Our colleagues at ANY Security Printing Company are all really proficient at their jobs. They are simply good at it, they have gained a great deal of experience over the years spent at ANY, and they have great knowledge. Gábor Simon, project manager, is one of our colleagues; he knows everything about banking cards and will share a part of this huge knowledge with our readers in a clear and readable manner. Please welcome his series, which is just starting, and if you like it, share it and let others read it, too.
… about my work
I was also surprised when I realized that I have been ‘playing cards’ for more than 20 years. You might say it is a serious dependence even if I don’t do it in a casino as a gambler waiting for a royal flush. My cards are described in standards, and if you want to be precise about them, look for information around the standards ISO/IEC 7810, 7811, 7816 or 14443.
I have been a project manager for some time, and I have nearly been all in in the card-related area, almost even a hanged man, when we managed to start a considerable project on schedule only by a photo finish. In addition to project management, I also consider it an important part of my work to support our partners who find themselves in this area that is unknown to them. It must be admitted that it is not easy to obtain the knowledge related to my plastics. I often meet people who would be glad if someone explained to them simply what is worth knowing about these cards and what is behind each mystical, mysterious or deliberately over-mystified detail.
Recently I have had the idea to write, in the series ‘Simply…’, about some topics that can be interesting for people dealing with this area, or that may also be read by people who are just interested in their banking card in general. I have a hunch that there are more of the latter.
I have to add that I believe in using official communication forms because, in my opinion, they enrich our language, but this time I do not think that these texts should be the forum to serve this purpose. I hope you can excuse me for it.
I do not promise to publish with clockwork accuracy, since it is not my key activity now, but I will try to achieve some sort of regularity. In addition, I will try to comply with the title and to write about some interesting things in relation to the cards in a simple manner. If you find my articles interesting, please, simply share them.
Let us start. This time, in an unusual way, I will start with not just one but two articles; please find some thoughts about banking cards below.
… about banking cards
I don’t want to be too ‘scientific’. A banking card, in my writing, is a small plastic card we use for payment almost every day, and that’s all. Its use is very simple, but the background technology is rather sophisticated. This is the reason why it is secure but also mysterious, as we can spend even a serious credit limit using a small plastic card with a size of 8.5 x 5.5 centimeters. It is really shocking.
Fortunately, nowadays there is a complex protection system to provide the security of the transactions, which is very hard to deceive. You are more likely to live in the neighborhood of a person who won the lottery than of a person whose banking card was ‘hacked’. Card fraud still exists, however, but it is almost entirely based on human factors and not on data being stolen out of the chip.
Besides the human side, the weak link in this field is the magnetic strip, which is luckily a disappearing technology. If we want to find an analogy in the case of banking cards, it may be most like the tail bone of the human being, which is a vestige of evolution. There are some facts, however, that are worth clarifying in relation to the magnetic strip.
- Firstly, the magnetic strip does not include either the PIN or any data of the account linked with the card. But there are (could be) some values on it which help us to check the correctness of the PIN, or to show that whoever created the data on the magnetic strip was really authorized to do so. Unfortunately, checking the latter cannot guarantee that the card was not copied: even if the data are correct, they could still have been written by an unauthorized person on the magnetic strip of another card.
- Secondly, the magnetic strip is a data storage holding constant values: the data are written on it during the production process of the card, and they do not change under legal circumstances. Though the operating principle is very similar, it is not a VHS cassette where the next film can be recorded by deleting another one. Card acceptance terminals (such as POS – Point of Sale, or ATM – Automated Teller Machine) only read the data but do not write them, so the data are unchanged during the lifecycle of the card, after having been written in the ‘bank card factory’.
- On the magnetic strip there is a value, i.e. the service code, which recommends that the card acceptance device force the use of the chip in the case of chip cards. Fortunately, throughout the world there are fewer and fewer terminals which ignore this request, so the users of the cards are driven in a much more controllable direction, towards the chip.
If we want to provide active protection against copying our card, we need a much smarter device than the magnetic strip, which is little safer than a note written in pencil on paper. Fortunately, technological development allowed moving in a more secure direction when very small chips appeared on the market, even at an affordable price, that could be integrated in plastic cards too. The first-generation chips were still not perfect, because they could also be copied, although, it is true, by much more difficult methods than the magnetic strip. But the development of semiconductors soon resulted in devices that really became uncopiable. Herewith I have to reassure you all that in Hungary banking cards have been produced only with these uncopiable chips for many years.
This chapter was rather about history, as the magnetic strip itself is also history and it will fully disappear sooner or later. I would not waste more words on it, because the following topics will only be newer and, in my opinion, more interesting than those mentioned above. Find below a few more details about the chips of bank cards.
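As an added illustration (not code from the author or from any card scheme), the sketch below parses a Track 2 record in the ISO/IEC 7813 layout and applies the service-code rule described above: a first digit of 2 or 6 marks a chip card, so a chip-capable terminal refuses the swipe. The sample records, function names and decision labels are constructed for this example.

```python
import re

# Track 2 layout per ISO/IEC 7813: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")

# First service-code digit -> (interchange scope, chip present on card)
FIRST_DIGIT = {
    "1": ("international", False),
    "2": ("international", True),
    "5": ("national", False),
    "6": ("national", True),
    "7": ("private", False),
    "9": ("test", False),
}

# Constructed sample records: well-known test PAN, made-up expiry and filler.
SAMPLE_CHIP = ";4111111111111111=3012" + "201" + "0000000000?"
SAMPLE_NO_CHIP = ";4111111111111111=3012" + "101" + "0000000000?"


def parse_track2(raw):
    """Split a Track 2 record into its fields and decode the service code."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    pan, expiry, service_code, _discretionary = m.groups()
    if service_code[0] not in FIRST_DIGIT:
        raise ValueError("unassigned first service-code digit")
    scope, chip = FIRST_DIGIT[service_code[0]]
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymm": expiry,
        "service_code": service_code,
        "scope": scope,
        "chip_indicated": chip,
    }


def swipe_decision(raw, terminal_has_chip_reader=True):
    """Terminal-side rule (simplified): a swiped chip card must be read via the chip."""
    info = parse_track2(raw)
    if info["chip_indicated"] and terminal_has_chip_reader:
        return "REFUSE_SWIPE_USE_CHIP"
    return "CONTINUE_MAGSTRIPE"


if __name__ == "__main__":
    for record in (SAMPLE_CHIP, SAMPLE_NO_CHIP):
        print(parse_track2(record)["service_code"], swipe_decision(record))
```

A terminal that skips this check is one of the terminals that "ignore" the service code: it would accept the strip data of a chip card without the chip ever taking part in the transaction.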
… about banking card chips
Nowadays almost everything contains a chip, maybe even the wooden butterfly with flapping wings, if we order it from China. Why wouldn’t it just as well be present in banking cards, and why is it such a great thing? Moreover, if we examine the pins of the chip, we may also find that these chips usually have 8, or rarely 6 pins. I must tell you that two of the eight are only decoration (using a nice ‘IT’ expression, RFU, i.e. ‘reserved for future use’). Compared to this, for example, a standard Core i7 processor has more than a thousand pins.
Therefore, we might think that this chip is pretty dumb. Luckily that is not true: we should not think of the bank card chip as a mere component constructed from semiconductors, because the chip itself is a complex minicomputer. That many legs are just enough for it to keep contact with the outside world, indeed! When we use the card in contactless operation mode, it only communicates with the terminal through the antenna of the acceptance device and receives its power supply from there too. That is why we don’t have to charge our banking card at night, like our phones, and batteries don’t need to be replaced in it either.
Let’s compare the bank card chip with a real computer, and we shall find some surprises:
- Our bank card chip is also able to run programs like our laptop. Certainly not so many and not the ones that a PC is able to run, but the principle is very similar. The program we use for shopping or money withdrawal is called the payment application. It has a different name at different card corporations, but that is irrelevant to the result. Nevertheless, many people use that name when they say at the cash desk: ‘I want to pay with PAYsomething’.
- In addition to the payment application, bank card chips could also run other programs; for example, they could be used for secure identification in banking administration, or for collecting points, but only a few banks make use of this possibility. This is simply because other technologies and devices are widespread for these purposes.
- Running the programs requires an operating system such as Windows. Well, bank card chips also have their own operating system and it is ‘placed on them’ during chip production.
- Operating systems protect themselves, the programs and the users through their own security system. Our chips can also do this, and they vigilantly resist any unauthorized intrusion. They will never allow, for instance, anyone to rewrite important values by which they could unduly affect the execution of the transactions. If bank card chips detect that someone is trying to misuse them, they will simply interrupt the connection, or they will block themselves in some cases.
- Inside the chips there are memories which store temporary data created during the transaction, as the RAM of a PC does, and there are also some which carry out permanent data storage, similarly to the hard disk. In contrast with the magnetic strip, here we do not use constant data only, and this allows increased security.
- Our chips don’t have peripherals, such as monitor, mouse, or keyboard, but why would they have any? Let’s consider these small minicomputers as if they were, for example, a remote Web server! For these servers, our PC performs the displaying and the data entry, and the server just carries out the operations initiated by us, and compiles and transmits the webpage we want to visit. In this case, interaction with the user is left to the terminal.
- Additionally, in this field, bank card chips are even ahead of most PCs. They have secure storage cells, where they can store cryptographic keys in a way that these can never be obtained by anyone. The card corporations do not allow using a chip that is not capable of this, since each type of chip has its own unique authorization from the card corporations. Using these securely stored keys, the chips are able to duly identify themselves, to encrypt data and to protect transactions. Our phones use a similar technology, but surprisingly, in this area the chip of a special card, the SIM, performs most of these functions too.
We can see from this brief overview that these chips are really smart small things, but their operation is focused on a very special task: controlling bank card transactions. In order to ensure that all bank cards and terminals in the world can operate together in the same way, standardization was required in this area too. The basic rules can be found under the name EMV, which is the acronym created from the names of the large card schemes of that time, who realized that it would be advisable to come up with a common solution to the use of chips, and founded an organization for this purpose. Then, based on the specifications issued by EMVCo, the two large card schemes that are the most well-known in Hungary today prepared their payment applications, and one of them operates in our bank card chip too.
Well, for now that’s enough about the chips, and next time I will show you what chip transactions are.