2.5 Focusing on the magnetic stripe card

There are several coexisting possibilities for storing financial data on the plastic card:

  • Data is embossed on the front side of the card and some data items are printed on the back side of the card.

  • Data is laser engraved or is printed with indent printing machines, or is even thermal printed and displayed on the front side of the card.

  • Data is encoded according to the bar code system and is displayed on the front side of the card.

  • Data is encoded and recorded on a single magnetic stripe, which is applied on the back side of the card.

  • Data is written in the permanent memory of an integrated circuit embedded in the card.

A payment card is basically a carrier of financial data. The ICC, however, provides active processing power in addition to passive storage facilities. In this chapter the encoding of financial data is explained in the case where data is embossed on the card or is recorded on a magnetic stripe attached to the card. The techniques of encoding financial data in the permanent memory of an ICC are described in Sections 3.3.1 and 3.4.1. The techniques of encoding the financial data according to the bar code system are not presented in this book.

2.5.1 Embossed financial data

Data is embossed on the front side of the card, according to the standard ISO/IEC 7811 [10], and some data items can be printed on the back side of the card.

Among the financial data items embossed on the card is the identification number of the card, which consists of a series of digits used to identify the card issuer and cardholder according to the standard ISO/IEC 7812 [11]. Note that the identification number of the card is equivalent to the PAN, as introduced in the ISO/IEC 4909 [12]. Therefore, in the remainder of the book we will refer to the PAN whenever the identification number of the card is concerned. The PAN consists of a string of digits, divided into three items: the issuer identification number (IIN), the individual account identification, and a check digit.

  • The first digit of the IIN specifies the major industry identifier (MII). It designates the branch of activities in which the issuer of the card is involved. The MII differentiates between cards issued by airline, travel and entertainment, banking and financial, or petroleum companies. The remaining digits of the IIN, which are referred to as the issuer identifier, designate a specific issuer in that branch of activities.

  • The individual account identification is an individual number assigned by the issuer for the purpose of identifying an individual account related to the cardholder. It encodes the identity of the bank managing the account, in case this bank is not the issuer itself, and the number of the account kept by the cardholder with this bank.

  • The check digit represents redundancy information computed as a check sum on all the other digits of the PAN.

Besides the PAN, the other data items embossed on the card are the expiration date, representing the year and the month after which the card is no longer valid, and the cardholder's name.

On the front side of the card is the logo of the card association's brand, the logo of the issuing organization, if this is different from the card association, and a hologram, which is an efficient visual method for card authentication.

On the back side of the card, beneath the magnetic stripe, there is a tamper-evident band that stores the handwritten signature of the cardholder, which serves for the cardholder's verification. On this tamper-evident band the issuer can print supplementary security data for card authenticity verification. During an on-line validation of the card made by the operator at the point of service, this code is communicated on the telephone line to the issuer's operator, who can assess the authenticity of the card. This process is also referred to as voice referral at the point of service.

The embossed and printed information on the payment cards allows the manual capturing of financial data. Manual capturing is continually decreasing in face-to-face transactions at the point of service. This is determined by three factors:

  1. The financial infrastructure of issuers, acquirers, and card associations is rapidly expanding, offering the possibility of electronic processing at the point of service, even in developing countries in Africa, Latin America, Asia, and Eastern Europe.

  2. The price of electronic terminals and network connections to acquirers has become affordable even for small retailers.

  3. The last (but not least) determinant factor is the liability of parties in case of fraud. The example below illustrates the concept of liability, since the liability policies applied by card associations are too complex to be explained here. In case a fake card was captured manually, the merchant or his acquirer is liable, whenever the issuer can prove that the corresponding genuine card was carrying a magnetic stripe, which could have avoided the fraud.

However, the manual capturing of financial data is still practiced for the mail order (MO) transactions, as well as e-commerce transactions. In these cases the cardholder fills in the card data in appropriate fields in printed orders or in Hypertext Markup Language (HTML)/Common Gateway Interface (CGI) forms, which are then sent to the merchant's mail dispatching center or Web server. Nonautomated capturing of card data is also performed when the cardholder communicates the financial data of the payment card by telephone to an operator of the merchant who takes the cardholders' orders; these are telephone order (TO) transactions. The operator then manually captures the financial data communicated by the cardholder. In fact, the possibility of manually capturing the card's financial data made the payment cards one of the earliest payment instruments that can be easily used in remote payment transactions. The transactions triggered through mail orders or telephone orders are generically referred to as MO/TO transactions.

2.5.2 Financial data on the magnetic stripe

Data can be encoded and recorded on a single magnetic stripe that is applied on the back side of the card. The details are described in the standard ISO/IEC 7811 [10].

The magnetic stripe can store up to three tracks of recorded data: track 1 and track 2 are read-only magnetic tracks, and track 3 is a read/write magnetic track. The formats of tracks 1 and 2 are specified in the standard ISO/IEC 7813 [13], while the format of track 3 is detailed in the standard ISO/IEC 4909 [12].

The tracks contain extensive financial data about the cardholder, the issuer, as well as the financial parameters that serve in the process of terminal risk management.

Track 1 and track 2

Track 1 includes information similar to that embossed on the front side of the card (namely, the PAN, the cardholder's name, and the expiration date), to which some supplementary information is added. This information consists of the service code, the country code (which is included only for certain categories of PAN, the encoding of which is country-dependent), and the discretionary data. A check digit is added at the end of the first track as a verification of the correctness of all information recorded on the track.

The service code gives an indication about the type of business environment in which the card is authorized for use in a financial transaction. It consists of a code of three digits:

  • The first digit specifies the type of interchange permitted: international, national, or restricted to bilateral agreements between issuers. Besides the interchange information, the encoding of the first digit specifies whether a technology other than the magnetic stripe, such as the integrated circuit, is available on the card for conveying the financial data.

  • The second digit of the service code specifies the authorization processing indicator associated by the issuer to the card. This indicator decides whether the positive authorization by the issuer or the agent that is acting on its behalf is mandatory for the successful completion of the transaction. Otherwise, only an off-line check may be required, such as verifying that the transaction amount is lower than an agreed upper floor limit.

  • The third digit indicates the range of services available to the card product and the cardholder verification method required for providing that service. Several examples are: cash only/PIN required, goods and services only, and no restrictions/PIN required.

The discretionary data allows the issuer to enforce some security protections for providing the card authenticity and cardholder verification services. These security protections are implemented with security mechanisms using symmetric cryptographic techniques (see Appendix D, Sections D.5.2 and D.6.1). The rationales related to these security protections will become evident when discussing threats associated with magnetic stripe cards (see Section 2.6). In addition to security protections, discretionary data can include other operational information needed by the issuer for the authorization processing according to its own needs, for example, the starting date from which the payment card can be used. Another example is the card sequence number, which is a number that distinguishes between separate cards linked to the same PAN. The discretionary data can also contain a language selection parameter that can instruct the terminal regarding the preferred language of the cardholder when displaying the messages.

Track 2 includes the same information as track 1, except for the cardholder's name. It is important to notice that the length of the discretionary data conveyed by track 2 is smaller than that carried on track 1, while the content of this data is also proprietary to the issuer.
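The following is an added example, not taken from the book: a Python sketch of the checks a terminal or a log-scrubbing tool can run on a track 2 record, covering the PAN check digit and the three service code digits described above. It assumes the common ISO/IEC 7813 track 2 layout without a country code, uses the Luhn (mod 10) formula that ISO/IEC 7812 specifies for the check digit, and the lookup tables list only some of the defined service code values; the function names and the sample record are constructed for illustration.

```python
import re
from datetime import date

# Track 2 layout: start sentinel ';', PAN, '=', YYMM expiry, 3-digit service
# code, discretionary data, end sentinel '?'. Country code assumed absent.
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
INTERCHANGE = {"1": "international", "2": "international, IC present",
               "5": "national", "6": "national, IC present",
               "7": "private / bilateral agreement"}
AUTHORIZATION = {"0": "normal", "2": "positive authorization by issuer",
                 "4": "by issuer unless bilateral agreement applies"}
SERVICES = {"0": "no restrictions, PIN required", "1": "no restrictions",
            "2": "goods and services only", "3": "ATM only, PIN required",
            "4": "cash only", "5": "goods and services only, PIN required"}

def luhn_ok(pan: str) -> bool:
    """Check digit test for ISO/IEC 7812 numbers (Luhn, mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(raw: str, today: date) -> dict:
    """Split a track 2 record into fields and run the basic validity checks."""
    m = TRACK2.fullmatch(raw)
    if m is None:
        raise ValueError("not a well-formed track 2 record")
    pan, yy, mm, svc, disc = m.groups()
    if not 1 <= int(mm) <= 12:
        raise ValueError("invalid expiration month")
    # Valid through the end of the expiry month; century 20YY is assumed.
    expired = (2000 + int(yy), int(mm)) < (today.year, today.month)
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "mii": pan[0], "check_digit_ok": luhn_ok(pan), "expired": expired,
        "interchange": INTERCHANGE.get(svc[0], "reserved"),
        "authorization": AUTHORIZATION.get(svc[1], "reserved"),
        "services": SERVICES.get(svc[2], "reserved"),
        "discretionary_len": len(disc),   # issuer-proprietary, never echoed
    }

# Constructed sample built on a widely used test PAN, not a real account.
SAMPLE = ";4111111111111111=30122011234567?"
```

The parser returns only a masked PAN and the length of the discretionary data, so its output can be logged without reproducing the stripe contents.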

In the case of credit card products, the name of the cardholder is printed on the receipt of the transaction, which is signed at the point of service by the cardholder. Therefore, credit card products designed for international interchange usually encode financial data on track 1, or sometimes on both track 1 and track 2, since the name of the cardholder is stored on track 1. Debit card products designed for international interchange usually encode the financial data on track 2, since the name of the cardholder is not printed on the receipt delivered at the point of service.

Track 3

Track 3 includes the PAN, the country code for certain categories of PAN (the encoding of which is country-dependent), and the expiration date. The interchange control parameter indicates whether or not the card can participate in international interchange. In case the card cannot be used in international interchange, the interchange control parameter points out whether the card is restricted to national use or can be used within the boundaries of a consortium of card issuers. The type of account (TA) specifies whether the account identifier in the PAN is associated to a current account, a savings account, or a credit account. The service restriction (SR) provides for control of interchange and control of debits, credits, and transfers applied to the account identifier specified by the PAN.

Track 3 can encode, in addition to the PAN (which designates the principal account of the cardholder), two optional subsidiary account numbers: SAN-1 and SAN-2. These accounts can provide the fallback authorization facility in case authorization is refused in connection with the account pointed by the PAN. Thus, when a debit card aims for authorization and the balance of the account associated with the PAN is smaller than the transaction amount, the authorization is not refused. The issuer checks whether the transaction amount can be supported from the balance of the SAN-1 or SAN-2. A separate set of type of account and service restriction parameters characterizes each SAN, in the same way that the parameters of the same name explained above characterize the PAN. The card sequence number encoded on track 3 distinguishes between separate payment cards associated with the same PAN. These cards can be issued concurrently or consecutively. The field is set at original issue or at the renewal of the card following expiration. It is incremented each time an additional or replacement card is issued.

Not only can track 3 be read, but there are also fields that can be updated.

  • The issuer can statically update fields at dedicated terminals. In this case the updating of fields is performed in a transaction separate from a financial transaction.

  • The interchange partners (e.g., acquirers having bilateral agreements with issuers) can dynamically update some of the fields directly at the point of service terminals. In this case the updating is performed inside the current financial transaction.

Track 3 offers the possibility of storing and updating financial parameters that control the cardholder's spending in a period of time. The parameter cycle length designates the duration of this period as established by the card issuer (e.g., 1 week or 10 days). The parameter cycle begin specifies the beginning of each new cycle period. This field is dynamically updated to the current date whenever the value of the field cycle begin plus the value of the field cycle length is less than or equal to the current date. The card issuer also establishes the amount authorized per cycle period, which is an upper floor limit for spending during a cycle. At the beginning of the cycle, the amount remaining this cycle parameter is dynamically set to the value of the amount authorized per cycle period. Each time a transaction is performed, the amount remaining this cycle is dynamically updated to a new value, reflecting the subtraction of the transaction amount. The type of currency, in which the parameters amount authorized per cycle period and amount remaining this cycle are expressed, is specified on track 3. The currency exponent specifies the number of times the content of the fields amount authorized per cycle period or amount remaining this cycle must be multiplied by 10 to express a value in the major currency unit of the currency type. For example, an amount of 1,000 Belgian francs can be expressed as the amount 1,000 and the currency exponent 1, or as the amount 100 and the currency exponent 2.
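The cycle rules above can be followed step by step in the added example below, which is not from the book. The `Track3Cycle` record and `apply_transaction` function are hypothetical names, amounts are kept in the field's own units (the currency exponent is not modeled), and declining a transaction that exceeds the remaining amount is an assumption about terminal behavior.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Track3Cycle:
    """Hypothetical in-memory view of the track 3 spending-control fields."""
    cycle_begin: date          # start of the current cycle
    cycle_length_days: int     # set by the issuer, e.g. 7 or 10
    amount_authorized: int     # ceiling per cycle, in the field's own units
    amount_remaining: int      # what is left in the current cycle


def apply_transaction(card: Track3Cycle, amount: int, today: date) -> bool:
    """Roll the cycle if it is due, then debit; True means accepted.

    The record changes only in the ways the text describes: when a cycle has
    ended, cycle_begin moves to today and the remaining amount is reset, and
    an accepted transaction is subtracted from the remaining amount.
    """
    if amount <= 0:
        raise ValueError("transaction amount must be positive")
    cycle_end = card.cycle_begin + timedelta(days=card.cycle_length_days)
    if cycle_end <= today:
        card.cycle_begin = today
        card.amount_remaining = card.amount_authorized
    # Assumption: an amount above the remaining limit is declined and the
    # field is left untouched, rather than being partially approved.
    if amount > card.amount_remaining:
        return False
    card.amount_remaining -= amount
    return True


def demo() -> list:
    """Constructed scenario: 7-day cycle, 500 units authorized per cycle."""
    card = Track3Cycle(date(2024, 3, 1), 7, 500, 500)
    results = [
        apply_transaction(card, 300, date(2024, 3, 2)),   # accepted, 200 left
        apply_transaction(card, 250, date(2024, 3, 5)),   # exceeds remaining
        apply_transaction(card, 250, date(2024, 3, 8)),   # new cycle begins
    ]
    return results + [card.amount_remaining, card.cycle_begin]
```

Because these counters are stored on a stripe that the terminal rewrites, the result is only as trustworthy as the integrity protection on the updated fields, which is the role of the crypto check digits among track 3's security parameters.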

Track 3 offers a set of parameters that can be used for providing security protections:

  • The personal identification number control parameters (PINPARAM) and the retry count parameter can be used locally at the point of service in connection with the cardholder verification by means of a PIN. The retry count parameter can be dynamically updated at the point of service to reflect the outstanding attempts available to enter the PIN associated with the card. The issuer can also statically update the PINPARAM following a PIN changing procedure started by the cardholder at a dedicated terminal in the branch bank.

  • The card security number is also a parameter on track 3 that can be dynamically updated, providing the possibility to relate the data contained on the magnetic stripe to the physical card. In Section 2.6.4 we present a method for using this field, together with a synchronous value kept in the issuer host, to detect counterfeit cards.

  • The crypto check digits (CCD) can be dynamically updated on the card. They can provide a means of verifying the integrity of the data elements recorded on track 3 that were dynamically modified during the current transaction.

  • The additional data field can store other data customized according to the card issuer's policies to provide security protections for improving card authenticity and cardholder verification.

  • The transaction date, which is a parameter specifying the date of the last cash dispense transaction, can also be dynamically updated on track 3. This parameter can be used in the terminal risk management process for determining the frequency of cash dispensing required by the cardholder, which could reveal a suspect account activity.

Track 3 offers the possibility of dynamically updating fields on the magnetic stripe right at the point of service, which confers certain advantages concerning the security of the payment card. To this end, only acquirers that have interchanged some cryptographic material with the issuer of the card can legitimately perform the updating. This security feature limits the interoperability of payment products using this track. Therefore, track 3 serves as storage support for proprietary implementations on a national scale or restrained to a group of issuers/acquirers having enforced bilateral business agreements.

Using the storage space on tracks 1, 2, and 3, a payment card can simultaneously accommodate debit/credit applications used both internationally (track 1 and 2) as well as nationally (track 3).