so-called message signature). As a result, it is almost impossible to copy the information held on a smart card in a usable form.
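The following simplified model, added here and not the real EMV algorithm, shows why per-transaction dynamic data defeats copying: the chip's secret key never leaves it, each transaction is signed together with an ever-increasing counter, and the issuer rejects a forged signature, a tampered amount or a replayed counter. The key, amounts and nonces are constructed demo values.

```python
import hmac
import hashlib

# Added illustration (not from the article and not the real EMV algorithm):
# a simplified model of per-transaction dynamic data. The chip holds a
# secret key that never leaves it and a transaction counter (ATC) that
# increases on every use; the issuer holds the same key and checks both.

def _cryptogram(key: bytes, tx: dict) -> bytes:
    """Keyed digest over the transaction fields; changes with every ATC and nonce."""
    msg = f"{tx['amount']}|{tx['currency']}|{tx['nonce'].hex()}|{tx['atc']}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    def __init__(self, key: bytes):
        self._key = key          # stays inside the chip; a stripe copy would not contain it
        self.atc = 0             # application transaction counter

    def sign_transaction(self, amount_cents: int, currency: str, terminal_nonce: bytes) -> dict:
        self.atc += 1
        tx = {"amount": amount_cents, "currency": currency,
              "nonce": terminal_nonce, "atc": self.atc}
        tx["mac"] = _cryptogram(self._key, tx)
        return tx

class Issuer:
    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0        # highest counter value accepted so far

    def authorize(self, tx: dict) -> str:
        expected = _cryptogram(self._key, tx)
        if not hmac.compare_digest(expected, tx["mac"]):
            return "DECLINED: bad cryptogram"   # forged, tampered or signed with the wrong key
        if tx["atc"] <= self.last_atc:
            return "DECLINED: replay"           # this counter value was already used
        self.last_atc = tx["atc"]
        return "APPROVED"

if __name__ == "__main__":
    key = bytes(16)              # constructed demo key; a real key is random and per card
    card, bank = ChipCard(key), Issuer(key)
    tx = card.sign_transaction(1999, "PLN", b"\x01" * 8)
    print(bank.authorize(tx))    # APPROVED
    print(bank.authorize(tx))    # DECLINED: replay
```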

Security of the authorization process

When we pay with a card in a store or withdraw cash from an ATM with it, our bank must make sure that we have the right to do so and are not impersonating the rightful owner of the plastic. This process is called authorization, and for an online transaction it goes like this: the ATM or terminal reads the data from the chip or magnetic stripe and sends it to the acquirer, which verifies that the card is valid. If so, the customer is asked to enter the PIN, which is encrypted already in the device and sent to the bank in that form (so even a person working in the authorization center cannot read it). If the PIN is correct, the processing center's computer approves the transaction.

It should be noted that banks' authorization systems have additional security measures built in to help detect fraud, i.e. unusual and suspicious card transactions. If a particular payment deviates from the typical pattern of a given customer's transactions, for example at 1 pm he pays with the card in a Żabka store and a few hours later buys a Mercedes in Florida, the bank may conclude that the card has fallen into the wrong hands and interrupt the authorization process (or even block the card without the holder's knowledge).

Offline transactions, for example with a contactless card, are authorized somewhat differently. In this case the ATM or terminal does not contact the bank's authorization center but checks the data needed to complete the transaction itself. As an additional safeguard, the device automatically checks whether the card appears on the so-called stop list, that is, the list of stolen and blocked cards. If it does, the device halts the authorization and displays a message to the merchant, who should then retain the card.

We have discussed the course of the authorization process in detail in this article.

Online payment security

The situation is less clear for online transactions, during which the seller cannot visually assess the authenticity of the card, and the only form of verifying the identity of the plastic's owner is the three-digit CVC2/CVV2 code. If a thief steals our card, he does not need to know the PIN: all he has to do is enter the card's details, and payments for his purchases will be charged to our account.

A solution that prevents this type of fraud is the 3D Secure service offered by most Polish banks. It adds a confirmation of the transaction with a one-time password. Depending on the authorization tool we use, this may be a code from a text message, a scratch card or a token. Once it has confirmed that the person making the purchase is the actual cardholder, the bank passes the transaction on for normal authorization.

It is worth noting that online store owners are also obligated to ensure the security of transactions. First of all, they must assure their customers that the transfer of data between the customer's home computer and the server hosting the store's website and database is resistant to attackers. The primary tool that provides such protection is an SSL (Secure Sockets Layer) certificate. It has three important functions:

  • it encrypts the data, ensuring its confidentiality;
  • it protects the integrity of data in transit: the data cannot be altered by third parties, or any such change is detected automatically;
  • it assures users that they have landed on the genuine site and have not been redirected to a fake but confusingly similar one.

The fact that an online store has an SSL certificate is visible in the website address: the "https" prefix indicates that the site uses an encrypted connection. Additional indicators are the padlock icon or a green address bar.

Many large online stores also apply a very strict additional security standard, developed jointly by the largest payment organizations. The PCI DSS (Payment Card Industry Data Security Standard) covers 12 important areas related to the storage, transmission and processing of data that identify individual cards. Failure to comply with PCI DSS requirements may have serious commercial and financial consequences for a company, and may even result in its exclusion from the payment card system.

Security of the future

Perhaps, in the rather distant future, security measures will be introduced that reduce card fraud attempts to almost zero and make it easier to verify the identity of the plastic's user.

Today, the largest payment organizations are already working on biometric cards that allow a specific person to be identified based on unique physiological features, such as fingerprint pattern, vascular arrangement, iris pattern or hand geometry.

An alternative solution might be bank cards in the form of a chip implanted under the skin, using the NFC technology already found in contactless cards. Such a chip cannot be forged, and its holder cannot be impersonated, so its only weak point would be data transmission.

You can read more about cards with a biometric PIN in this article.

Summary

It is true that the introduction of optical security and chips has curbed the cloning of payment cards, but criminals have not given up. Today the real battle for payment card security is taking place in cyberspace, and the places most vulnerable to attack are the channels used to transmit the data needed in the authorization process. Intercepting the information stored on the card's chip still allows an attacker to impersonate the plastic's owner and make payments on his account.

Sometimes, however, criminals do not have to make much effort at all, because we ourselves carelessly hand them this data. Payment card fraud currently accounts for 92% of all crimes against bank customers. It is therefore worth noting, in closing, one more very important security component of the card: our own common sense. We must take care of the security of our payment cards ourselves, and use them wisely and carefully.
