Part III: Remote debit and credit with EMV™
This part of the book, consisting of Chapter 8, is concerned with the analysis of the EMV™ Chip Electronic Commerce framework. In this framework, EMV™ chip cards can be used for remote payments, both in the electronic commerce (e-commerce) and mobile commerce (m-commerce) environments. Both types of remote payments build on top of the Secure Electronic Transaction™ (SET) specification, jointly developed by a consortium including MasterCard and Visa. SET is a secure protocol for using credit cards to conduct electronic payments over the Internet. The framework combines the EMV™ functionality with the SET payment mechanism to provide a secure and cost-effective chip card transaction over the Internet.
The presentation order of the payment instruments in these three parts follows a ranking based on their proven business success at the moment, on their potential in conjunction with e-commerce and m-commerce, and on their possible evolution in the industry of retail payments.
In the last decade, credit and debit payment cards proved to be a big commercial success all over the world. Actual implementations with magnetic stripe cards, however, showed vulnerability to fraud, which generates significant financial losses. The migration towards chip cards is seen as a natural technological improvement that offers higher protection against fraud, better decision support at the point of service, and enhanced cardholder verification methods. In the European Union the issuing and acquiring banks that are members of Europay, MasterCard, and Visa card associations are migrating from the magnetic stripe cards to the EMV™ chip solution; the transition period ends on January 1, 2005. It can be expected that member banks of MasterCard and Visa located worldwide will also undergo the EMV™ chip migration path, but probably within a larger transition period.
Within the last few years, payments over the Internet have shown a big increase in number of transactions and value. The dominant payment mechanism at the moment is the transmission of financial data embossed on the front side of credit cards via a secure socket layer (SSL)-enabled browser, which securely communicates with the merchant's server. Whereas the SSL protocol offers confidentiality, authenticity, and integrity of the financial data during its journey from the consumer's browser to the merchant's Web server, it does not provide the nonrepudiation security service, which would protect the merchant against a potential denial by the consumer. Once the financial data arrives at the merchant's site, it is stored in the clear in the merchant's Web server. This renders SSL powerless against subsequent attacks that target the financial data on the Web server itself, which is often the case. The use of SET, even though it offers enhanced security features compared to SSL, is still uncertain. One explanation could be that people consider the SET protocols too complex and expensive to process using dedicated software that must be bought by both consumers and merchants, while SSL offers a reasonable level of security to participants without the need to buy supplementary software. A strong business interest of participants already using SSL-enabled browsers and servers for migrating towards SET implementations would have to exist. The ability to use the same EMV™ debit/credit card products used in face-to-face transactions in remote payments over the Internet can increase the interest in SET as a secure payment technology. Moreover, the SET infrastructure can also be used for processing financial transaction details captured in mobile payments.
Mobile payment instruments are, at the moment, highly ranked from the point of view of future potential rather than proven business success. It has become commonplace for people to click their mobile phone handsets while walking, driving, or traveling. The financial services industry has recognized this reality and hopes to increase the volume of retail financial operations using the mobile phone handset. This allows the triggering of a payment application based on a virtual card or simply facilitates the use of an EMV™ debit/credit card over public wireless networks.
MasterCard and Visa have made a significant effort in developing the SET and EMV™ specifications, as well as all the corresponding certification procedures for assessing software and hardware devices implementing these specifications. Therefore, it is foreseeable that they will also commercially promote their EMV™ integrated circuit card (ICC) solution as a means of payment for conducting e-commerce and m-commerce transactions over the Internet and mobile networks.
Considering the proposed content of this book, its target audience includes payment system designers, technical and business managers dealing with payment card products, card and terminal developers, as well as test engineers. These categories of specialists could be involved in ongoing projects based on the EMV™, SET, and wallet server technologies in face-to-face and remote payments. Researchers, graduate students, and undergraduate students will find an overall picture of the debit and credit payment instruments actually used in the industry of retail financial services. This can represent a starting point for potential improvements and innovations of payment instruments and payment mechanisms.