EMV
EASY MIGRATION GUIDE
Version 2
An impartial guide for Issuers and Acquirers looking
to migrate to EMV.
The key issues and technologies.
Some questions that must
be answered.
A reference for further information.
Produced in collaboration with other smart card
industry leaders.
www.thales-esecurity.com
Introduction to EMV
The development of the smart card may well turn
out to be one of the most fundamental changes
yet seen by the global payments industry.
Despite concerted development, magnetic stripe card technology has reached a technical dead-end.
A magnetic stripe simply cannot carry the strong security needed to keep cardholder details secret.
Once criminals found out how easy it was to make copies, fraud grew rapidly and, according to
European Card Review magazine, now costs the EU alone over 3.5 million a day.
But the limited security does more than leave private information vulnerable. It also means magnetic
stripe cards have little scope for more than one or two simple financial applications on a single card.
Against this background the smart card is revolutionary. The smart card works by storing information
securely for use during a transaction and by performing checks and processes using its internal
microprocessor. Very much larger memory capacity enables it to hold multiple applications: for
example an anchor debit card application, plus a number of others which do not have to be financial.
Early movers in the market have shown that smart cards reduce losses due to fraud while generating
new revenues and differentiation.
The move to smart cards is not a free-for-all. The major card associations have collaborated
to develop the EMV (Europay, MasterCard, Visa) standard, a mechanism by which the payments
industry is seeking to ensure that cards, terminals and other systems will successfully interact,
for debit and credit applications at least, wherever they are in the world.
The EMV specifications describe core attributes including physical and electrical characteristics, how
data and functions on the card are to be accessed, and how card security is structured, but they leave
the detail of individual financial applications to card associations to define.
For all card Issuers, the question is not: should we migrate to smart cards, but: when should we
migrate to smart cards? This is because the major card associations are setting dates by which
regions around the world must have completed migration to EMV cards. Beyond these dates liability for
fraudulent transactions will lie with magnetic stripe card issuers or acquirers, if it can be shown that
the use of smart card technology would have prevented the fraud.
Issuers need to bear in mind that the date appropriate to their region is not the starting gun for
migration; it is the date by which the whole of their card base and its supporting infrastructure should
be EMV compliant. Testing and any pilot scheme should be completed well before this date.
Typical schemes with three-year replacement cycles mean that cards issued in February 2002 will still
be in circulation past the European January 2005 deadline.
Given this effective countdown to EMV, it is likely that there will be a rush as the date looms nearer,
squeezing the amount of time technology vendors can devote to each Issuer. Better service and more
comprehensive support may be available to the early adopters.
There are, anyway, compelling differentiation and fraud prevention reasons why all Issuers should
consider moving quickly. American Express found that new customers in the US and the UK were
attracted by promised extra security and the novelty value of EMV smart cards. Early adopter market
advantage is therefore a reality.
Also a reality is the certainty that the last card Issuers to migrate will inevitably be the concentrated
target of fraudsters as the strong security of EMV smart cards closes the window of opportunity
for crime.
Further information
EMVco
JCB
MasterCard
Visa
Card ISSUER Challenges
Essential Issues
Financial Applications
EMV credit/debit applications
The EMV specifications are a framework of basic risk reduction measures. Issuers have the freedom to
select the strength of the further security parameters they apply to smart cards and this has led to
the development of different EMV banking applications by the global card associations. These
applications cover everything needed to produce a card, including functionality, card association specific
features as well as EMV risk management.
JCB (J/Smart)
MasterCard (M/Chip)
Visa (VSDC)
All of these are EMV-Compliant, but use slightly different additional risk parameters to manage the risk
of off-line transactions.
Most card associations offer SDA (Static Data Authentication), DDA (Dynamic Data Authentication)
and CDA (Combined Dynamic Data Authentication)* card authentication mechanisms within their
credit/debit application.
e-Purses
Electronic purses have been developed and deployed by a significant number of financial institutions,
but they have serious drawbacks. Lack of interoperability between schemes, poor geographical
coverage and the fact that most purses only support a single currency are three factors that
have limited adoption.
Some experts believe that the business case for e-Purse as a global scheme is unproven and that
we will see instead the emergence of niche, closed circuit and national e-Purse products.
The migration to EMV smart cards may create an environment in which e-Purse applications will work
and be readily accepted.
*See section on Application Security.
Further information
Thales e-Security
EMVco
American Express
JCB
CEPSco
MasterCard
Visa
Discover Card
Proton
Non-financial applications
Multiple applications on a single Card
A multi-application smart card, in addition to providing debit or credit functionality, might also work
as a store chain loyalty card, a library card, a gymnasium membership card; the possibilities are very
broad. Indeed, some industry commentators have suggested that there is no technical reason why a
single smart card should not securely carry all the personal information in the average person's wallet
including, in some countries, driving license and social entitlement details.
There is no doubt that the relative simplicity of a single application card provides the easiest and
fastest route to EMV issuing, with all the benefits of brand visibility, leadership and market penetration
that rapid deployment will generate for early adopters.
But it is unlikely to be as cost-effective as a multi-application card.
The more useful applications a single card holds, the more indispensable it becomes. The higher the
perceived value, the less likely the customer is to switch to an alternative card, even though it may
offer a lower interest rate. An Issuer that opens its card to applications from third-party providers
not only spreads card deployment and management costs but also generates further income streams
through its rental of card real-estate.
Small wonder that the overwhelming majority of industry experts expect multi-application cards
to eventually become dominant.
Over 50 companies, including all the major card associations, are now members of the GlobalPlatform
alliance that is working to establish standards for EMV multi-application smart cards and to promote
their deployment.
Further information
Catuity
Proton
Datacard
Welcome Realtime
Gemplus
Schlumberger
Many Issuers remain confident in SDA for on-line use because its mutual authentication checking
process is very secure. However, if smart cards are being used predominantly off-line, the extra
security provided by DDA in this environment will make it the authentication scheme of choice for
many Issuers.
A further method is also specified in the EMV 2000 specifications. In this method, known as CDA or
Combined Dynamic Data Authentication, the card generates the application cryptogram and the dynamic
signature. By verifying the dynamic signature the terminal is able to determine that the application
signature was generated by a valid card.
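A simplified model of the three mechanisms, added here as an illustration and not taken from the guide or from the EMV specifications: SDA checks an issuer signature over static data, DDA adds a card-held private key that signs the terminal's fresh challenge, and CDA has that signature also cover the application cryptogram. The toy RSA keys built from Mersenne primes, SHA-256, the HMAC standing in for the cryptogram, the terminal trusting the issuer key directly, and all names are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy keys for this demo only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Constructed keys from Mersenne primes: fine for a demo, unusable in practice.
ISSUER_PUB, ISSUER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
CARD_PUB, CARD_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)
STATIC_DATA = b"PAN=0000000000000000;EXP=0000"  # constructed card data


def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_h(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data)


def pub_bytes(pub):
    return b"%d:%d" % pub


class GenuineCard:
    """A chip card: readable data plus a private key that never leaves the chip."""

    def __init__(self):
        self.static = STATIC_DATA
        # Both signatures are produced by the issuer at personalisation time.
        self.ssad = sign(ISSUER_PRIV, self.static)  # checked by SDA
        self.pub = CARD_PUB
        self.cert = sign(ISSUER_PRIV, pub_bytes(self.pub) + self.static)
        self._priv = CARD_PRIV
        self._ac_key = secrets.token_bytes(16)  # stand-in for a derived card key

    def dda(self, un):
        # Dynamic signature over the terminal's unpredictable number.
        return sign(self._priv, un)

    def cda(self, un, amount):
        # Application cryptogram (HMAC stand-in) bound into the dynamic signature.
        ac = hmac.new(self._ac_key, amount + un, hashlib.sha256).digest()[:8]
        return ac, sign(self._priv, un + ac)


class CopiedCard:
    """Everything a terminal can read, plus one observed DDA reply, but no private key."""

    def __init__(self, genuine, seen_un):
        self.static, self.ssad = genuine.static, genuine.ssad
        self.pub, self.cert = genuine.pub, genuine.cert
        self._recorded = genuine.dda(seen_un)

    def dda(self, un):
        return self._recorded  # can only repeat what it recorded


def terminal_sda(card):
    return verify(ISSUER_PUB, card.static, card.ssad)


def _card_key_ok(card):
    return verify(ISSUER_PUB, pub_bytes(card.pub) + card.static, card.cert)


def terminal_dda(card, un=None):
    un = un or secrets.token_bytes(4)  # fresh challenge per transaction
    return _card_key_ok(card) and verify(card.pub, un, card.dda(un))


def terminal_cda(card, amount, un=None, in_transit=lambda ac: ac):
    un = un or secrets.token_bytes(4)
    ac, sig = card.cda(un, amount)
    ac = in_transit(ac)  # models a change to the cryptogram after the card sent it
    return _card_key_ok(card) and verify(card.pub, un + ac, sig)


if __name__ == "__main__":
    genuine = GenuineCard()
    copy = CopiedCard(genuine, seen_un=b"\x00\x00\x00\x01")
    print("SDA genuine/copy:", terminal_sda(genuine), terminal_sda(copy))
    print("DDA genuine/copy:", terminal_dda(genuine), terminal_dda(copy))
    print("CDA genuine:", terminal_cda(genuine, b"000000001000"))
```

The copy passes SDA because everything SDA checks can be read from the card, while DDA and CDA depend on a key that stays in the chip.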
Further information
Thales e-Security
Aconite Solutions
EMVco
JCB
MasterCard
Visa
Schlumberger
Gemplus
Java Card
Java Card is not an operating system but a series of specifications, which define how a Java Virtual
Machine can run on any vendor's underlying operating system.
In most cases Java implementations are migrating toward support of the GlobalPlatform standards
and API described below.
GlobalPlatform Card
GlobalPlatform is a highly secure, open and comprehensive system architecture designed to enable fast
and easy development of globally interoperable smart card systems. The GlobalPlatform specifications
and companion documents are available royalty-free from www.globalplatform.org.
GlobalPlatform includes published Application Program Interfaces (APIs) and specifications that enable
any compliant card from any vendor to be issued, loaded with applications and managed in exactly the
same way. It also provides for the use of multiple card operating systems and allows the issuer to
retain total control of the card and its applications.
MULTOS Card
MULTOS is an open standard multi-application smart card operating system that has been developed by
the MAOSCO consortium. MAOSCO requires all MULTOS devices to have been independently accredited
to the highest achievable levels of security assurance such as ITSEC E6 High. Hence MULTOS is
targeted at markets requiring high security such as finance, secure ID and other related applications.
The security of applications on a MULTOS card is provided by on-card firewalls that prevent memory
area intrusions, and a load/delete mechanism based on asymmetric cryptography which means card
issuers and application providers do not need to share secrets.
www.multos.com
Further information
Card platforms
GlobalPlatform
MAOSCO (MULTOS)
Card suppliers
Austria Card
ID Data Systems
Cardag
Incard
Schlumberger
DNP
Infineon
Setec
Fabrica Nacional
Iris Tech
Toppan
G&D
Novacard
Keycorp
Gemplus
Oberthur
Hitachi
Orga
Further information
ACI Worldwide
Cards etc.
Bell ID
Datacard
CardBASE Technologies
Proton
Schlumberger
Further information
See sections on Data Preparation and Card Personalisation.
Data preparation
Principal approaches to data preparation
Data preparation can be achieved with any of the three following methods:
Outsource
Outsourcing data preparation to a bureau is therefore seen by some as a better alternative. However,
it too has its potential downside. Today's bureaus offer a highly secure solution with the very highest
integrity. However, central to best practice in security is that the number of people handling
cryptographic keys is kept to an absolute minimum; outsourcing introduces more people
into the production chain and therefore introduces more potential points of weakness or attack. It also
requires Issuers to cede responsibility for managing the extra risk, and therefore ultimately the integrity
of scheme security, to a third party.
In-house with EMV data preparation solution such as Thales P3
Many, perhaps most Issuers, have a fundamental aversion to anything less than 100% control over
security. They have always generated the data for much simpler magnetic stripe cards in-house and will
wish to continue to do so for smart cards. They do not see in-house development of a data generation
system as an option because of cost and drain on IT resources.
Their solution will be the purchase and in-house operation of a data preparation system such as the
Thales P3.
P3 integrates with host systems and card personalisation devices to generate EMV smart card data
and keys from existing magnetic stripe card files.
A further reason for keeping Data Preparation in house is that an Issuer does not tie himself to one
personalisation bureau.
Bureaux may offer services for both Data Preparation and Personalisation. A one-off cost is typically
charged for setting up the keys required for Data Preparation, with an additional per-card cost for the
Data Preparation itself. Personalisation is also usually charged in a similar way.
If Data Preparation and the associated key management is ceded to one bureau, and six months later
another bureau is able to offer lower cost cards or personalisation services, then the resultant key
management costs at the new bureau may negate the potential savings by switching supplier.
One more consideration is that if Data Preparation is moved from one bureau to another, the
fundamental security elements (cryptographic keys) have to be shared with yet another party. Security
best practice dictates that cryptographic keys are shared with as few parties as possible.
EMV parameters
The process of data preparation includes the setting of EMV parameters for risk management
purposes. These parameters offer the Issuer options to tailor risk management to batches of cards, or
if required sometimes even on a per-card basis. With a potentially confusing number of combinations
of parameters, the card associations offer recommended sets of parameters for Issuers to adopt.
Tools may also be available from the card associations to automate the selection of these parameters.
Key management
Rigorous key management is essential for securing data preparation.
The system must be able to generate cryptographic keys, be able to receive cryptographic keys and
certificates from organisations such as Visa or MasterCard and also manage the keys during the
personalisation process.
Unlike magnetic stripe data, EMV smart card data contains potentially sensitive information, such as
keys derived from Issuer master keys. This means that every step in the process needs to be secured
using cryptographic hardware.
The five main areas of key management that a data preparation system must be able to handle are:
Key generation for each application.
Storage of the master key and transport keys
Key distribution to secure the personalisation process
Key update of the existing keys
Exchange of the public keys with scheme certification authorities (i.e. JCB, MasterCard and Visa)
Further information
Thales e-Security
Bell ID
Cryptomathic
Gemplus
UBIQ
Visa
Schlumberger
Card personalisation
Card personalisation can be a costly and complex business, depending on the size of customer
cardholder base and the number of different card products that an Issuer offers.
The larger Issuers historically have employed their own in-house card personalisation bureaus for the
production and issuance of cards. High card volumes help justify the expense of secure premises,
card personalisation systems and skilled staff.
There are three options when considering personalisation:
In house bureau
It is believed that the majority of cards will be issued from central in-house bureaus for the foreseeable
future. Smart card personalisation is slower than magnetic stripe personalisation, mainly due to the
vastly increased amount of data and cryptographic keys to be loaded onto each card. However,
personalisation equipment providers have developed solutions to this problem including systems that
program multiple cards simultaneously.
External bureaus
Most bureaus are also card manufacturers who realised that they were missing out by not providing
a much needed value-added service.
There are over 90 Visa/MasterCard certified card manufacturers worldwide, and the majority of these
also provide personalisation services. Most bureaus are regional, but there are global players including
Schlumberger, Gemplus, Oberthur and G&D.
Post-personalisation
Multi-application smart cards can be re-programmed in the field. New applications can be loaded and
old ones removed when the cards are used at compliant terminals.
Called post-personalisation, this powerful feature gives card Issuers the unique ability to provide a card
product that better supports the lifestyle of their customers, promoting usage and providing
cardholders with greater benefit and perceived value.
In order to support this business model, Issuers need to deploy infrastructure (such as a Smart Card
Management System) that allows the generation and delivery of secure personalisation data, in the
correct format for the target card, to remote devices in a real time mode.
An Issuer should check with their card vendor to see if the card they are considering supports this
important new industry standard.
1) In house bureau?
2) Outsource to a 3rd party bureau?
3) Instant issuance at a branch level?
Do I want to consider post personalisation of new applications to my cards?
How do I manage the workflow?
Further information
Personalisation machine suppliers
Atlantic Zeiser
Gemplus
CIM
G&D
Datacard
Oberthur
Schlumberger
Fargo
FDR
Logika
TSYS
Mattica
Mühlbauer
Thales e-Security
NBS
Datacard
Orga
Ubiq
Schlumberger
Gemplus
Acquiring and Terminal NETWORK Challenges
Interchanges
There are multiple interchanges (or switches) operating in most countries, with the most well known
being the international interchanges operated by Visa and MasterCard. They act as network hubs,
routing on-line authorisations from the Acquirer (acceptor) of a transaction to the Issuer for
authorisation.
To correctly route EMV transactions, interchanges, like host systems, will need to handle the
enhanced inter-bank transaction protocols required by smart cards.
Settlement
Currently most Acquirers and Issuers settle regularly with an interchange. This is normally
done through an exchange of batch files (for example Visa Base2) between the interchange and
its member banks. EMV impacts this process by adding chip-related data to the transaction records
within these files.
Further information
Transaction Processing
ACI Worldwide
Aconite Solutions
E-Funds
IFS
Logika
Mosaic Software
Nomad
S2Systems
Thales e-Security
Transaction authorisation
and Terminal Acquiring
ACI
Aconite Solutions
CR2
IBM
Mosaic Software
Nomad
Oasis
Schlumberger
Type approval
EMVco
MasterCard
Visa
JCB
ATM/EFTPoS networks
The change from magnetic stripe to smart cards will not happen overnight. Magnetic stripe cards will
be in use for many years to come. During the transition, terminals, payment networks and host
systems must support both types of card.
Type approval
For a terminal to be legitimately used for accepting EMV transactions it must have first been certified
(type approved) by a body appointed by the card schemes. EMVCo has worldwide responsibility for EMV
terminal type approval, but the testing itself is subcontracted to qualified test laboratories.
Certification testing is at two levels: Level 1 concerns mainly terminal hardware. It verifies
communications with the chip card and checks for correct electro-mechanical interaction.
Level 2 concerns mainly terminal software and ensures compliance with EMV specifications for
transaction flow and card/terminal interaction.
Any terminal used by banks for acquiring EMV transactions must be approved for both level 1 and
level 2. Terminal hardware and software may legitimately be from different vendors, independently type
approved by those vendors, respectively.
Terminals
The majority of ATM and EFTPoS terminals in current use only perform magnetic-stripe based
transactions, although some of them support smart card functions and would require a software upgrade.
Others support smart cards, but typically older versions of the EMV specification. They will also
need upgrading.
A small number of ATM networks have been performing chip-based transactions for some years. Use
of the magnetic stripe is still anticipated although in the future it will mainly be used to establish the
correct orientation for the card, except of course for magnetic stripe transactions when a non-chip
card is used.
ATMs typically need a substantial software upgrade to cope with EMV cards. Many of the leading ATM
manufacturers have already released type approved software but to date there are few deployments.
The slow take-up is partly due to such software only recently becoming available, and partly due to the
enhancements needed at host systems to accommodate the new application protocols.
Hardware upgrades are also required on some ATMs. The size of the upgrade is very dependent on
the particular style of ATM but varies from a simple change to the card reader to a full upgrade of the
ATM Processor.
For stand-alone dial-up EFTPoS terminals already incorporating chip card readers, EMV acceptance
is simply a matter of upgrading the resident software application. Such terminals are usually owned
by Acquirer banks or processors, making upgrades the responsibility of those organisations and not
the retailer.
Such a software upgrade can often be made remotely over the terminal network. However, this will
also require an enhanced transaction protocol between terminal and host, necessitating an upgrade at
the host also. As the protocols involved tend to be simpler than those used with ATMs, such host
enhancements are not normally a major obstacle to EFTPoS smart card acceptance.
Those stand-alone EFTPoS terminals that do not currently accept smart cards require either a
hardware upgrade or replacement. The upgrade route may seem the most cost effective but the
owner must be aware that there are performance considerations to be taken into account. For
example an old generation product that has been upgraded may result in lengthy chip transaction times
due to increased processing requirements. This will only get worse in the future with the introduction
of longer keys for increased security.
Consequently, the short term cost advantages of hardware upgrades must be balanced against the
impact on customer satisfaction (longer waiting times at the checkout). The ideal solution is to replace
the entire estate with the latest generation products but this can be costly. For those markets that are
migrating to PIN customer verification (such as the UK) the situation is even more complex. Upgrades
will have to consider not only chip but also PIN acceptance.
The situation is complicated somewhat by a second category of retail EFTPoS terminal. Many large
multi-lane retailers like supermarkets and department stores use integrated EPoS devices that combine
payment and checkout functionality. Upgrades will require significant programming effort to integrate
the software applications that handle bar code scanning, inventory and other functions with the EMV
payment transaction process.
As these devices are owned by retailers themselves, upgrades (and in the UK, off-line PIN also) will be
their responsibility. In general, however, retailers are viewing the shift to EMV positively. There will, for
example, be simpler point-of-sale procedures with less reliance on paper signatures, reduced potential
for fraud, faster checkout times, higher floor limits, and more scope for unattended terminals through
the use of offline PIN.
Further information
ACI
Mosaic Software
Aconite Solutions
NCR
Thales e-Transactions
Ingenico
Verifone
Appendix 1
Contributors to this document
THALES
Thales, one of the globe's leading suppliers of integrated security solutions, addresses the business
security needs of corporates and governments alike, protecting transactions, networks, identification
documents and sensitive sites. Thales' security capability extends to security and payment technology
for financial transactions, networks and e-commerce. An acknowledged expert in smart card
technology and applications, Thales is a European leader in security critical electronic payments,
integrated Electronic Fund Transfer (EFT), e-purse payment and secured keyboards, as well as being
the UK's leading supplier of electronic card payment terminals.
ACI
www.aciworldwide.com
ACI has been a leading company for more than 25 years with a worldwide presence in more than
80 countries focussing on payment engines for the financial industry and smart card management
systems. Amongst ACI's more than 2000 customers are the leading financial institutes. ACI's Smart
Card Division is based in Gouda, the Netherlands. It develops and delivers products to handle the
complete issuance, life-cycle management and workflow management for smart cards of any type
of card and purpose.
ACI views EMV migration as of prime strategic importance. Its wide ranging product suite (ACI Smart
Chip Manager, Base24) covering both the issuing and acquiring side of the business has already helped
over 50 banks to migrate to EMV. ACI's expertise in the EMV arena has been a key factor in successful
migration projects.
ACI Smart Chip Manager is deployed in the financial industry, health care, public transport, ID and
Government. Implementations range from small-scale single-application pilots to large-scale rollouts
of leading-edge multi-application schemes containing many millions of cards.
Banks aiming for the simplest form of EMV migration already reap the benefits of ACI Smart Chip
Manager. Legacy systems can be seamlessly integrated into the new chip-processes without the need
for extensive re-engineering. Any mix of card and chip types can be supported.
One of the strong features of EMV is the ability of parameter management. ACI Smart Chip manager
allows this capability as an additional module. It interfaces to ACI's acquiring systems or third party
payment engines and terminal management systems.
It's a challenge for most issuers to finally migrate to a full multi-application smart card scheme. ACI
Smart Chip Manager can easily be extended to full multi-app including additional post-issuing functionality.
ACONITE
www.aconite.net
Aconite is a business IT consultancy and software solutions provider with specialist expertise in smart
card systems, EMV, Security and e-Trust.
Aconite invests in solutions which address EMV migration, smart card systems management, business
IT and trusted computing.
Established in 2000, Aconite has expanded at pace, gathering a dynamic team with unique experience
in their respective fields. Aconite recruits experienced professionals with a combination of technical
skills and business acumen to apply technology effectively.
Working alongside leading financial institutions and retailers, Aconite's client list includes Royal Bank of
Scotland, Standard Chartered Bank, Coutts & Co, Visa, LINK and Marks & Spencer.
Flexible, pragmatic and committed, Aconite provides clients with applied consultancy, inventive
technology and business understanding. Delivering focused assistance in strategic, technical and
operational areas, Aconite is a dependable partner for clients seeking to exploit innovative approaches
to complex business issues.
APSCA
www.apsca.org
The Asia Pacific Smart Card Association (APSCA) is a non-profit, independent association for
organisations in the smart card industry in the Asia Pacific region. APSCA is the only professional
association for smart cards covering the Asia Pacific and has over 60 members in Hong Kong, China,
Taiwan, Japan, Korea, Singapore, Malaysia and Thailand. The Association delivers information,
consultancy, guidance and networking to corporations and government organisations, including smart
card scheme operators and suppliers, providing an unparalleled opportunity to solve problems, facilitate
smart card initiatives and generate increased business development. Apart from organising more than
50 events, seminars, trainings and conferences covering all aspects of smart cards, APSCA has
assisted government smart card projects, national card payment policies and initiated real business for
APSCA members.
ATMEL
www.atmel.com
Atmel Corporation is a world-wide leader in design, manufacturing and marketing of advanced
semiconductors, including logic, non-volatile memory and mixed signal and RF integrated circuits.
Atmel is also a pre-eminent provider of system level integrated solutions, enabling customers to lead
the markets they serve with electronic products that are smaller, smarter, less expensive and more
versatile than ever.
Atmel is a multi-national company employing over 7,550 people with world-wide revenues, balanced
between North America, Europe and Asia with significant development and manufacturing in each
region. Its headquarters are located in San Jose, California, USA.
It should be noted that Atmel is a semiconductor company only, providing Smart Card ICs in wafer form
or packaged in modules for the Smart Card and Security related markets. It is neither a vendor of
cards nor software integrated solutions. It partners with the world's leading card vendors and system
integrators to support many of the leading Smart Card solutions in high volume production today
requiring secure microcontroller ICs for Payment, Mobile Communications, Health, ID, Pay TV and
e-Security markets.
BELL ID
www.bellid.com
Bell ID, a subsidiary of London-based Bell Group plc, has developed ANDiS, its open software platform
providing a complete spectrum of turnkey products and services for single and multi-application smart
card management schemes. In major Smart Card, Biometrics, and Public Key Infrastructure (PKI)
projects, Bell ID operates both as a main contractor and/or as a technology and software platform
provider. Bell ID operates from several main segments e.g. Finance, Government, Blue Chip, Education
and Telecom.
Bell ID is a client-focused company maintaining tight relationships with key accounts. Clients are
provided with superior quality, service, training and support around the globe. Furthermore, Bell ID
pursues and maintains strategic partnerships with clients and suppliers. All projects are carried out by
highly motivated, autonomous, teams with strong perseverance.
In order to guarantee interoperability and independency of the ANDiS software suite, Bell ID actively
contributes to the development of industrial standards and strives to comply with all common
standards relating to smart cards, tokens, PKI, biometrics, electronic purse, and debit/credit.
Bell ID's headquarters is located in Rotterdam, The Netherlands, providing support to client sites within
the Benelux. Sister company Bell Security with offices in London, Belfast, Dublin, Edinburgh, Glasgow,
Stockholm, Zurich, Eindhoven, Hong Kong, Melbourne and Paris provide local services, whereas sales
and delivery of turnkey solutions is coordinated from the office in Rotterdam.
Full global and around-the-clock support for the ANDiS product suite is provided from Rotterdam and is
enhanced through sales partnerships with a number of major companies. Sales Partners are trained in
all aspects of the ANDiS software and utilise their worldwide presence to provide installation, service
and maintenance of the ANDiS platform.
CardBASE Technologies
www.cardbase.com
CardBASE Technologies is an independent software company offering smart card management and
smart card payment solutions. CardBASE offers MASCOT, a multi-application smart card management
solution and ChipPURSE, a complete CEPS Purse suite of software comprising Issuer and Acquirer
modules in order to help banks leverage the most benefit from the migration to smart cards and
ensure compliance with the EMV mandates laid down by the large payment organisations.
MASCOT, from CardBASE, is a multi-application smart card management solution. MASCOT enables
issuers to manage magnetic stripe cards, smart cards and multi-application cards on the same system
enabling issuers to adopt a phased yet comprehensive approach to EMV migration.
While MASCOT offers support for EMV and CEPS Purse it also supports non-payment applications
including Certificate Authorities to issue Digital Certificates and Loyalty solutions with the aim of
supporting the current and future needs of card issuers.
MASCOT is a Global Platform compliant solution and the product features include: Cardholder
Management, Card & Application Lifecycle Management along with Post Issuance support for
application downloads and application updates.
CARD TECH LIMITED
www.ctl.com
Since its inception in 1989, CTL has become a market-leading provider of software solutions to the
payments industry. We pride ourselves in delivering the highest quality products and services on time
and to an agreed budget; we back up every installation with the very best support service, 24 hours a
day, seven days a week. Today, more than 150 clients, including some of the world's largest banks,
use our systems in over 60 countries worldwide.
CTL builds software on an open platform, providing you with complete, yet modular solutions for any
card programmes you choose. One of the great advantages of our software designs is their flexibility:
they integrate with existing systems and can be quickly and cost-effectively adapted to take advantage
of the ever-increasing opportunities available to you in our fast-moving industry.
Payment card technologies are the foundation of our expertise. CTL systems support a wide variety of
magnetic stripe, chip and proxy card programmes with highly sophisticated functionality. They have also
been adapted to create the Web tools you need for a safe, profitable entrance into the e-business
arena. We invest heavily in research and development to ensure that our future-proof systems remain
at the cutting edge of technology and secure your long-term investment in payments systems.
CTL guarantees compliance with the mandatory regulations of the payment associations American
Express, Diners Club, JCB, MasterCard and Visa.
CRYPTOMATHIC
www.cryptomathic.com
Cryptomathic is one of the world's leading providers of e-Security, specialising in commercial
cryptography. Cryptomathic offers products and solutions, including systems for home banking, smart
card issuing and key management.
CardInk is a data preparation system for issuing multi-application smart cards. It uses Common
Personalization and integrates into the GlobalPlatform framework and supports VISA and
MasterCard applications.
DATACARD
www.datacard.com
Datacard provides customers in more than 200 countries with the systems, software, and consultative
expertise they need to launch and maintain profitable card programs. The company helped transform
the world for consumers and card issuers more than 30 years ago by enabling secure, high-volume
issuance of magnetic stripe-based financial cards. Today, more than 90% of the world's financial
cards, and the majority of plastic cards used for other applications, are personalised with Datacard
brand systems and software. Many of the world's leading financial institutions and consumer marketers
plan to issue single & multi-application smart cards, and Datacard's smart card infrastructure will be
used to personalise, distribute and manage a vast majority of these cards. Through industry
associations such as Global Platform and the Smart Card Alliance, Datacard is also helping to define
and then implement open standards and interfaces needed to issue cards and manage the data
needed within a comprehensive smart card issuance program. Datacard is a privately held company
owned by the Quandt Family of Bad Homburg, Germany. Datacard is headquartered in Minnetonka,
MN, with a sales and service network of direct sales organisations, dealers, distributors and value
added resellers in over 120 countries. Additionally, worldwide operations include software development
centres in the U.S., U.K., India and Japan. The company employs more than 1,600 people worldwide
and generates annual revenues of more than $300 million.
GEMPLUS
www.gemplus.com
Gemplus helps its clients offer an exceptional range of portable, personalised solutions that bring
security and convenience to people's lives. These include mobile Internet access, inter-operable banking
facilities, e-commerce and a wealth of other applications.
Gemplus is the only completely dedicated, truly global player in the Smart Card industry, with the
largest R&D team, unrivalled experience, and an outstanding track record of technological innovation.
Gemplus' offer in EMV: EMV Prime, a suite of solutions guiding banks on the optimal path
to migration.
Whatever your EMV migration requirements, you will find that Gemplus has a solution that fits and
a team of experts to help manage your project. EMV Prime was built on three years of experience
in EMV migration and with assistance and feedback from clients all around the world. EMV Prime
covers migration planning, development, piloting and all stages of deployment. The EMV Prime modules
can be tailored to suit the needs of any client, whilst dedicated project management teams work with
you to ensure that EMV Prime lives up to its reputation.
Gemplus trades its shares on Euronext Paris S.A. First Market and on the NASDAQ Stock Market(tm)
as GEMP in the form of ADSs.
GIESECKE & DEVRIENT (G&D)
www.gdai.com
More than 30 years' experience in smart security for payment cards have made G&D a leading
supplier of electronic payment cards. In only 6 years, 100 million banking cards have been issued using
smart card software developed by G&D.
G&D is an accredited technology partner of all major international payment organisations, such
as Europay International, MasterCard International, Visa International, Proton World and Discover.
With our technological edge in the development of chip card operating systems and applications,
G&D has successfully migrated from a manufacturer of high quality magnetic stripe cards
to a leading technology supplier of microprocessor and crypto processor cards.
G&D is represented on all important international standardisation committees, i.e. MAOSCO
Consortium, Eurosmart, ETSI SMG 9, JavaCard Forum, People's Bank of China Technical Subgroup,
ISO/IEC, Smart Card Forum, Global Chip Card Alliance, Global Platform Group.
Giesecke & Devrient (G&D) is an international technology group with 150 years of tradition. Founded
in 1852, G&D first specialised in banknote printing and security paper manufacture, later adding
currency automation systems to its product portfolio. Today, G&D is also a technology leader in the
fields of smart cards and system solutions for telecommunications, electronic payments,
transportation, health, ID, loyalty, pay-TV, multimedia and Internet security (Public Key Infrastructure).
The Giesecke & Devrient Group, headquartered in Munich, operates subsidiaries and joint ventures
all over the world. G&D employs around 7,000 people worldwide and generated a revenue
of 1.12 billion in fiscal 2001.
GLOBAL PLATFORM
www.globalplatform.org
GlobalPlatform is the only cross-industry forum focused on the development, management and
promotion of specifications for multiple application smart cards, smart card applications, and enabling
devices. With support from its global Member organisations, GlobalPlatform promotes a standard
framework facilitating the implementation of smart card programs in any industry around the world.
GlobalPlatform allows flexibility in the choice of technologies and vendors through an emphasis on open
standards for cards, terminals and support infrastructure. GlobalPlatform's card, terminal and systems
specifications are the first open standards adopted by GlobalPlatform and will provide a solid foundation
from which the organisation will define the future of multiple application smart cards.
GlobalPlatform totals fifty-six Members from across Europe, USA, Canada, Australia, Japan and Korea,
including issuers, manufacturers, and vendors of multiple application smart cards, such as American
Express, Hitachi, MasterCard International, JCB, NTT Corporation, Proton World, Schlumberger,
Sun Microsystems, Thales, The Bank of Nova Scotia and Visa International, as well as several
government bodies.
HITACHI
About Hitachi
www.global.hitachi.com
Hitachi, Ltd., headquartered in Tokyo, Japan, is a leading global electronics company, with
approximately 320,000 employees worldwide. Fiscal 2001 (ended March 31, 2002) consolidated
sales totalled 7,994 billion yen ($60.1 billion). The company offers a wide range of systems, products
and services in market sectors, including information systems, electronic devices, power and industrial
systems, consumer products, materials and financial services. For more information on Hitachi, please
visit the company's Web site.
JCB
www.jcbinternational.com
JCB is one of the international payment brands, such as Visa and MasterCard, and is also the
largest card Issuer and acquirer by itself in Japan. JCB launched its card business in 1961 and began
expanding overseas in 1981. Its merchant network includes 9.78 million merchants and spans
189 countries and territories, and serves 42 million card members worldwide. As part of its
international growth strategy, JCB has formed alliances with more than 320 leading banks and
financial institutions globally to increase merchant coverage. JCB started the full-scale issuance
of smart cards in Japan in Dec. 2001, with the J/Smart EMV application loaded, and has also been
very active in the smart card migration in the markets outside of Japan. For further information,
please visit the JCB International website.
LogicaCMG
www.logicacmg.com
LogicaCMG is a global solutions company providing management and IT consultancy, systems
integration and outsourcing services. With additional expertise in wireless technology, the company
supports clients across diverse markets including telecoms, financial services, energy and utilities,
industry, distribution and transport and the public sector. Formed in December 2002 through the
merger of Logica and CMG the company has offices in 34 countries and over 60 years of combined
experience in the IT services arena. LogicaCMG is the number two European quoted IT services
company and is listed on both the London and Amsterdam stock exchanges.
LogicaCMG has been at the forefront of providing EMV compliant open systems for a number of years.
With our knowledge of the third party product suppliers, we are able to offer consultancy, and provide
either full end-to-end card processing capability, or individual component solutions for the physical and
virtual payments world. Our solutions range from fault-tolerant systems, through high availability UNIX
configurations, to the latest Windows NT/2000 systems. Specific focus is placed on modern open
transaction systems, smart card solutions, EMV compliance and international operator-independent
mobile & card fraud alerting solutions and services.
LogicaCMG's vision for the next generation of card systems covers:
• Core application components for Card Issuing, Card Transaction Acquiring, Merchant Management,
  Transaction Switching, Smart Card Management, Settlement, Clearing;
• Customer services and business process workflow, addressing issues and opportunities around the
  richer functional and technological features of these systems;
• Platform technologies, focusing on emerging interoperable and open corporate standards.
LogicaCMG already has a track record in implementing proven open systems that have similar reliability
levels to the legacy high availability systems, but with significantly improved cost of ownership and time
to market. An even more complex and critical issue is an appropriate migration strategy for replacing a
legacy system with a new, open variant. The migration strategy is the central part of the vision to
ensure that risk is contained, whilst ensuring that return of investment criteria are being achieved.
MOSAIC
www.mosaicsoftware.com
Mosaic Software develops leading-edge software solutions in the consumer transaction space.
The Mosaic Software offices in the USA, UK, Australia and South Africa support clients that include
financial institutions, retailers, telecommunications operators, transaction processors, Internet service
providers, card issuers and data processing service providers.
Mosaic Software's product, Postilion, is a scalable, modular system designed to deliver consumer-generated transactions at every level of an EFT network. Postilion is currently installed in more than
30 countries, where it is used for ATM driving and monitoring, EFT switching and routing, EFTPoS
credit/debit card transaction processing, Internet/call centre payment authorisations and mobile
commerce applications. Postilion reduces transaction processing costs, improves analytical capabilities
of customer transactions and increases overall transactional revenues. Postilion is fully EMV compliant
and can support EMV migration with two specific solutions:
• Postilion EMV Gateway is a low-cost, fast track solution for EMV smart card compliance. Both
  Acquirers and issuers can achieve EMV compliance for online transaction processing by front-ending
  their incumbent systems with the Postilion EMV Gateway. Magnetic stripe transactions are processed
  by the existing system infrastructure while EMV transactions are routed directly from the Postilion
  EMV Gateway, avoiding the need to upgrade the incumbent system to support EMV data fields.
• Postilion for Chip and PIN offers multi-lane retailers a means to rapidly support EMV chip cards and
  secure PIN processing at the point of sale. Further benefits are the ability to offer sophisticated
  EFT services at the till such as staff discount and loyalty programmes; authorisation of transactions
  at the till even when store systems are down; a faster settlement cycle and reports to meet all
  store requirements.
Mosaic Software's major partners include Thales, Stratus Technologies, Retail Decisions, MasterCard,
SmartTrust, Diebold, and NCR. Well-known companies such as 7-Eleven, Marks & Spencer, E*Trade, Bank
Leumi, TNS, ABSA, Retail Decisions, American Express and Cell-C are clients. The company is backed by
GE Equity and Comparex and is a selected technology provider to multiple GE Capital businesses.
MULTOS
www.multos.com
MULTOS is an open standard multi-application smart card operating system that has been developed by
the MAOSCO consortium. MAOSCO requires all MULTOS devices to have been independently accredited
to the highest achievable levels of security assurance such as ITSEC E6 High. Hence MULTOS is
targeted at markets requiring high security such as finance, secure ID and other related applications.
The security of applications on a MULTOS card is provided by on-card firewalls that prevent memory
area intrusions, and a load/delete mechanism based on asymmetric cryptography which means card
issuers and application providers do not need to share secrets.
NCR
www.ncr.com
As the world's leading ATM manufacturer, NCR has deployed self-service EMV solutions across Europe,
Asia Pacific and the Americas.
NCR Corporation (NYSE: NCR) is a leading global technology company helping businesses build
stronger relationships with their customers. NCR's ATMs, retail systems, Teradata data warehouses
and IT services provide Relationship Technology™ solutions that maximise the value of customer
interactions. Based in Dayton, Ohio, NCR employs 30,400 people worldwide.
NOMAD SOFTWARE
www.nomadsoft.com
NOMAD Software supplies card payment solutions based around its NOMAD CORTEX product set.
NOMAD's customers are innovative new generation banks who want to build strong and profitable
relationships with all their customers, be they private clients, merchants or businesses.
Flexibility, performance, reliability, availability and scalability are all at the heart of a NOMAD solution.
NOMAD CORTEX benefits from a well-architected 3-tier structure, which embraces the Internet and
smart card. Established requirements in areas such as Card Management, Authorisation, Switching and
Terminal Management are all available off-the-shelf, while the very latest business requirements can be
satisfied using ready-made components.
NORTON CONSULTANCY LIMITED
www.norton-consultancy.com
Norton Consultancy Limited is a provider of business and technical consultancy and training on the
implementation of EMV chip cards.
Norton Consultancy Limited has worked with many of the major high street UK Banks and third party
processors providing hands-on assistance with the implementation of chip cards. Norton Consultancy
Limited has experience with the full end-to-end EMV chip card implementation:
• Establishing a suitable Project Team Structure
• Defining Chip Business Requirements
• Defining Chip System Design
• Defining and Implementing Chip Keys
• Upgrading Card Bureau to Support Chip
• Interpretation of chip specifications (EMV, VIS, M/Chip Lite & M/Chip Select)
• Defining chip MI requirements
• Chip Testing
• Delivery of Customised Training
Norton Consultancy Limited has gained a reputation for being able to translate the complex technical
world of chip into a more understandable business language, assisting organisations to climb the steep
learning curve of chip thus reducing project time scales and costs.
OBERTHUR CARD SYSTEMS
www.oberthurcs.com
Oberthur Card Systems, listed on the Euronext Stock Exchange (Code Euroclear 12413) since
July 2000, is one of the world's leading providers of card-based solutions, software and
applications including SIM and multi-application smart cards and services ranging from consulting
to personalisation.
Innovative products and high quality services ensure Oberthur's strong positioning in its three main
target markets.
• Payment: 52% of revenues in 2001. The company is the world leader and number one supplier
  for Visa and MasterCard.
• Mobile Communications: 31% of revenues in 2001, with open and interoperable solutions based
  on Java technology.
• Authentication and Network Security: emerging markets in which the company plays a pioneering
  role, with strong expertise in security and a dominant position in e-commerce and Pay-TV.
Close to its customers, Oberthur Card Systems benefits from an industrial and commercial presence
across all five continents.
Oberthur Card Systems is a subsidiary of François-Charles Oberthur Group.
SCHLUMBERGER Smart Cards and Terminals
www.slb.com
Schlumberger Smart Cards and Terminals is the world's leading provider of microprocessor cards, the
key to digital networks, and a major supplier of card-related terminals and transaction software. Its
5,000 employees serve customers in more than 100 countries, with worldwide sales exceeding 2.6
billion smart cards to date. The company possesses more than 20 years' experience in smart card
innovation and leads its industry in security technology and open systems.
Schlumberger has an unparalleled track record implementing successful banking projects, whether it's
leveraging smart card technology for nationwide EMV migration schemes, or designing payment systems.
Our technical expertise embraces security, payments standards such as EMV, chip card design, card
management and issuing systems, bank transaction processing and design of payment terminals.
THALES e-SECURITY
www.thales-esecurity.com
Operating in three main markets covering e-security, card payment and network security, Thales e-Security
addresses the business and finance industry's need for cryptographic security products and
solutions used to protect a range of critical information infrastructures. Over half of the world's banks,
together with the majority of the busiest exchanges, currently use Thales technology. For more than 20
years the company has been at the forefront of security and payment technology, co-operating and
contributing to set the industry standards used for financial transactions and e-commerce globally.
Thales P3
Thales P3 lets issuers deploy EMV smart cards with minimal impact on their existing systems and with
minimum cost.
It integrates with host systems and card personalisation devices to:
• Enable creation of EMV parameters for each card holder
• Generate, store and manage cryptographic keys for each application
• Output files of parameters and keys for personalisation machines
• Generate an audit log of activities
Three levels of Thales P3 system enable issuers to deploy a Thales solution scaled to meet their
individual needs.
Thales HSM
The Host Security Module (HSM) is a physically secure, tamper-resistant security server that provides
cryptographic functions to secure transactions in retail financial applications including PIN encryption
and verification, debit card validation, stored value card issuing and processing, chip card issuing and
processing, message authentication and symmetric key management.
With the optional DSP-RSA Module, the HSM can also support public key cryptographic operations
including digital signatures, certificates, and asymmetric key management.
THALES e-TRANSACTIONS
www.thales-e-transactions.com
Thales e-Transactions is a wholly owned subsidiary of the global electronics group Thales and provides
user-friendly secured solutions for card transactions. The company is a European leader in the fields of
portable, mobile and fixed electronic payment terminals, integrated Electronic Fund Transfer (EFT),
e-purse payment and secured keyboards. Thales e-Transactions' expertise in smart card applications for
banking and commercial markets is highly acknowledged on a worldwide basis.
The solution that Thales e-Transactions proposes is a range of terminals that are appropriate for
a variety of card acceptance locations.
• Artema Desk for standard retail where the customer attends the Point of Sale desk
• Artema DECT for locations where the terminal needs to be taken to the customer away from the
  Point of Sale desk
• Artema Mobile where the terminal can accept transactions on the move.
These products have a common core hardware platform and common software architecture, which offers
the following advantages:
• Price benefits
• Lower certification costs from common EMV Level 1 IFM to common Level 2 Kernel
• Faster to market with regional applications through the use of a simple to use software
  development toolkit
The Artema Desk product can also be provided with a TSC+ PIN pad, the first in the world to achieve
Visa PED approval to the higher security required for chip transactions.
Thales also produce other terminals that are specific to local regions. Because of the nature of the
proposal these terminals have not been included in this offer but Thales would be happy to provide
further details on request.
With considerable expertise in developing EMV certified products in the main European markets, and with a
significant international presence both in and outside of the EU region, Thales e-Transactions believes it is
well qualified to be a valued partner of Visa International in the Global Cost Effective Acceptance Project.
VISA
www.corporate.visa.com
Visa is the world's leading payment brand generating US$2.4 trillion in annual card sales volume. Visa
has unsurpassed acceptance in more than 150 countries. The Visa organization plays a pivotal role in
developing innovative payment products and technologies to benefit its 21,000 member financial
institutions and their cardholders. Visa is a leader in Internet based payments and is pioneering the
creation of u-commerce, or universal commerce, the ability to conduct commerce anywhere, anytime,
and any way. For more information, visit www.corporate.visa.com.
Company                                       Website
ACI                                           www.aciworldwide.com
Aconite Solutions                             www.aconite.net
American Express                              www.americanexpress.com
Asia Pacific Smart Card Association (APSCA)   www.apsca.org
Atlantic Zeiser                               www.atlanticzeiser.com
Atmel                                         www.atmel.com
Austria Card                                  www.austriacard.at
Bell ID                                       www.bellid.com
Cardag                                        www.cardag.com
CardBASE Technologies                         www.cardbase.com
Cards etc.                                    www.cardsetc.com
Card Tech                                     www.ctl.com
Catuity                                       www.catuity.com
CEPSco                                        www.cepsco.com
CIM                                           www.cimitaly.it
CR2                                           www.bankworld.ie
Cryptomathic                                  www.cryptomathic.dk
Datacard                                      www.datacard.com
Datacard Gilles Leroux                        www.gilles-leroux.com
Diners Club International                     www.dinersclub.com
Discover Card                                 www.discovercard.com
DNP                                           www.dnp.co.jp
E-Funds                                       www.efunds.com
EMVco                                         www.emvco.com
Fabrica Nacional                              www.fnmt.es
Fargo                                         www.fargo.com
G&D                                           www.gdai.com
Gemplus                                       www.gemplus.com
GlobalPlatform                                www.globalplatform.org
Hitachi                                       www.hitachi.com
ID Data Systems                               www.id-data.co.uk
IFS                                           www.ifsintl.com
Incard                                        www.incard.it
Infineon                                      www.infineon.com
Ingenico                                      www.ingenico.com
Iris Tech                                     www.iris-technology.co.uk
JCB International                             www.jcbinternational.com
Keycorp                                       www.keycorp.net
LogicaCMG                                     www.logicacmg.com
Logika                                        www.logika.it
MasterCard                                    www.mastercard.com
Matica                                        www.maticasystems.it
Mosaic Software                               www.mosaicsoftware.com
Muehlbauer                                    www.muehlbauer.com
Multos                                        www.multos.com
NBS                                           www.nbstech.com
NCR                                           www.ncr.com
Nomad                                         www.nomadsoft.com
Norton Consultancy                            www.norton-consultancy.com
Novacard                                      www.novacardservices.co.uk
Oasis                                         www.oasis-technology.com
Oberthur                                      www.oberthurcs.com
Proton World                                  www.protonworld.com
S2Systems                                     www.s2systems.com
Schlumberger                                  www.slb.com/smartcards
Setec                                         www.setec.com
Thales e-Security                             www.thales-esecurity.com
Thales e-Transactions                         www.thales-e-transactions.com
Toppan                                        www.toppan.co.jp
UBIQ                                          www.ubiqinc.com
Verifone                                      www.verifone.com
Visa                                          www.visa.com
Welcome realtime                              www.welcome-rt.com
Financial applications
What payment schemes do I want to support with my cards?
Are there any other legal issues specific to my country that I need
to consider such as data protection laws?
Non-financial applications
My card will have an anchor financial application. But do I want
it to carry other applications such as a retail loyalty scheme?
Do I want the card to support Internet banking?
Card personalisation
Where do I want to personalise my cards?
1) In house bureau?
3) Outsource
ATM/EFTPoS networks
Have I upgraded my ATM/EFTPoS network to physically accept
EMV cards?
Have I upgraded my ATM/EFTPoS terminal software to accept
EMV cards?
Have I selected terminal and hardware that has already been
appropriately type approved?
Have retailers in my markets agreed to update retailer owned
EFTPoS terminals?
Have the retail outlets in my region been educated about EMV?
Host systems
What do you do with all your old terminals?
AMERICAS
THALES e-SECURITY, INC.
2200 N. Commerce Parkway
Suite 200
Weston, Florida 33326, USA
Tel: +1 888 744 4976
or: +1 954 888 6200
Fax: +1 954 888 6211
e-mail: americas.sales@thalesesecurity.com
ASIA PACIFIC
THALES e-SECURITY (ASIA) LTD.
Asia Pacific
Units 2205-06, 22/F Vicwood Plaza,
199 Des Voeux Road
Central, Hong Kong, PRC
Tel: +852 2815 8633
Fax: +852 2815 8141
e-mail: asia.sales@thalesesecurity.com
DISCLAIMER
Thales reserves the right at any time, without notice and at its sole discretion to revise, update, enhance, modify, change or discontinue the information provided herein.
THALES MAKES NO REPRESENTATION OR WARRANTY AS TO THE ADEQUACY OR COMPLETENESS OF THE INFORMATION PROVIDED HEREUNDER.
The Thales policy is one of continuous development and consequently the equipment may vary in detail from the description and specification in this publication.
All trademarks are acknowledged. U.S. Patent No. 4,405,829 licensed exclusively by RSA Data Security, Inc.
Publication Number: 0104/10596 2004.