Cards and payments_V4:Mise en page 1
27/08/07
11:38
Page c2
Cards and payments
The European financial management and marketing association (Efma) is the leading association of banks, insurance companies and financial institutions throughout Europe. On a not-for-profit basis, Efma promotes innovation and best practices in retail finance by fostering debate and discussion among peers, supported by a robust array of information services and numerous opportunities for direct encounters. Efma was formed in 1971 and today gathers more than 2,000 different brands in financial services worldwide, including 80% of the largest European banking groups.
16, rue d’Aguesseau 75008 Paris
Tél. : +33 1 47 42 52 72
Fax : +33 1 47 42 56 76
www.efma.com
Books in the series
Keys to... Online finance security (April 2007)
Keys to... La performance des réseaux bancaires, French issue (September 2007)
Keys to... Banking network performance, English issue (September 2007)
INTRODUCTION
Card World will be celebrating its 20th anniversary in 2008 and we have begun the planning process for a special edition. This has led to much browsing through past issues, looking at which initiatives and technologies have succeeded and which have failed, and admiring the personalities who are still driving the industry 20 years on.
The list of companies whose names have vanished from the scene is a long one, not least because of name changes and mergers, and there have been some interesting technologies that failed to really establish themselves and are no longer talked about. In the early 90s, for example, the electronic purse looked set for sure success. Virtually every country in Europe had one, from the advanced smart card versions such as Mondex, to the ubiquitous, such as the German GeldKarte, and the unassuming, such as Chipknip; but few managed to gain wide acceptance and all failed to make a solid return on investment. Today the search for a substitute for cash continues, and European initiatives such as Sepa and less expensive products including prepaid cards may well prove the drivers this segment needs.
Again, this was first mooted by the now merged Europay, together with MasterCard and Visa, when they were all bank-owned associations. The plan was to replace the insecure mag-stripe card with a more secure chipped version in order to halt the rise in card fraud, especially counterfeiting.
Banks are increasingly aware of the importance of retail payments to their businesses. They are examining new products such as pre-paid, contactless, corporate and business payments, not to mention government and ID cards, as a way to drive their brands into new areas. For marketers, the plastic card has provided many new opportunities to develop retail payments and deepen the relationship between bank and customer. In recent times, the card associations have relaxed the rules on branding of cards and the positioning of information, making it easier for banks to differentiate their products. There have also been new materials such as translucent and sparkling to choose from, and the opportunity to let customers design their own cards. The internet itself has changed the card business, because customers can more easily compare products, and also move to a new offering more quickly.
These are the challenges. The positive side of the card business is that at a time when people are entering the bank branch less frequently, the card can act as a reminder of the banking relationship and of its usefulness to the customer. Card marketing today can be intensively segmented, with offers honed down to groups of a handful of suitable customers. This makes it possible for the innovative banks to offer relevant loyalty rewards and intelligent offers of additional services. In some markets the debit card has remained the chief method of payment, while in others the credit card has provided a useful and profitable product. Loyalty cards fill most wallets, and in many there are also plastic ID cards, passports, transit cards and small value payment cards.
New players will try to enter this business, facilitated by Sepa rules and technologies that make reaching the customer and completing back office functions so much easier. This gives banks new challenges, but it also provides exciting opportunities. Prepaid cards are already a major revenue source for retailers. With a bank partner, the merchant can offer wider acceptance and so increase the use of the card. This is especially welcome for employee salary cards and for welfare cards. The partnership with a bank can enhance the benefit to all parties.
In 20 years, Card World has never been short of stories to cover, trends to watch and interesting new arrivals to analyse. There have been many surprises and some satisfaction when developments have been anticipated. But this business is not a predictable one, which makes it all the more interesting to report on. No doubt it will continue to surprise and intrigue us all.
For nearly two decades, Card World has produced an annual User Guide, aimed at those who are new to the business, or who want to refresh their minds on the major events and developments in this fast moving industry. Included each year has been an updated and increasingly comprehensive glossary of terms. Card World is pleased to share this with Efma to use in this publication. We hope you find it useful.
Annich McIntosh
Managing Editor
C&M Publications
A
AADS (Account Authority Digital Signature). A payment mechanism where smart cards and PINs interact to generate a unique digital signature for each transaction.
ABM (Automated Banking Machine). North American term corresponding to Automated Teller Machine in the UK.
ABS (Acrylonitrile Butadiene Styrene). Plastic material used to make many integrated circuit cards. Unlike PVC it is formed through injection moulding, which allows the dimensions of the card and the hole into which the chip module is inserted to be precisely controlled.
ACB. Automatic Clearing Bureau.
Access card. A machine-readable card used to obtain computer access, physical entry or passage.
Access control. Any measure designed to ensure that access to a resource is obtained only by authorised users.
Account number. See identification number.
Account aggregation. The practice of collecting account data from all a person’s online accounts (including financial) and making it available on one website with one login and password.
ACH (Automated Clearing House). A facility that electronically processes payments of funds and government securities among financial institutions and businesses.
Acquirer. A financial institution, such as a bank, which has a contractual agreement with a merchant to process debit and credit card transactions. The acquirer reimburses the merchant for the amount of the sale and charges a commission for the service.
Activation. To prevent lost and stolen card fraud, issuers ask cardholders to confirm arrival of a card and prove identity before activating it.
Address verification system. An additional point of reference to authenticate card use, for telemarketing purposes, by confirming the cardholder’s address.
ADE (Angewandte Digital Elektronik). European contactless card association.
ADPU (Application Data Protocol Unit). The fundamental data unit exchanged between a terminal and a card. Contains a command from the terminal or a response from the card. See also APDU.
ADS (Automatic Debiting Systems). EC project aimed at reducing traffic flow on motorways.
ADSL (Asymmetric Digital Subscriber Line). Always-on technology which allows a telephone line to carry data at up to 2 Mbit per second.
AES (Advanced Encryption Standard). A security algorithm which is used as an alternative to DES.
AFC (Automatic Fare Collection). As in contact or contactless smart card public transport schemes.
Affinity card. A form of loyalty card where the co-branding partner is a charity or organisation which benefits financially from card use.
AFNOR (Association Française pour la Normalisation). The French standards body responsible for the early smart card standards. Chips in the Afnor position are in the top left hand corner of the card rather than in the ISO position lower down.
AI (Artificial Intelligence). The term used for computers that appear to “understand” spoken language or display reasoning.
AID (Application Identifier). Code which allows a terminal to select the correct application within a card for a given operation.
ALC (Application Load Certificate). Used to authenticate an application being loaded onto a card.
Algorithm. A mathematical sequence used, for example, to encode and decode data in encryption.
Alpha test. The initial trial run of a new programme, system or hardware within the organisation that developed it. See beta test.
ABA (American Bankers Association). The trade association of American banks.
American Express. A global travel organisation and one of the oldest travel and entertainment charge card and credit card issuers.
ANSI (American National Standards Institute). The US national member body of the International Organisation for Standardisation.
AMESA (Asia Mobile Electronic Services Alliance). A Visa-backed initiative representing an Asia-Pacific partnership to integrate smart cards, mobile phones, public key infrastructure and open standards.
Amplifier. A device for strengthening the voltage or power of electronic signals.
AMPS (Advanced Mobile Phone System). First Generation (1G) cellular radio standard developed in the USA.
Analogue. Signals that can represent an infinite range of values, as opposed to digital signals, which can represent only distinct whole numbers.
Annual fee. A fee paid by a cardholder for the privilege of holding a financial transaction card. With some cards the cardholder pays interest and no fee. Some cards charge both fees and interest.
Antenna. Aerial on a contactless card, tag or reader.
Anti-collision. Feature used in contactless cards to prevent conflicts between different signals.
Anti-tearing. Feature which protects the memory contents of a card if it is removed before the end of a transaction.
APDU (Application Protocol Data Unit). Basic command unit for a smart card. Contains either a command message or a response message.
API (Application Programming Interface). Definition of calling conventions allowing an application programme to access other services such as the OS, drivers or middleware layers.
Applet. Compact programme that may be downloaded quickly and used by a remote device. In smart card applications an applet may also be called a cardlet.
Area 1. Part of the embossing area reserved for identification of the card issuer and cardholder (defined in ISO 7811).
Area 2. Part of the embossing area provided for cardholder identification data such as name and address (defined in ISO 7811).
ARPU. Average Revenue Per User.
ASCII (American Standard Code for Information Interchange). The character code used by most small computers. It assigns a seven-bit code to 96 printable characters and 32 control characters.
ASIC (Application Specific Integrated Circuit). A computer chip with special features designed to meet particular requirements.
ASP (Application Service Provider). A company that offers remote access to application programmes or services that would otherwise have to be located on the customer’s own computers.
Assembly language. Computer programming language that uses mnemonic codes.
APACS (Association for Payment Clearing Services). Umbrella body for the UK payments industry.
Asymmetric key cryptography. A security system in which different keys are used to encode and decode data: the encoding key is usually a “public key” and the decoding key a “private key”.
Asynchronous. Not synchronous. The most common data transmission method for small computers.
Asynchronous Password Generation. A method of generating a unique one-time password for a computer user based on a challenge-response sequence between a host and a device possessed by the user.
ATB. Automated Ticket and Boarding pass machine at an airport which accepts a financial transaction card to pay for an airline ticket and issues the ticket and boarding pass.
ATM (Automated Teller Machine). A computerised self-service device permitting holders of an appropriate card and PIN to withdraw cash from their account and access other banking services. Also known as a cash dispenser.
ATM (Asynchronous Transfer Mode). A communications protocol for the transfer of data of any type across a network.
ATM reciprocity. An arrangement between ATM operators under which they accept each other’s cards in their own ATMs.
ATR (Answer To Reset). Information from a card, sent as the first data after the reset. Indicates basic information such as card type, communication protocol, etc.
Attack. In cryptography, an attempt to decode encrypted data without authorisation.
ATZ (Access Tracking Zone). Part of the card memory reserved for registering secret keys or cardholder codes.
Audit/journal printer. The printer which records all transactions as they occur and provides an audit trail.
Audit trail. Chronological record of activity that can be used for security purposes.
Authenticate. To prove identity or origin.
Authentication. The process of validating a message or a user’s access authorisation.
Authentication (external). The process of authenticating the external world (e.g. the terminal) to the card.
Authentication (internal). The process of proving that the card is genuine by means of an algorithm, a random value and a secret key.
Authentication routine. A process used to validate a user, card, terminal or message contents. Also known as a handshake, the authentication uses important data to create a code that is verified in real time or by batch processing.
Authorisation. A card issuer’s undertaking to a card acceptor that it will honour a transaction.
Authorisation code. Specific value issued and stored with the transaction data to allow confirmation that a valid authorisation occurred.
Authorisation message. Within a payment system, any message between a card acceptor and a card issuer serving to establish whether the issuer approves a transaction to proceed.
Authorisation processor. A financial institution that processes and validates transaction requests for its cardholders.
Authorisation service provider. A financial network or individual financial institution that authorises requested monetary transactions, e.g. stored value, credit, debit or ATM transactions.
Authorisation terminal. A terminal permitting authorisation of a transaction but not necessarily capturing the transaction data into a payment system.
Automated issuing machine. A machine which records information on a blank identification card before its issue to the cardholder. Some issuing machines only write information on magnetic tracks; others carry out embossing too.
Avant. Finnish EP (Electronic Purse) scheme.
B
B2B (Business to Business). Term used to describe the exchange of products, services or information between businesses.
B2C. Business to Consumer.
BACS (Bankers Automated Clearing Services). An organisation of UK clearing banks which bulk-processes payments between the banks’ account holders. BACS is heavily used for employees’ salary payments.
Backend database. An application running on a server that stores data and responds to requests for those data from front-end applications running on workstations and networked PCs.
Bad accounts. Generic description of a feature which holds a negative file of account numbers in the system’s storage.
Balance enquiry. A transaction offered by an ATM or ABM enabling a cardholder to determine the balance of one or more of his financial accounts.
Bandwidth. The amount of data that can be sent through a connection.
Banking window. Merchants with online terminals have a banking window (e.g. 16.00-19.00) allocated, and during this time they are expected to perform the end-of-day reconciliation on the terminal.
BankNet. The MasterCard US communications network.
Barcode. A machine-readable graphic representation of alphanumeric characters for rapid data input to a computer system.
BasicCard. A smart card operating system.
Batch processing. A mode of data processing in which data is gathered over a period of time and aggregated for subsequent sequential processing.
Beta test. The first public test of a new programme, system or hardware, under controlled conditions with selected users. See alpha test.
BIC. Bank Identifier Code (SWIFT).
BiCMOS. Bipolar Complementary Metal Oxide Semiconductor.
BIN. Card issuer Identification Number.
Binary. A numbering system using only the values 0 and 1.
Biochip. A chip of synthesised organic molecules for use in quantity in an extremely fast computer. They are expected to be a thousand times faster than silicon chips and use 100,000 times less power.
Biometric authentication. Any method of verifying the identity of a person by measuring an individual biological characteristic (e.g. fingerprinting, retinal scanning, iris scanning, voice recognition).
Bit. A binary digit. The smallest possible unit of information in a digital code.
Bit density. The number of bits per unit length recorded on a magnetic medium. On ISO standard identification cards, track 1 and track 3 are recorded at 8.3 bpmm and track 2 at 3 bpmm.
Bit rate. The rate of transfer of information in bits per second on a communications channel.
Bluetooth. Technology that allows an array of devices to communicate over short-distance wireless links.
Bpmm. Bits per millimetre, a measure of bit density.
Bps. Bits per second, a unit in which bit rates are expressed.
Broadband. A communications medium capable of transmitting a relatively large amount of data over a given period of time. A communications channel of high bandwidth.
Brute-force attack. Method of cryptanalysis in which every possible cryptographic key is tried.
Bugbear. A computer worm that can copy data on an infected computer, including online account and credit card details, by logging keystrokes.
Buffered data. Decoded data from a magnetic stripe held in temporary memory until needed.
Bus. The pathway, in the form of copper foil lines or traces, over which data travels on a circuit board. Switching is directed either by dip switches on the equipment or by software.
Byte. A sequence of eight bits usually operated on as a unit.
C
CA (Certification Authority). A central authority within a public key cryptographic system that is trusted to digitally sign the public keys belonging to all participants of that system and return the results in the form of public key certificates.
CADs. Card Acceptance Devices.
CAFE (Conditional Access For Europe). A European project, carried out by a consortium of companies active in electronic payments together with leading research organisations.
Calling card. A telephone card providing authority to charge calls to a specific credit account set up for the purpose.
CAM. Card Authentication Method.
Cancellation notice. A notification from a card issuer giving details of financial transaction cards which have been cancelled. See hot card.
Capacitive card. A card constructed by applying thin laminates of metallised polyester to standard card stock, which is then encoded by micropositioning laser markers. This non-interactive stable data format can be stored and read contactlessly via capacitive coupling.
CAP file. Converted Applet File. The standard file format representing application code to be loaded into the EEPROM of a Java Card.
Capture date. The date on which a transaction is processed by an acquirer.
Card acceptor. A party accepting a financial transaction card and presenting transaction data to an acquirer.
Card acceptor identification code. Within a payment system, a code identifying the point at which a transaction takes place.
Card acceptor terminal identification. Within a payment system, a code identifying a terminal at a point of service.
Card blocking. A system for securing a smart card so that unauthorised users cannot gain access.
Card bureau. A contract service to card issuers, whereby printed blank cards can be embossed and encoded with cardholder and other data and, in some cases, dispatched to cardholders.
Card duality. Issuing and acquiring activities conducted with more than one payment system.
Card-emulator. A tool to emulate chip card ICs in a late development state.
Card encoding. The original recording of information on an identification card by the card issuer.
Cardholder. An individual to whom a payment or other card has been issued.
Cardholder accounts transfer. Movement of funds between a cardholder’s accounts held by the same financial institution.
Cardholder billing conversion rate. The conversion rate used to convert the value of a transaction from the transaction currency to the cardholder billing currency.
Cardholder billing currency. The currency in which a cardholder is billed, especially in contexts where this differs from the currency in which his transactions have been denominated.
Card base. A marketing term to describe an actual or potential market, e.g. the card base of American Express is mainly T&E (travel and entertainment).
Card issuer. An individual or organisation that issues identification cards to individual or corporate cardholders.
Card jitter. Poorly aligned recording on the magnetic tracks of an identification card.
Card payment system. A payment system supporting payments made by financial transaction cards.
Card reader-writer. Equipment that can electronically read the information on one or many types of cards and modify specific data fields.
Card registration service. A service to cardholders which registers cardholders’ identification cards and notifies card issuers if the cardholder advises the service of card loss, theft or destruction.
Card scheme. Organisation or payment system which manages and controls the operation and clearing of transactions through its rules. Banks and building societies must be members of the appropriate schemes to issue cards and acquire card transactions. Examples of schemes are MasterCard, Visa, American Express, Diners Club and Switch.
Card unblocking. The reverse procedure to blocking a card. Also known as rehabilitation.
Cash advance. The obtaining of cash which is posted against the cardholder’s account.
Cash dispenser. The simplest form of ATM, which permits only cash withdrawal.
Cash transfer. See Cardholder accounts transfer.
CAT (Credit Authorisation Terminal). See Authorisation terminal.
CCMS. Crypto Chip Management System.
CD-ROM. Read Only Memory (ROM) information that is loaded onto a computer from a compact disc.
CDMA (Code-Division Multiple Access). Refers to any of several protocols used in 2G and 3G wireless communications. CDMA allows numerous signals to occupy a single transmission channel, optimising the use of available bandwidth.
CEN (Comité Européen de Normalisation). European Standards Association.
CENELEC. CEN standards body for electrical systems.
Certificate. A file which is digitally signed by a certification authority. Of the many different types of certificates, the most common is X.509 v3.
Certification authority. Trusted third party that establishes a proof linking a public key and other relevant information to its owner.
CEV (Cardholder Expenditure Volume). The amount of money spent or withdrawn using a payment card.
Challenge-response. A means of authentication in which one device replies in a predetermined way to a challenge from another device, thus proving its authenticity.
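The challenge-response and "Asynchronous Password Generation" entries describe the same idea: the host sends a fresh random value and the device proves possession of a shared secret by returning a keyed function of that value, so an observer who records one reply cannot reuse it. The following script is an added illustration written for this edition, not code from Card World or Efma; it uses a keyed hash (HMAC-SHA256) as the response function, which is one common choice rather than a scheme the glossary specifies, and the key and nonce values are constructed for the demonstration.

```python
"""Challenge-response authentication between a host (verifier) and a user device.

Added example: HMAC-SHA256 is used as the response function; the shared key
and the fixed nonce below are constructed demonstration values.
"""
import hashlib
import hmac
import secrets
from typing import Optional

RESPONSE_LEN = 8  # bytes of the MAC returned, as a one-time "password"

# Constructed demonstration key, shared out of band between host and device.
DEMO_KEY = b"constructed-demo-shared-key"


class Device:
    """The object the user possesses (token or card): holds the secret key."""

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        # One-time password = truncated HMAC over the host's challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


class Verifier:
    """Host side: issues an unpredictable challenge and checks the reply."""

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key
        self._pending: Optional[bytes] = None

    def issue_challenge(self, nonce: Optional[bytes] = None) -> bytes:
        # A random 128-bit nonce makes every exchange different; a caller may
        # pass a fixed nonce only to make a test reproducible.
        self._pending = nonce if nonce is not None else secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # nothing outstanding: a stray reply is rejected
        challenge, self._pending = self._pending, None  # single use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange(host_key: bytes, device_key: bytes, nonce: Optional[bytes] = None) -> bool:
    """Full exchange: host -> challenge -> device -> response -> host decision."""
    host = Verifier(host_key)
    device = Device(device_key)
    challenge = host.issue_challenge(nonce)
    return host.verify(device.respond(challenge))


def replay_is_rejected(shared_key: bytes) -> bool:
    """Show the replay property: a captured response fails against a new challenge."""
    host = Verifier(shared_key)
    device = Device(shared_key)
    captured = device.respond(host.issue_challenge())
    first_ok = host.verify(captured)          # genuine exchange succeeds
    host.issue_challenge()                    # host moves on to a fresh challenge
    return first_ok and not host.verify(captured)


if __name__ == "__main__":
    print("matching keys:", run_exchange(DEMO_KEY, DEMO_KEY))
    print("wrong device key:", run_exchange(DEMO_KEY, b"some-other-key"))
    print("replay rejected:", replay_is_rejected(DEMO_KEY))
```

The host never transmits the secret and the device never transmits it either; only the challenge and a short keyed digest cross the wire, which is what distinguishes this from a static password.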
CHAPS (Clearing House Automated Payment System). British entity.
Character height. The maximum permitted height of embossed characters on an identification card. For ISO standard cards this is 4.32mm (defined in ISO 7811).
Character spacing. The nominal spacing of embossed characters on an identification card. For ISO standard cards this is 3.63mm, with a minimum spacing between two consecutive characters of 3.48mm (defined in ISO 7811).
Chargeback. Return of a financial transaction by an issuer to an acquirer because of a perceived violation of rules or procedures.
Chargeback dispute. A disagreement between parties to a transaction over whether or when the transaction actually occurred or what amount was involved.
Charge card. A plastic payment card, the terms of which include the obligation to settle the account in full at the end of a specified period of time. Examples are American Express cards and Diners Club cards. Many gold payment cards operate as charge cards.
Check digit. A digit calculated from the digits of a number and appended to it as an integrity check. Check digits on ISO standard identification cards are calculated using the Luhn formula.
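The Luhn formula named in the check digit entry is simple enough to show in full. The script below is an added example for this edition (not Card World's or Efma's code) implementing the standard mod-10 rule: working from the right, every second digit is doubled, digits above 9 have 9 subtracted, and the sum must be a multiple of 10. The card-like numbers it checks are constructed for the demonstration and are not real account numbers. It also shows the one weakness a practitioner should know: the formula catches any single mistyped digit but not a 09/90 transposition.

```python
"""Luhn (mod 10) check digit: generate and verify.

Added example; the sample numbers are constructed test values, not real PANs.
"""


def _luhn_sum(number: str) -> int:
    """Luhn weighted sum of a complete number (payload plus check digit)."""
    total = 0
    # Index 0 is the rightmost digit (the check digit), which is never doubled.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit pass the Luhn test."""
    if not payload.isdigit():
        raise ValueError("payload must contain digits only")
    # Appending '0' puts the payload digits in their final positions.
    remainder = _luhn_sum(payload + "0") % 10
    return str((10 - remainder) % 10)


def luhn_valid(number: str) -> bool:
    """Validate an embossed/printed number; spaces and hyphens are ignored."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 2 or len(digits) != len(number.replace(" ", "").replace("-", "")):
        return False  # too short, or contained characters other than separators
    return _luhn_sum(digits) % 10 == 0


def transposition_detected(number: str, pos: int) -> bool:
    """Swap the digits at pos and pos+1 and report whether Luhn notices."""
    swapped = number[:pos] + number[pos + 1] + number[pos] + number[pos + 2:]
    return not luhn_valid(swapped)


if __name__ == "__main__":
    payload = "7992739871"                       # constructed sample
    number = payload + luhn_check_digit(payload)  # -> 79927398713
    print(number, luhn_valid(number))
    print("single digit error caught:", not luhn_valid("79927398714"))
    # Blind spot: 12345678903 is valid, and so is 12345678093 (the 90 became 09).
    print("09/90 swap caught:", transposition_detected("12345678903", 8))
```

Because the check digit is public arithmetic rather than a secret, a Luhn-valid number says nothing about whether an account exists; it is an input-integrity check, useful for rejecting mistyped numbers before a transaction is sent for authorisation.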
Checking account. US term corresponding to “current account” in the UK.
Checksum. A procedure used by applications to verify the integrity of a card.
Cheque guarantee limit. The maximum amount for which a cheque may be made out under the conditions of use for a cheque guarantee card.
Chip. A piece of silicon etched with an electronic circuit.
Chip and PIN. Any card transaction at the POS or ATM which is protected by a combination of an EMV chip card and a personal identification number.
Chip card. Also integrated circuit card, microprocessor card and smart card. A card which holds details on a computer chip embedded in the card and can process as well as store those details.
Chip module. The chip is placed on and bonded to a contact plate and protected with a special kind of resin. The resulting chip module is then inserted into the cavity of the plastic card.
Churn. Customer defection.
Cipher. A system of code that substitutes one character for another.
Ciphering. An encryption technique that uses keys, algorithms and protocols to change a non-coded text into a coded (ciphered) text. This coded text cannot be understood or used by anyone who does not have the key to turn the text back into its original non-coded form.
Ciphertext. Encrypted form of data, also known as encrypted text.
Cirrus. The MasterCard brand of ATM-only card.
Citycard. A multi-application prepayment card for use within a specific urban area. Also known as town card.
CKS (Checksum). A control procedure used by applications in verifying the integrity of a card.
Clearing. The processing of financial transactions between the acquirer and issuer for reconciliation, billing and statement use.
CLEF (Commercial Licensed Evaluation Facility). Group licensed to carry out security evaluations using ITSEC criteria.
CLK (Clock signal). An electronic signal presented at contact C3 (see contact) of an integrated circuit card for synchronisation between the card and its external interface device.
Closed pre-paid system. A system where the issuer and acquirer of the card are the same party. The card is issued by the party that provides the services that can be accessed by the card, e.g. a university card.
CMOS (Complementary Metal Oxide Silicon). A semiconductor material used to make integrated circuits with very low power consumption. Without it IC cards would not be possible.
CMS (Card Management System). Tools and services used to deploy and manage smart card based applications.
CNP (Card Not Present). Transaction where the merchant does not have physical access to the card, for example telephone or mail order and the internet.
Co-branding. A card issuing agreement between a bank and a commercial organisation, such as between HFC and General Motors.
Coercivity. A measure of the strength of a magnetic field.
Collecting banker. A bank acting as an acquirer.
Collection. The process of transferring data or transactions either from load devices to the purse provider host or from purchase devices to purchase provider hosts via acquirers.
Collusive merchant. A merchant who knowingly compromises charge, credit or debit cards and/or knowingly accepts lost, stolen or counterfeit cards.
Coloured cards. Completely counterfeit charge, credit or debit cards.
Combi card. Use of both contact and contactless technology on one card.
Common criteria. An international standard for evaluating the security of IT products.
CMS. Chip Management System.
CNP (Card Not Present). A term used to describe transactions such as mail, telephone or internet as opposed to face-to-face transactions.
Connectivity. The ability or facilities of data processing systems to connect and interwork with each other.
Contact. A point of electrical connection between an integrated circuit card and its external interface device. ISO standard integrated circuit cards have eight contacts designated C1 to C8 (defined in ISO 7816).
Contact card. A smart card with a visible module cover (usually gold coloured) which has five or six contact points which transfer information. Contact cards may be memory only or microprocessor.
Contactless card. A smart card with no visible module, which transfers data using radio frequency technology.
Conversion date. The prevailing date of the conversion rate at which a transaction amount is converted to a settlement currency. Corporate charge card. A charge card provided by a company to its employees for business expenses. Usually the company is the account holder and the employee is the cardholder.
COS. Card (Chip) Operating System. Counterfeit card. A card which has been printed, embossed or encoded so as to appear to be a legitimate card, but which is not genuine because the issuer did not authorise the printing, embossing or encoding. Country code. A numeric code identifying the country of origin of a party in the payment system.
Coupler. Device between the electronic and logical interface of the card and the host computer.
CPS (Custom Payment Service). Visa's regulations for the information that must be submitted with each transaction. Transactions must meet CPS criteria in order to qualify for lowest transaction processing fees available. Similar to MasterCard's Merit system. CPU. Central Processing Unit. CQL. Subset of SQL implemented on a smart card. Credeuro/ICP. “Interbank Convention on Payments” the convention, which establishes the pan-European interbank principles for basic crossborder straight through processing (STP) credit transfers in euro.
Credit authorisation. Authorisation of a transaction under which credit is granted to a cardholder.
Credit card. A plastic payment card which enables the cardholder to pay for goods and services and to obtain cash advances up to a prearranged credit limit. The holder may settle the outstanding balance in full or in part by the end of a specified period, or “roll it over” to the next period, whereupon an interest payment is due.
Credit life insurance. Life insurance which discharges a cardholder’s credit card debt in the event of his death.
Credit loss. Amount charged off as a result of failure by the cardholder to repay the amount owed on the account.
Credit scoring. Using a points system to assess a cardholder’s creditworthiness.
CRIS (Cardholder Risk Identification Service). A neural net based risk identification service that provides participating Visa members with early warning information about unusual and suspect card usage.
CRL (Certificate Revocation List). Also known as a black list: a list of digital certificates that have been revoked and are no longer valid.
CRM. Customer Relationship Management.
Crossborder fraud. Fraud perpetrated on a plastic card, or using a card number, in a country other than the country of issue.
Crossborder transaction. A transaction where the issuer is based in one country and the acquirer in another.
Cryptanalysis. Decryption by analysing data without knowing the key used for its encryption.
Cryptogram. Result of a cryptographic operation. Used in transactions involving chips; it allows the chip to exchange data with the issuer securely.
Cryptographic key. A parameter used with a cryptographic algorithm to transform, validate, authenticate, encrypt or decrypt data.
Cryptography. The methods and practice of transforming confidential information to make it unintelligible to parties not authorised to know it.
Crypto-processor. Arithmetic unit for execution of asymmetric algorithms.
Cryptosystem. A system which encrypts and decrypts information.
CSM. Clearing and Settlement Mechanisms.
Customer-activated terminal. See Unattended terminal.
CTI. Computer and Telecommunication Integration.
CVC and CVV. Card Verification Code (MasterCard) and Card Verification Value (Visa). Encrypted numeric value contained in the data on the magnetic stripe, which can be checked to ensure that the information has not been altered in any way.
CVM. Cardholder Verification Method. The means to verify the authenticity of a cardholder.
CWG. Cards Working Group.
Cyberspace. Networked computers; the Internet.
D
D-AMPS (Digital Advanced Mobile Phone System). TDMA-based second generation (2G) cellular radio standard originated in North America; sometimes referred to as TDMA. Used widely throughout the Americas.
DBMS (Data Base Management System). A system used to store, retrieve, and manipulate data in an organised (modelled) fashion. Usually consists of dictionary, manipulation, security, and access components.
Data capture terminal. An electronic payment terminal which captures transactions for later offline processing.
Data integrity. Data with integrity has not been altered or destroyed in an unauthorised manner.
Data mining. A generic term for the process of analysing data in a data warehouse according to a predetermined set of priorities.
Data warehouse. A repository made up of databases of data extracted from a variety of sources, with a view to analysis to reveal additional information.
DCC (Dynamic Currency Conversion). A service which some merchants offer to foreign cardholders, where a currency conversion to the cardholder’s home country currency is conducted at the POS.
DDA (Dynamic Data Authentication). A more advanced version of SDA for presenting a smart card at a chip-enabled POS and proving it has not been cloned or counterfeited.
DDP (Distributed Data Processing). Data processing carried out by a system of computers connected in a network and sharing tasks among themselves.
DEA (Data Encryption Algorithm). The encryption algorithm specified in the Data Encryption Standard.
Deactivation. A secure procedure under control of the card/secure application module (SAM) issuer, switching a card or a SAM from its active life state to a permanently disabled state which only allows unprotected data to be read.
Debit card. A plastic payment card linked to a bank or building society account, used to pay for goods and services by automatically debiting the holder’s account; usually also combined with other functions such as ATM operation and cheque guarantee (multi-function cards).
Debit transaction. A transaction resulting in a debit to a cardholder’s account.
Decrypt. To effect decryption.
Decryption. Reversing the process of encryption to recover the original text of confidential information. To do this easily the recipient must possess the key used for the original transformation.
DECT (Digital Enhanced Cordless Telecommunications). A digital wireless telephone technology that uses TDMA to transmit radio signals to phones. Whereas GSM is optimised for mobile travel over large areas, DECT is designed especially for a smaller area with a large number of users, such as in cities and corporate complexes.
Dedicated network. A communications facility established for a specific purpose, such as servicing POS facilities.
Deferred debit cards. Something half way between a debit card and a charge card. The cardholder settles his entire balance for every billing period, but there is a delay between the date when a transaction is charged to his account and the date by which the payment must be made.
Degaussing. Magnetic stripe data erasure.
Delta. A sub-branding of the standard Visa card indicating that the card debits a bank account rather than giving the cardholder access to credit.
Derived key. A cryptographic key obtained by using an arithmetic function in combination with a master key and a unique identification value such as a card serial number.
DES (Data Encryption Standard). A US standard defining a cryptosystem for use by the US Federal Government. Popularly known as DES, this cryptosystem is widely used in payment systems. DES is a type of encryption algorithm using a single key cipher. The encryption/decryption method is called symmetrical because the same key must be used to “lock” and “unlock” the data.
DES cryptosystem. A cryptosystem complying with the Data Encryption Standard.
Device card. An integrated circuit card that carries information (logic and data). Used to configure, operate, and supervise a work station that accepts integrated circuit cards or contains integrated circuit card functions.
DPA. Type of attack against smart cards. It uses error correction and statistical analysis of voltage and radiation variations observed directly on an active smart card to obtain its data.
Digital certificate. A system used to authenticate a message or transaction over the internet.
Digital key. Strings of unique bits that allow messages to be scrambled and unscrambled.
Digital optical laser card. A portable card that passively stores information in the form of high-density marks or bars.
Digital signature. A system used to authenticate a message or transaction by the sender. The digital signature is generated using a cryptographic algorithm and information that identifies the user, including a cryptographic key.
Digitising. Conversion of non-textual data to digital form, especially in graphics and image processing.
Diners Club. Franchise-based card scheme which invented multi-use charge cards in 1950.
Discount merchandise. An enhancement service available with some financial transaction cards when the card issuer has an arrangement with suppliers of goods to offer discounts to cardholders paying with their cards.
Discount rate. The fee a merchant pays the acquirer to process a purchase charged to a card payment system.
Disintermediation. A process whereby a third-party intermediary in a transaction is removed, allowing the two primary participants to interact directly.
Disposable card. A card discarded by the cardholder when its value has been used up. Not all exhausted cards are disposed of. At least one prepaid scheme captures empty cards and recycles them.
DMZ (De Militarised Zone). A network added between an internal and external network to provide added security.
DNS (Domain Naming System). Process by which the internet converts a site name from an alphabetic name to a 32 bit IP address.
Double-copy voucher. A sales voucher or receipt printed in duplicate on an EFPOS or EFTPOS terminal. The cardholder keeps one copy and the card acceptor keeps the other.
Down-line loading. Loading of data from an acquirer’s computer system to a card acceptor’s terminal via an intermediate network facility (eg to transmit hot card files).
DPA (Differential Power Analysis). Method of hacking any type of microprocessor chip. DPA attacks the characteristic behaviours of transistor logic gates and software running on smart cards and other cryptographic devices. It is performed by monitoring the electrical activity of a device, then using advanced statistical methods to determine secret information (such as secret keys and user PINs) in the device.
DRAM (Dynamic Random Access Memory). Random access memory which needs its contents to be refreshed on each memory cycle (compare static random access memory).
DSA (Digital Signature Algorithm). A US government standard.
DSS (Digital Signature Systems). A type of asymmetric encryption/decryption system used for remote authentication.
Dual interface cards. Cards that enable contact and contactless communication between the smart card and different types of terminals.
Dual slot. Smart card reader that can accommodate two cards simultaneously.
Dual-standard terminal. A terminal supporting both DES and RSA cryptosystems.
Dumb. A plastic card that only stores information and has no processing capability.
Dump. To copy data to a screen, printer or another storage medium.
E
EAC (External Authentication Cryptogram). Signal created by an external source such as a terminal or smart card host.
EAI. Enterprise Application Integration.
EAP-SIM (Extensible Authentication Protocol-Subscriber Identity Module). A smartcard-type authentication method enabling a user of a Wi-Fi network to utilize the existing GSM roaming infrastructure. The credentials embedded in the SIM card are used to mutually authenticate the user and the network.
EASCIL (Easy Smart Card Interpretive Language). A language interpreter developed by Bull CP8.
Eavesdropping. The illegal interception of data.
EBA. European Banking Association.
EBCDIC (Extended Binary Coded Decimal Interchange Code). An IBM system for encoding characters that accommodates twice as many symbols and functions as ASCII by using eight-place binary numbers instead of seven-place numbers.
EBPP (Electronic Bill Presentment and Payment). Refers to online electronic bill presentment and payment. Bill presentment involves the online delivery of bills to customers, with electronic payment instead of through paper cheque.
e-cash (Electronic cash). Authenticated value that is represented by an electronically stored code.
EC. European Commission.
ECB (European Central Bank). The central bank of the eurozone, in charge of the countries that use the euro currency.
ECC (Error Correcting Code). A combination of bits resulting from a calculation under a set of given rules used to detect and correct errors.
ECC (Elliptic Curve Cryptography). Cryptographic solution requiring less bandwidth to offer increased security for online transactions. Twice as much power is needed to crack a 97-bit ECC key than a 512-bit RSA key.
e-Commerce. Electronic commerce. Transactions which are conducted over an electronic network where the purchaser and merchant are not at the same physical location.
e-CML (Electronic Commerce Modelling Language). A universal format for wallets and merchant websites.
e-CRM. Electronic Customer Relationship Management.
ECSAs. European Credit Sector Associations.
EDDWG. Electronic Direct Debit Working Group.
EDGE (Enhanced Data GSM Environment). A faster version of the GSM wireless service, designed to deliver data at rates up to 384 Kbps and enable the delivery of multimedia and other broadband applications to mobile phone and computer users. The EDGE standard is built on the existing GSM standard, using the same TDMA frame structure and existing cell arrangements.
EDI (Electronic Data Interchange). Structured electronic messaging that converts data into agreed formats for transfer between parties.
Edge burr. Roughness on the edges of identification cards. For ISO standard cards they must be less than 0.08mm in size (defined in ISO 7810).
EEPROM. Electronically Erasable Programmable Read-Only Memory which can be re-used many times, unlike EPROM, as in the re-loadable EP (electronic purse) card.
EF (Elementary File). Used to define a file within a smart card filing system.
EFT (Electronic Funds Transfer). The technology and practice of making payments by payment instruments embodied in the functions of computer systems.
EFTPOS (Electronic Funds Transfer at Point Of Sale). The technology and practice of making payments for goods and services by means of electronic funds transfer initiated at the point where the goods or services are purchased.
Electronic benefits transfer. Payment of social security benefits by electronic funds transfer.
Electronic commerce. Transactions which are conducted over an electronic network where the buyer and merchant are not at the same physical location. An example is plastic card transactions via the internet.
Electronic draft capture. Capture by an acquirer by electronic means of data for transactions not originally processed electronically by a card acceptor. Usually this involves optical character recognition of sales vouchers.
Electronic number plate. A device that transmits an electronic signal containing vehicle identification information; it can be used to charge tolls without requiring vehicles to stop.
Electronic payment terminal. A terminal accepting a payment instrument which results in electronic funds transfer.
Elliptic curves. A public key encryption system based on mathematical difficulties (discrete logarithm problems) different from those at the heart of the RSA (prime number factorisation).
Embedding. The process of implementing the chip module in a plastic card.
Embossed hologram. A holographic image is embossed on special foil that can be affixed to a plastic card.
Embossing. Characters raised in relief from the front surface of an identification card or the process of forming such characters.
Embossing area. The area on an identification card within which embossing is located (defined in ISO 7811).
Emulator. Tool for development and testing of application software.
EMV (Europay, MasterCard Visa). A collaboration between Visa and MasterCard to develop and implement a global security standard, and interoperability for chip based payment cards.
Encipherment. The reversible transformation of data by a cryptographic algorithm to produce ciphertext.
Encoder. System or equipment designed for the encoding of magnetic-striped plastic cards used to activate an ATM.
Encoding. Recording electronic information on to a magnetic stripe.
Encrypt. To effect encryption.
Encryption. A transformation of information, based on a key, to make the information unintelligible to unauthorised parties. The authorised recipient possesses the key and recovers the original text by the reverse process, decryption.
Enhancement services. Services offered to cardholders of financial transaction cards in addition to the basic service of providing a payment instrument. The most common ones are card registration, lost card replacement, travel and life insurance, and reservation guarantees.
EP (Electronic purse/e-purse). Loadable smart card scheme for small value purchases e.g. VisaCash, Mondex and Proton.
EPC (Electronic Product Code). Smart tags that are set to replace bar codes on packaging in the present supply chain.
EPC (European Payments Council). A decision-making body that was established by the European banking industry to support and promote the creation of a Single Euro Payments Area (see SEPA).
EPOS (Electronic Point Of Sale). A point of sale or point of service equipped with electronic equipment for pricing and recording transactions but not necessarily incorporating functions for electronic funds transfer.
ERM. Enterprise Relation Management.
ERP. Electronic Road Pricing.
Error correcting code. An error detecting code designed so that certain classes of detected errors can be corrected automatically.
Error-detecting code. A digital code in which redundant bits are incorporated to allow transmission errors to be detected (see also parity).
ESCB. The ESCB comprises the ECB and the NCBs of those countries that have adopted the euro.
ESD (Electro Static Discharge). High voltage but low current; ESD can be harmful to electronic devices.
ETSI (European Telecommunications Standard Institute). ETSI card standards are based on ISO standards.
ETU (Elementary Time Unit). The clock “tick” on which all chip card timings are based.
ETTM. Electronic Tolling and Traffic Management.
EVA kit. Evaluation kit to operate sample cards.
Extranet. An intranet link to external organisations, such as suppliers.
F
Fallback. As used in stand-alone offline fallback, this concept calls for the intelligence to allow an ATM to run independently of its host computer and communications link. This means the ATM remains fully operational, except for the balance inquiry functions, when the phone lines, modem and host computers are not.
FAR (False Acceptance Rate). The percentage of illegal users incorrectly accepted as valid users by a biometric device (sensor and matching software). There is a strong mathematical relation between FAR and FFR.
Farrington 7B. A type font comprising letters and digits only and used for embossing text on identification cards (defined in ISO 7811).
Fat client. All processing and intelligence sits on the desktop.
FEP (Front-end processor). A computer which handles communications processing for another, usually larger, computer.
FERAM. See FRAM.
Ferrous oxide. The metal “rust” particles that are used to make magnetic stripes. The controlled rusting (oxidation) determines the recording characteristics of the magnetic material.
FFR (False Rejection Rate). The percentage of valid users that are incorrectly rejected by a biometric device (sensor and matching software). There is a strong mathematical relation between FFR and FAR.
Fibre optic cables. A transmission medium in the form of fibre made of optical glass which conveys coherent light on which digital signals are transmitted at close to the speed of light.
Filtered data. Data or functions that are loaded into the memory of a smart card. Masked data and functions, by comparison, are hardwired into the card's chip.
Fine line security pattern. A printed pattern of finely spaced lines used to prevent counterfeiting of printed matter (see also infill printing).
Fingerprint reader. A device which forms a digitised image of a human finger print for the purpose of biometric authentication.
FINREAD. Financial transaction IC card reader. Established by the EC to achieve Europe-wide high level security standards for the use of smart card readers and terminals with PCs.
Firewall. A method of defence against electronic intrusion into the corporate computer network.
Flash. A type of memory based on EPROM which offers all the usual reliability attributes of EPROM, but is in-system, electrically erasable/rewritable on a whole chip or block basis with low power consumption.
Fleet fuelling card. Charge card used most by transport drivers to pay for fuel on the road.
Float. The value of funds tied up in the payment process reflecting the value of payment processing time. Also funds from pre-paid cards.
Floor limit. The maximum value for which a card acceptor accepts a transaction without obtaining authorisation.
Flux transition. A reversal of magnetic polarity on a magnetic track (see two-frequency recording).
FOMA (Freedom of Mobile multimedia Access). First commercially available 3G service. Provided by NTT DoCoMo.
Footprint. Space taken up by the OS, an application or data in the smart card memory.
Four-party system. Payment systems, such as Visa and MasterCard, which involve four separate participants: the issuer, the acquirer, the cardholder and the merchant.
FPGA (Field Programmable Gate Array). Semiconductor device which generates its outputs directly from its input states according to a user defined programme.
FRAM. Ferroelectric RAM (patented by RACOM). A system using memory cells containing a layer of crystals of zirconium/titanium, oxygen and lead which form a tiny transistor. FRAM is said to be 20,000 times faster than flash memory and costs 25% less than battery backed SRAM.
Frame relay. An ANSI and CCITT defined LAN/WAN networking standard for switching frames in a packet mode.
FSA. Financial Services Authority.
FTPMM (Flux Transitions Per Millimetre). A measure of the density of recording on a magnetic track, but not the same as bpmm (see two frequency recording).
G
GAUDI (Generalised Advanced Urban Debiting Innovations project). Sponsored by European Community, it involves smart card projects in five European cities.
Gateway. A device which interfaces two dissimilar computer networks to each other and performs internetwork protocol conversion.
Gigabyte. A billion bytes.
GND. The ISO standard designation for the ground circuit presented on contact C5 of an integrated circuit card (defined in ISO 7816).
GMPC/MyKad. Government Multipurpose Card, the multifunction ID card in Malaysia.
Gold card. A prestige issue of financial transaction cards with upmarket enhancement services. They are usually coloured gold and aimed at well-off cardholders. American Express introduced them first, but other card issuers have followed suit.
GPRS (General Packet Radio Services). A packet-based wireless communication service that promises data rates from 56 up to 114 Kbps and continuous connection to the internet for mobile phone and computer users. GPRS is based on GSM communication and will complement existing services such as circuit-switched cellular phone connections and SMS.
GPS (Global Positioning System). The satellite navigation system set up by the US government.
GSM (Global System for Mobile communications, originally Groupe Systeme Mobile). The worldwide digital mobile phone network with more capacity and better transmission quality than analogue networks.
Guard data. Check data included in integrated circuit cards as a countermeasure against loss of integrity due to electromagnetic interference.
GUI (Graphical User Interface). Reading the full capacity of a magnetic track.
H
Hacker. A person who attempts to gain unauthorised access to a computer system.
Hardwired. Electronic circuits that perform fixed logical operations, rather than a stored programme.
Hawala. Asian system of money transfer.
HCMOS. High power CMOS. Technology used in most smart card microcontrollers.
Hologram. A flat optical image which looks three-dimensional when viewed with the naked eye. To produce it you need sophisticated, expensive equipment which takes pictures using coherent light (see hologram card).
Hologram card. An identification card bearing a hologram as a security measure against counterfeiting.
Holographic foil. The foil used to carry embossed holographic images.
Honour-all-cards rule. A rule often imposed on a card acceptor that whenever he accepts one card of a card family (e.g. Visa/MasterCard) he must also accept all others.
Host. Central computer with which an on-line terminal communicates.
Host-to-host authorisation. A method of seeking authorisation using a merchant’s main computer via the BMS host computer.
Hot card. A card which is no longer valid but has not been returned to the card issuer and whose attempted use is likely to be fraudulent.
Hot-card file. A file listing hot cards which is distributed by a card issuer to other parties in a payment system (see cancellation notice).
Hot list. A compilation of lost, stolen, over limit, or counterfeit cards, which may be used to verify the legitimacy of the transaction during authorisation.
HPC (Health Professional Card). A card suitable for physicians which is capable of computing PKI.
HSDPA (High-Speed Downlink Packet Access). A cellular data technology promising speeds of between 1 Mbps and 2 Mbps that is scheduled to appear on the market in 2006.
HSM (Hardware Security Module). The system in a smart card’s infrastructure that securely manages the encryption and transmission of data.
HTML (Hypertext Markup Language). Page description language used by designers of web pages to create information content for the world wide web.
HTTP (http). Hypertext Transfer Protocol for transferring between web servers and subscribers.
Humidity. A measure of moisture in the air. ISO standard identification cards are supposed to stay useable in the humidity range 5% to 95% with a maximum wet bulb temperature of 25 degrees Celsius (defined in ISO 7810).
Hybrid card. Cards combining more than one technology e.g. a card containing both magnetic stripe and chip.
I
IBAN. International Bank Account Number.
ICA (Interbank Card Association number). A unique four-digit number assigned by the payment system to a financial institution, third-party processor, or other type of customer, allowing the payment system to identify that customer.
ICAC (Independent Commission Against Corruption). Based in Hong Kong.
ICC (Integrated Circuit Card or IC Card). An ID-1 format card into which one or more integrated circuits have been incorporated. Capable of performing processing and/or memory functions.
IC memory card. An integrated circuit card containing memory but no processing elements.
ICMA. International Card Manufacturers Association.
ICS. International Card Schemes.
ID card (Identification card). A card identifying its bearer and issuer. It may also carry other data to facilitate financial transactions, in which case it is also a financial transaction card.
ID-1. The most popular of identification card formats, in which the length and width are in the ratio 3:2 (hence the term 60:40 format). ISO 7810 prescribes the actual dimensions as 85.60mm by 53.98mm.
ID-2. An ISO standard identification card format having a length of 105mm and width 74mm (defined in ISO 7810).
ID-3. An ISO standard identification card format having the length of 125mm and width 88mm (defined in ISO 7810).
Identification number. On an identification card the number that identifies the cardholder.
Identrus. A global banking consortium established to "trust-enable" every stage of a transaction through to actual payment. Promotes the use of PKI systems within the financial industry.
IFD. Interface device into which an IC card is inserted.
IFMG. Infrared Financial Messaging Group, developing standards for use of infrared technology to make secure financial transactions.
IKE. Internet Key Exchange.
Image processing. See Electronic imaging.
i-mode. Proprietary application developed by Japan’s NTT, and used by its mobile phone division, NTT DoCoMo. Enables mobile phones to download internet sites without having to reformat HTML.
Imprinter. A device used to print embossed details from financial transaction cards on to sale vouchers.
IMSI (International Mobile Subscriber Identity). ID of a GSM subscriber.
Individual account identification. A personal or individual number assigned by a card issuer to identify an individual or account.
Inductive coupling. A technique that delivers power to contactless cards allowing communication with the outside world.
Infill printing. Filling otherwise blank areas of printed material with fine detail printing as a countermeasure against counterfeiting (see also fine line security pattern).
Initialisation. First stage of the card issuing process. The goal is to load all the data common to one application into the smart card’s EEPROM.
Instruction set. Set of commands for using the operating system available to the application.
Insult rate. Percentage of occasions a valid user is rejected for a service, as in the erroneous rejection of valid users by biometric methods. Also known as false rejection rate.
Intaglio printing. A printing process in which the ink-bearing areas of the printing surface are hollows below the surface.
Integrated circuit. An electronic circuit fabricated whole on a single piece of semi conducting material.
Integrity. Guarantee that a message has not been modified in transit. This is an essential role of cryptography systems.
Interactive message. In a payment system, a message sent and responded to while a transaction is taking place, especially messages to and from electronic payment terminals in online operation.
Interbank transfer. A transfer of funds between banks.
Inter-bank routing and switching. Term used in connection with the processing of card transactions. Using the information within a card account number, processing systems such as VisaNet will automatically send authorisation requests and clearing and settlement messages to the cardholder’s issuing bank.
Interchange fee. In a payment system, a fee charged by a party who receives transaction data and forwards it to a card issuer.
Interface device. A device providing an electrical interface to an integrated circuit card to enable its functions to be activated.
Intermediate network facility. The system of computing and telecommunications equipment which supports the transmission of transactions between the parties in a payment system.
Internet payment gateway. A centrally managed service that offers merchants the ability to process credit card transactions into the card networks.
Interoperability. The ability of a system to handle transactions on cards of a different type (e.g. VisaCash/Mondex/Proton).
IKP (Internet Keyed Payments). Part of the internet-based safe payment protocol which combines public and private key technologies. It implies the intervention of a bank or credit card company in order to complete the transaction.
IP. Internet Protocol. IP address. A unique number assigned by an internet authority that identifies a computer on the internet.
IrDA. Infrared Data Association.
IPO. Initial Public Offering.
ISDN. Integrated Services Digital Network. The immediate alternative to the public service telephone network. Enables high-speed transmission of digitised data.
ISO (International Standards Organisation). Central body, located in Switzerland, for the formation and dissemination of standards for all national standards bodies.
ISO 10536. Key standard for contactless smart cards.
ISO 1073. Alphabetic character sets for optical character recognition. The ISO standard defining the OCR-A and OCR-B character sets for embossing on plastic cards. OCR-A is defined in Part 1 of the standard, OCR-B in Part 2.
ISO 1831. Printing specifications for optical character recognition. The ISO standard specifying requirements for ink-printing on documents intended for OCR.
ISO 4909. Bank cards. Magnetic stripe data content for track 3. The ISO standard defining the content of track 3 on ISO standard financial transaction cards.
ISO 7810. Identification cards. Physical characteristics. The international standard defining formats and general physical characteristics for identification cards.
ISO 7811. Identification cards. Recording technique. Part 1: Embossing. Part 2: Magnetic stripe. Part 3: Location of embossed characters on ID-1 cards. Part 4: Location of read-only magnetic stripes, tracks 1 and 2. Part 5: Location of read-write magnetic track, track 3. The ISO standard defining how information is recorded on ISO standard identification cards.
ISO 7812. Identification cards’ numbering system and registration procedures for issuer identifiers. The ISO standard which lays down the international numbering scheme for ISO standard identification cards.
ISO 7813. Identification cards/financial transaction cards. The ISO standard which lays down specifications for identification cards which are also financial transaction cards. Specifications include structures for information recorded in track 1 and track 2.
ISO 7816. Identification cards. Integrated circuit cards with contacts. Part 1: Physical characteristics. Part 2: Dimensions and location of the contacts. Part 3: Electronic signals and transmission protocols. Part 4: Command set for microprocessor cards. Part 5: Numbering system and registration procedure for application identifiers. Part 6: Inter-industry data elements. Part 7: Inter-industry commands for Structured Card Query Language (SCQL). Part 8: Security related inter-industry commands. Part 9: Additional inter-industry commands and security attributes. Part 10: Electronic signals and answer to reset for synchronous cards. The ISO standard defining the characteristics of the most commonly used integrated circuit cards.
ISO 8583 (EMV Additional Fields). One of the most widely used host protocols to transmit transaction details from a POS terminal to a host authorisation system is ISO 8583. The EMV specifications do not include how to communicate across this critical link. ISO 8583 is a bit map protocol which includes various discretionary fields that can be used to carry additional data within a transaction message.
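Decoding the bit map that the entry above refers to, as an added example that is not part of the glossary: it assumes the common text encoding of ISO 8583 (a 4-digit message type indicator, then a 64-bit primary bitmap sent as 16 hexadecimal characters, with bit 1 announcing a secondary bitmap for fields 65 to 128), and the sample message is constructed.

```python
"""Decode the bitmap(s) at the head of an ISO 8583 message.

Added example, not from the glossary. Assumptions (standard ISO 8583 layout,
not spelled out on the page):
- a 4-digit message type indicator (MTI) comes first;
- a 64-bit primary bitmap follows, transmitted as 16 hexadecimal characters;
- bit 1 of the primary bitmap set means a second 64-bit bitmap follows and
  numbers fields 65-128;
- bit n set means data element n is present in the message body.
"""
from __future__ import annotations


def parse_bitmap(hex_bitmap: str, offset: int = 0) -> set[int]:
    """Return the field numbers flagged by one 16-hex-character bitmap.

    Bit 1 is the most significant bit of the first byte. `offset` shifts the
    numbering, so a secondary bitmap is parsed with offset=64.
    """
    if len(hex_bitmap) != 16:
        raise ValueError("bitmap must be 16 hex characters (64 bits)")
    bits = int(hex_bitmap, 16)  # raises ValueError on non-hex input
    return {offset + i for i in range(1, 65) if (bits >> (64 - i)) & 1}


def present_fields(message: str) -> tuple[str, set[int], int]:
    """Split the MTI and bitmap(s) off the front of an ISO 8583 message.

    Returns (mti, fields, header_len): header_len is how many characters
    were consumed, i.e. where the data elements themselves begin. A header
    that announces a secondary bitmap but does not carry one is rejected
    rather than parsed past the end of the buffer.
    """
    if len(message) < 20 or not message[:4].isdigit():
        raise ValueError("message too short or missing 4-digit MTI")
    mti = message[:4]
    fields = parse_bitmap(message[4:20])
    consumed = 20
    if 1 in fields:  # bit 1 is a flag for the secondary bitmap, not data
        if len(message) < 36:
            raise ValueError("secondary bitmap flagged but not present")
        fields |= parse_bitmap(message[20:36], offset=64)
        consumed = 36
        fields.discard(1)
    return mti, fields, consumed


def unexpected_fields(fields: set[int], allowed: set[int]) -> set[int]:
    """Fields present in the message that the caller's spec does not allow.

    `allowed` is whatever set the receiving host documents for this MTI;
    anything outside it (e.g. an unexpected discretionary field) is worth
    logging before the body is parsed further.
    """
    return fields - allowed


if __name__ == "__main__":
    # Constructed sample: MTI 0100, primary bitmap flagging fields
    # 2, 3, 4, 11, 41 and 42, then an arbitrary body.
    sample = "0100" + "7020000000C00000" + "16..body.."
    mti, fields, start = present_fields(sample)
    print(mti, sorted(fields), "body starts at", start)
```
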
ISP. Internet Service Provider.
Issuer. A member of a card payment system which issues cards. Also known as the issuing bank.
Issuers’ clearing house service (ICS). A system developed by MasterCard and Visa designed to alert issuers to possible fraudulent and high-risk card applications.
Issuer identification number. A number identifying the major industry and identity of a card issuer and which forms the first part of the identification number.
Issuer identifier. A number identifying a card issuer within his industry.
ITSEC (Information Technology Security Evaluation Criteria). A set of criteria for evaluating computer security, which was originally published in 1990. It represents a single uniform standard adopted across Europe and Australia.
ITSO (Integrated Transit Smart Organisation). Responsible for developing interoperable standards for smart card based mass transit schemes.
IVR. Interactive Voice Response.
IVU (In Vehicle Unit). Used in road tolling for the electronic car-based unit that communicates with roadside beacons or gantries.
J
Java. A programming language developed by Sun Microsystems and based on C++; on smart cards it provides a standard platform for running software programmes. Java is widely deployed on the internet.
JCB (Japan Credit Bureau). Japan’s domestic credit card company established in 1961 by Sanwa Bank.
JCRE (Java Card Runtime Environment). The runtime environment under which a Java Card executes. It is in charge of all the management operations, such as loading and initialising the applications. It also monitors the current state of the card.
Jini. A consumer computing product that enables devices using Java to communicate and work with each other.
J2ME. A version of Java designed for smart cards.
JMSG. Joint Moneylaundering Steering Group.
JVM (Java Virtual Machine). An area (or dedicated hardware) on a remote computing device on which Java applets can run. Most major internet browsers have a JVM.
K
KBS. Knowledge-Based System.
Key. A value used as part of a process of encryption or decryption to transform confidential information. Decryption is easy if you have the key, otherwise it is very difficult. Security depends on keeping the key secret.
Key escrow. Storage of a private key by a neutral third party.
Key length. The number of bits comprising a key.
Key management. The secure generation, allocation, distribution and replacement of keys for a cryptosystem.
L
Lamination. A clear plastic is placed on the top and bottom of a card and fused to the printed core with heat and pressure.
LAN (Local Area Network). A distributed data processing network serving a single site or group of co-located users and not using public telecommunications networks.
Language. System of symbols and rules for combining them into understandable forms, e.g. Basic, Fortran.
LaserCard. See optical memory card.
LCD. Liquid Crystal Display.
LCR. Least Cost Routing. Technology which searches for the cheapest carrier for a call.
Lenticular pattern. A visual pattern resembling fish scales created by the intersection of fine line security patterns.
Lifecycle management. The updating and tracking of multi-application dynamic smart cards from issuance to the end of their service life.
Light-sensitivity. ISO standard identification cards are supposed to resist deterioration from exposure to light during normal use (criteria defined in ISO 7810).
Limited purpose prepaid card. A prepaid card which can be used for a limited number of well-identified purposes.
Lithography or offset printing. The most common plastic card printing process, based on the concept that oil and water are not compatible.
Load. Process of securely loading an IEP with value.
Load log. Transaction data held in an electronic purse recording the latest load details.
Local transaction date. The time of day at which a transaction takes place between a cardholder and a card acceptor.
Locking. A system for securing a smart card so that unauthorised users cannot gain access. Also known as card blocking.
Loop. Typically used to refer to the hardware interface and communications protocol utilised to interconnect controllers.
Lost card replacement. An enhancement service to cardholders of financial transaction cards under which they can quickly obtain a replacement for a lost card by applying to a local agent of the card issuer.
Lost transactions. Transactions that would historically have occurred during a period of system downtime.
Loyalty card/loyalty programme. A magnetic stripe or chip card-based programme, which collects data on customer shopping habits in exchange for discounts or other benefits in order to better target the customer offer.
Low-co. Colloquial term for magnetic recording material of low coercivity.
M
MAC (Medium Access Control). Media-specific control protocol defined by IEEE 802.11.
Maestro. Global brand of electronic debit card owned by MasterCard.
Magnetic shielding. Enclosure of electronic components to prevent electromagnetic interference or emanation.
Magnetic stripe. The strip of magnetic recording material on which the magnetic tracks of an identification card are recorded.
Magnetic stripe reader. A device which reads information recorded on the magnetic tracks of an identification card.
Magnetic stripe writer. A device which writes information to magnetic tracks on an identification card. Note that track 1 and track 2 are read-only on ISO standard cards.
Magnetic track. A linear path on a magnetic stripe along which data is recorded. Positions of magnetic tracks are defined in ISO 7811.
Major industry identifier. A number identifying the major industry of a card issuer.
MAN. Metropolitan Area Network.
Manual reversal. Reversal of a transaction effected by manual entry of data and often offline processing.
MAOSCO. Multi-Application Operating System Consortium, which developed the Multos operating system.
Marks panel. A high security print area used in card design.
Mask. The specification which defines the physical and functional properties of the IC chip, effective during manufacture.
Masked ROM. ROM in which data is installed at the time of manufacture and which cannot subsequently be erased and reprogrammed (compare PROM, EPROM, EEPROM).
MasterCard. An international payment scheme, formerly owned by the world’s banks, now a public company.
MEL (Multos Executable Language). The intermediate code form by which MULTOS programmes are loaded and executed.
MEPS. Malaysian Electronic Payment System, a joint venture established by Malaysian banks. Operator of the country's only payment gateway, which does not itself secure online transactions, so the consortium is promoting the SET protocol.
Merchant accounting. Accounting for funds owing between a card acceptor and an acquirer.
Merchant acquirer. See Acquirer.
Merchant agreement. Written agreement between merchant and acquirer outlining rights, duties and warranties.
Merchant authorisation. Means of receiving sales validation to guarantee payment to the merchant.
Merchant fraud. Fraud perpetrated against other parties in a payment system by a card acceptor.
Message authentication code. In a payment system, a code used to validate the source and integrity of the message.
MF (Master File). Used to define the root directory within a smart card filing system.
Micropayments. Electronic payment values, for example between UK50p and UK£5.
Microprocessor. A chip that serves as the central processing unit controlling a computer. A microprocessor is the result of an electronics miniaturisation technique and computer technology which provides programmable intelligence in a small package at relatively low cost.
Microprocessor card. See Smart card.
Middleware. Software that interprets requests between a PC or workstation application and a legacy database running on a mainframe. Also used to describe software that helps an application communicate with an underlying operating system.
MIFARE. A technology developed for contactless communication between cards and readers.
MIME (Multipurpose Internet Multimedia Extension). An internet protocol for sending e-mail and attachments.
MIS (Management Information System). Database developed by APACS to record and analyse data from the UK payments industry.
MMS. Multimedia Messaging Service.
Modem. Acronym for modulator/demodulator, a device which converts digital information from a computer into analogue signals for transmission over a telephone line and then converts it back into digital information on receipt.
Module. Packaging for easy embedding of ICs into cards.
Money laundering. The wilful concealment of the existence, illegal source, or illegal use of proceeds, and the disguise of them as legitimate.
Mosaic. A GUI (Graphical User Interface) for accessing the world wide web on the internet.
MOTO (Mail Order Telephone Order). Merchants taking an order and card details over the phone or by post.
MSC (Merchant Service Charge). Charge made to a card acceptor by an acquirer for processing transactions originated by the card acceptor.
MTP (Micropayment Transfer Protocol). A W3-defined software system for micropayments optimised for use in low-value transfers between parties who have a relationship over a period of time.
MTU. Mobile Top-Up.
Multi-application card. A smart card capable of handling a number of different sorts of application, such as electronic purse, ID and health records. The applications may be provided by different parties or be controlled by a single scheme developer.
Multi-currency dealing. Processing of transactions denominated in different currencies within a single payment system.
Multihost-based auditing. Audit data from multiple hosts can be used to detect intrusions.
Multos. A smart card operating system aimed at operating multiple applications off a single chip card, launched by MAOSCO.
Multimedia. Technology that combines sound, graphics, image and text, e.g. CD-ROM.
N
NBS (National Bureau of Standards). The predecessor body to the US National Institute of Standards and Technology.
NIST (National Institute of Standards and Technology). The US government body concerned, among other things, with the development of standards for use by the US federal government.
NBAs. National Banking Associations.
NCB. National Central Bank.
NCIS. National Criminal Intelligence Service in the UK.
NCP (Network Control Programme). A programme which controls data transfer in a computer network.
Nectar. Multipartner loyalty card scheme in the UK.
Negative file. A record containing all accounts on which all charge privileges have been revoked.
Network. A set of entities connected by links. In computers, a set of computing systems connected by data communication links via which they communicate and cooperate.
Network architecture. The organisation of computer and communications systems which supports communication and co-operation between them.
Network management message. In a payment system, any message used to monitor or control the operation of an intermediate network facility.
Network protocol. In an intermediate network facility, a set of rules and procedures governing communication between entities connected by the network.
Neural network. Intelligent fraud prevention system where the software “learns” and amends patterns of behaviour.
NFC (Near Field Communication). A radio-frequency communication technology developed by Philips Electronics and Sony. It enables short-range communication networks between consumer devices incorporating an NFC interface. It will compete in some ways with Bluetooth. NFC will operate on 13.56 MHz and allow for the transfer of any kind of data between mobile devices across a distance of up to 20 cm at speeds fast enough to transfer high quality images.
Niche membership. See Affinity card.
NLF. New legal framework for payments being developed by the European Commission to provide a common legal basis for all payments.
Node. An entity connected to others by one or more links in a network.
Non-bank. In a payment system, a financial institution not offering retail banking services (such as MBMA).
Non-discrimination. A principle under which a card acceptor agrees to charge the same price to a customer regardless of the payment instrument the customer offers.
Non-repudiation. Technique which confirms to a data sender that the data has been delivered and that confirms the sender’s identity to the recipient, so that neither can later deny having processed the data. Used in cryptography systems.
Non-toxicity. ISO standard identification cards are supposed not to present any toxic hazards in normal use (defined in ISO 7810).
Non-volatile memory. A computer memory which does not lose its contents when external power is removed.
NPV. Net Present Value.
O
OCF (Open Card Framework). Framework that provides programmers with an interface for developing Java smart card applications.
OCR-A. A character set for optical character recognition defined in ISO 1073 Part 1.
OCR-B. A character set for optical character recognition defined in ISO 1073 Part 2.
OEM. Original Equipment Manufacturer.
Oersted. The unit of magnetic coercive force in the centimetre-gram-second system of units. Also used to define the relative difficulty of erasing magnetic material.
Offline. Taking a transaction either on paper or on an electronic terminal without connecting to a central acquiring system.
OFX (Open Financial Exchange). Standard used in retail banking for transmitting bill information as well as exchanging transaction information between a bank and a desktop financial package.
OITS SG. Operations Infrastructure Technology & Standards Support Group.
OMR (Optical Memory Reader). A device which reads information stored using optical recording techniques.
One-time PROM. PROM which, once loaded with data, cannot be erased and rewritten (compare EPROM, EEPROM).
Online. Taking a transaction on a terminal permanently connected to a network that is online to the card account.
Online authorisation. Connecting to an authorisation centre to check the status of a card.
On-Us transaction. A transaction where the issuer and the acquirer are the same.
Open network. A telecoms network to which access is not restricted.
Open platform. Provides specific security features to enable financial institutions to ascertain application and data integrity on their cards before and after they are issued.
Open to buy. The difference between the credit limit assigned to a cardholder account and the present balance (including authorisation outstanding) on that account. Synonymous with available credit.
Open operating system. Operating system not owned by a single card maker, e.g. Java Card or Windows Platform for Smart Cards.
Open system. A card system that involves multiple issuers of cards that can be used to access services or purchase products at multiple service providers. It requires the processing of interchange transactions, usually by an independent “system operator”.
Optical card. See Optical memory card.
Optical card reader. A device which reads optical memory cards.
Optical fibre. See Fibre optic cables.
Optical image retrieval. Retrieval of digitised images.
Optical image storage. Electronic storage of digitised images.
Optical memory card. An identification card on which information is recorded using optical recording techniques (similar to those used for compact discs for domestic audio).
OS (Operating System). Software linked to all PCs that allows hardware to talk to the software. Also implemented on smart cards to allow applications to be loaded and operated.
OSI. Open Systems Interconnection.
OTPROM. One Time Programmable Read Only Memory.
P
P2P. Person to Person payment.
Packet. A block of data sent over the network containing the identities of the sending and receiving stations, plus error-control information and the message.
P3 (Personalisation Preparation Process). Software system enabling secure key management and data generation when issuing smart cards.
Packet-switching network. A data communication system in which data is conveyed in discrete units called packets.
Padding. Additional bits that are attached to a message so that it contains the required number of bits or bytes.
PAN (Primary Account Number). Earlier designation for identification number.
Parity bit. A bit appended to the bit pattern for a character so that the number of bits in the pattern and parity bit combined is either even or odd (even or odd parity respectively). ISO standard identification cards use odd parity on their magnetic tracks (defined in ISO 7811).
Passive chip card. An integrated circuit card containing no programmed processing elements.
Payment instrument. Any means of rendering value from one party to another.
Payment system. Generally any system for processing payment instruments and settling consequential debts among parties to the system. Examples are MasterCard International and Visa International. The term is now often used specifically to refer to the computer networks and software systems used by the financial institutions involved.
PCB (Printed Circuit Board). A laminated board, often of epoxy resin, on which conducting tracks are etched and electronic components mounted to fabricate an electronic circuit.
PCE. Personal Consumption/Consumer Expenditure.
PCMCIA (Personal Computer Memory Card International Association). A US based association with members drawn from leading hardware and software companies worldwide working to develop international standards for storage and computer application memory cards.
PDA (Personal Digital Assistant). Typically offer calendar, contacts, text and numerical data processing.
PDC (Personal Digital Cellular). One of the world’s three main digital wireless standards, ranking alongside GSM and TDMA. Users are currently in Japan.
PE-ACH. Pan-European Automated Clearing House.
Personal identification number. See PIN.
Personal positive identification. See Biometric authentication.
Personalisation. Process whereby a smart card is modified to contain the user’s details.
PET card. A plastic card with the same width and length as a credit card but thinner and made out of polyethylene terephthalate.
PGA. Programmable Gate Array.
Phishing. Internet scam involving sending emails to lure people onto bogus websites set up to look like legitimate e-commerce sites. People are then asked to enter personal information including credit card and social security numbers.
Photo ID card. An identification card bearing a photographic image of the cardholder. The image can be an actual photograph or one captured wholly electronically. See electronic imaging.
Phreaker. A person who spends a lot of time trying to find out as much as possible about the telephone company and how it works. They often try to find ways to make long distance calls for free.
Phreaking. Method of computer deception by electronically manipulating telephone signals to avoid payment of bills.
Piggybacking (Tailgating). A method of gaining unauthorised access to computer facilities by following an authorised employee through a controlled door.
PIC (Personal Identification Code). A four- or six-digit assigned code which provides access to an electronic device in conjunction with the debit/credit card and also provides security in the event of card loss. See PIN.
PIN (Personal Identification Number). A number allocated to a cardholder to identify him unambiguously at point of sale. Such numbers need to be remembered by the cardholder and are usually short (four digits is common). A number this short cannot identify a cardholder uniquely within a cardbase, but it is usually enough to distinguish him from other cardholders at the point of use of his card.
PIN generation. The generation of PINs for allocation to cardholders.
PIN pad. A small keyboard device attached to an electronic payment terminal on which a cardholder enters his PIN to authenticate his identity.
PIWG. Payment Instrument Working Group.
Pixel. A small element of tone or light constituting an indivisible element of a graphic image.
PKCS. Public Key Cryptography Standard.
PKI (Public Key Infrastructure). A system that uses two different keys (public and private) for encrypting and signing data (securing mobile transactions etc).
PLA (Poly Lactic Acid). A biodegradable and eco-friendly material for cards made from lactic acid, which is made from fermentable sugar, made from starch such as corn.
Plaintext. The original, non-encrypted data. See also encryption.
Plastic card. Generic description of all payment cards including credit, debit and cheque guarantee.
Plastic counterfeiting. Altering and re-embossing genuine charge, credit or debit cards; or re-encoding details of a genuine account number on to the magnetic stripe of another genuine charge, credit or debit card; or producing white plastic; or producing completely counterfeit charge, credit or debit cards.
Plastic key. A token in the form of an identification card.
Point of authorisation. Within a payment system, the point at which a card issuer or his agent approves a transaction to proceed.
Point of compromise. A location where details of genuine charge, credit or debit cards are compromised. Embossed features and/or the encoded information on the magnetic stripe are captured for fraudulent use by criminals.
Point of sale terminal. A device placed in a merchant location which is connected to the bank’s system, via telephone lines, designed to authorise, record and forward data by electronic means for each sale.
Polling. The process of collecting batches of transactions from an offline EFTPOS terminal.
Polyester laminate. Raw plastic sheet material from which identification cards are made.
Port. Connection between a computer and another device through which data passes back and forth.
Portability. The ability of one technology to work with another.
Portal. Website or cluster of websites which act as a starting point to continue browsing the internet. Used by ISPs to launch their internet services: news, chat, etc.
PoS (Point of Sale). The location at which a transaction takes place.
Post-issuance management. Adding or deleting different applications on a smart card after issuance and replacing lost or stolen cards.
Post-status fraud. Fraud which takes place after a payment card has been reported lost, stolen or compromised.
PP (Protection Profile). Model used by the Common Criteria to determine a category of products, equipment or given systems (a payment smart card, a microcircuit, an operating system, etc.), objectives and requirements in the area of security, without any reference to specific implementation.
Pre-authorisation. Granting approval for a transaction in advance of it being contracted.
Predominantly Offline Terminal (POT). A merchant terminal on which above floor limit, and certain below floor limit, transactions normally result in electronic authorisation requests being sent to the outlet's acquirer.
Pre-paid card. A card paid for at point of sale, and permitting the bearer to buy goods or services, usually of a particular type, up to the prepaid value. Not all such cards are ISO standard identification cards, because some do not show the identity of the bearer. See telephone card.
Pre-paid smart card. A pre-paid integrated circuit card.
Pre-status fraud. Fraud which takes place before a payment card has been reported lost, stolen or compromised.
Prior authorisation. Acceptance by the payer of financial liability for services to be rendered by a provider to an individual. This does not automatically ensure payment.
Private key. In asymmetric cryptography, the key kept secret by its owner (the designated recipient) and used to decode messages that others have encrypted with the matching published (public) key. See Published key.
Private label/proprietary card. A card that is a member of a scheme that is not one of the major bank issued schemes. Most usually a scheme run by or for a retailer.
Processing fee. A fee charged by a party in a payment system for processing transactions or settlements.
Processor. Organisation which provides card transaction processing services to banks, such as transaction routing services, authorisation management services and clearing and settlement services.
Programmable read-only memory. Read-only memory whose contents can be loaded by the user after manufacture (compare masked ROM). Some forms permit the user to erase the contents and reload new data, e.g. EPROM (= erasable PROM) and EEPROM (= electronically erasable PROM).
Protocol. Set of rules and procedures governing interchange of information between communicating entities (see network protocol).
Proximity card. A non-contact card whose presence and contained data can be sensed by an interface device not in physical contact with the card. Such cards are often used in access control systems.
PC/SC. Microsoft-initiated project to standardise the interfaces between PCs and smart card readers, which has attracted many smart card companies.
Public-key cryptosystem. A cryptosystem in which keys have public and secret parts. Public keys are known to all users. Secret keys are known only to their owners. To send a message a user encrypts it using his own secret key and the public key of the recipient. See Rivest-Shamir-Adleman cryptosystem.
Published key. In asymmetric cryptography, the key which is published by the user to others for their use in verifying signatures and encrypting messages.
PUK (Personal Unblocking Key). The verification of this personal key serves as a system to unblock a SIM card.
Purse card. See Electronic purse.
Purse provider. An organisation responsible for the overall functionality and security of an IEP system.
PVC (Polyvinyl Chloride). One of the plastics (another is polyvinyl chloride acetate) specified by ISO 7810 as a suitable material for ID cards.
R
Rainbow printing. Infill printing using graded areas of colour which merge into one another.
RAM (Random Access Memory). A volatile memory used in integrated circuit cards that requires power to maintain data.
RBT (Remote Batch Terminal). A terminal, remote from the computer to which it is connected, which collects data for and returns data from batch processing.
Reader-writer. A device which can both read from and write to a recording medium.
Read-on-insertion. Reading information from a magnetic stripe while the card is being inserted into the reader device.
Read-only magnetic tracks. Track 1 and track 2 on an ISO standard identification card. Only track 3 is a read-write track.
Read-on withdrawal. Reading information from a magnetic stripe while the card is being removed from the reader device.
Read-write track. Track 3 on an ISO standard identification card.
Real time. Information processing carried out promptly, on demand.
Reciprocity. In card payment systems, agreement between parties that they will provide to each other corresponding services in respect of each other’s card bases.
Reconciliation. The process of checking that one or more transactions have been completely and correctly recorded between two parties in a payment system.
Reconciliation control message. In a payment system, a message used to exchange information for the purpose of reconciliation.
Reflex hologram. A hologram produced in film form, similar to a photo negative, which gives full 3-D imagery.
Registration authority. Organisation at which individual users verify their credentials prior to sending a certificate.
Reliability. A measure of efficiency, measured in up time or as the average number of transactions which can be completed before a failure occurs.
Relief height. The height above the surface of the card of characters formed on it by embossing. For ISO standard identification cards this height should not exceed 0.48mm (defined in ISO 7811).
Remote payment. A payment carried out through the sending of payment orders or payment instruments from a remote location.
Repudiation. The denial by one of the parties to a transaction of participation in all or part of the transaction, or of the content of a communication.
Reset signal. An electronic signal applied at contact C2 of an integrated circuit card to reset it for use.
Response time. The time taken for a terminal to obtain a reply from the remote controlling computer system.
Retail banking. The part of a bank’s operations providing services at its branches for small (in bank terms) account holders.
Retail funds transfer system. A system which handles a large volume of payments of low value in forms such as cheques, credit transfers, direct debits and withdrawals at ATMs and EFTPOS.
Retinal-scanning. A device used to recognise patterns in the human retina. The device makes a digitised image of a strip of retina. This image can then be compared with a pre-stored one. Retinal patterns are almost unique to individuals and retinal scanning is currently one of the most powerful methods of biometric authentication.
Reversal debit. A debit arising from reversal of a previous credit.
Reversal message. In a payment system, a message relating to a reversal.
Reversal transfer. A transfer of funds arising from reversal of a previous transfer.
Revolving credit. An account on which payment is any amount less than the total balance and the remaining balance carried forward is subject to applicable finance charges.
RF card (Radio Frequency card). A proximity card in which the coupling between the card and its interface device is by radio.
RFID (Radio Frequency Identification). Automatic identification and data capture system using readers and tags. Data is transferred by using modulative, inductive or radiating electromagnetic carriers.
RISC (Reduced Instruction Set Computer). Computer or microprocessor which operates on a smaller range of instructions, therefore achieving higher instruction speeds than a conventional processor.
Risk analysis. Ranking physical risks using a mathematical formula.
Risk explorer. Detection system that gives a risk score for cleared international transactions.
Risk management. Part of a bank, or individuals, with responsibility for managing risk and for measures designed to reduce the risk of credit and fraud losses.
RMS. Resource Management System.
RNG. Random Number Generator.
ROI. Return On Investment.
ROM (Read-Only Memory). Non-volatile memory that is written once, usually during card production. It is used to store the operating system and algorithms employed by the microprocessor in an integrated circuit card during transactions.
Routing. The chain of transmissions by which a transaction passes from an acquirer to a card issuer in a payment system.
RSA (Rivest-Shamir-Adleman cryptosystem). A public-key cryptosystem in which the public and secret keys are derived from the factors of very large numbers. It is an asymmetric form of encryption using a private key to lock the data and a public key to unlock it.
RST. The designation given in ISO 7816 to the reset signal.
Runaway card. A lost or stolen card that is being misused frequently and fast.
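As an added illustration of the Public-key cryptosystem and RSA entries (this is example code written for this glossary, not from the glossary or any vendor): textbook RSA on toy-sized primes in Python. It shows that both keys are derived from the factors of n, that encryption uses the recipient's public key and decryption the private key, that a signature is made with the signer's private key and checked by anyone with the public key, and that whoever can factor n can recompute the private key, which is why real moduli are very large. The primes 61 and 53, the exponent 17 and the messages are constructed values; real deployments also use padding schemes, which are omitted here.

```python
"""Textbook RSA on toy numbers (added example; constructed values, not from the glossary).

Real deployments use n of 2048 bits or more plus padding (OAEP for encryption,
PSS for signatures); this only shows which key does which job.
"""
from math import gcd, isqrt


def _modinv(a: int, m: int) -> int:
    """Modular inverse of a modulo m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def keygen(p: int, q: int, e: int = 17):
    """Derive the key pair from the prime factors p and q.

    Returns ((n, e), (n, d)): the public key and the private key.
    """
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n; computable only from the factors
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = _modinv(e, phi)              # the secret exponent
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt to its owner."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the private exponent d can decrypt."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    """Signing uses the private key; in practice m would be a hash of the message."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m: int, signature: int) -> bool:
    """Anyone holding the public key can check a signature."""
    n, e = public_key
    return pow(signature, e, n) == m


def recover_private_key(public_key):
    """Factor n by trial division and recompute d from the factors.

    Instant on toy numbers, infeasible for the very large n used in practice:
    that gap is the entire basis of RSA's security.
    """
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, _modinv(e, (p - 1) * (q - 1)))
    raise ValueError("n has no non-trivial factor; not a valid RSA modulus")


if __name__ == "__main__":
    public, private = keygen(61, 53)          # constructed toy primes
    c = encrypt(public, 65)
    print("ciphertext:", c, "decrypts to", decrypt(private, c))
    s = sign(private, 42)
    print("signature valid:", verify(public, 42, s), "forged:", verify(public, 43, s))
    print("private key recovered by factoring n:", recover_private_key(public) == private)
```

Run it as a script and it prints the round trip; the last line demonstrates why the "very large numbers" in the RSA entry matter: with a 4-digit modulus the private key is recovered immediately from the public key alone.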
S
SAM. A logical device used to provide security for insecure environments. Protected against tampering and a store for secret or critical information.
Screen printing. Card printing technique where ink is forced through a design-bearing screen made of silk or other material onto the substrate being printed.
SCF. SEPA Cards Framework.
SCSUG (Smart Card Security Users Group). Established by the major card organisations to produce recommendations for chips and smart card operating systems.
SCT. SEPA Credit Transfer.
SDA (Static Data Authentication). Card authentication using a digitally signed copy of selected card data.
SDD. SEPA Direct Debit.
SDK (Software Development Kit). A set of development utilities used to write software applications.
SDN (Synchronous Data Network). A data communications network in which data is transmitted synchronously on the links of the network.
SEC. Securities and Exchange Commission.
Secret key. The key used in a symmetric cryptographic algorithm, where the same key is used for encryption and decryption.
Securecode. MasterCard e-payment security programme. See UCAF.
Security module. A smart card or other protected hardware device in which secret keys are stored, resident in a reader/writer terminal.
Security printing. Printing which incorporates anti-counterfeiting measures such as fine-line security patterns, infill printing, lenticular patterns, rainbow printing, serial numbering, etc., and which is carried out under tightly controlled conditions to prevent fraud.
SEPA (Single Euro Payments Area). Term used by the European Central Bank to refer to its goal of establishing a pan-European payments infrastructure by 2010.
SEPP. Secure Electronic Payment Protocol.
Server. A computer that serves other computers connected to it by LANs or wide area networks.
Service code. A code recorded on track 1 of a financial transaction card indicating what kinds of facilities the cardholder may access with the card.
Session. Period of time between two card resets, or between a power up and a power down.
Session key. A cryptographic key which is used for a limited time, e.g. a single communication session or transaction and then discarded.
SET (Secure Electronic Transactions). Developed by Visa, Microsoft and MasterCard, to provide security via encryption to all parties involved in transactions over open networks such as the internet. Now updated to Three Domain SET.
Settlement conversion rate. The rate applied to convert a transaction value from the currency of denomination into the relevant settlement currency.
Settlement currency. The currency in which settlement of debts between two parties in a payment system takes place.
Settlement date. Within a payment system, the date of settlement between an acquirer and a card issuer; for a cardholder, the date when he must settle his account with the card issuer.
Settlement fee. A fee charged by a party in the payment system for handling or processing settlements.
Settlement system. That part of a payment system which processes and effects settlements.
SFA. Sales-Force Automation.
SFO. UK Serious Fraud Office.
Signature pad. An electronic device which captures a digitised image of a person’s signature to facilitate electronic signature verification.
Signature panel. The area of an identification card in which the bearer enters his signature (defined in ISO 7810).
Signature verification. Checking a person’s identity by comparing the signature with a previously supplied specimen. To date this has been done almost entirely manually, but electronic signature verification systems are beginning to appear.
Signed applet. An applet carrying a digital signature to prove that it came from a particular trusted author.
SIM (Subscriber Identification Module). The chip card necessary for the operation of GSM phones. It provides the subscriber’s identity to the network operator for billing purposes.
SIM Toolkit. The SIM Application Toolkit provides mechanisms which allow applications to interact and operate with the mobile phone handset.
Skimming. Copying the magnetic stripe encoding from one card to the stripe on another card; also called bit-copying. A common type of counterfeit fraud.
SLA. Service Level Agreement.
Slip printer. A machine in an EPOS or EFTPOS installation which prints out sales vouchers.
Smart card. A card conforming to ISO 7816 dimensions and capable of processing and storing information; an integrated circuit card with microprocessor and memory. See chip card.
Smart Card Club. A professional association of member companies forming the UK’s premier forum for education and networking in the smart card community.
Smart label. A low-cost version of an RFID tag.
Smartphones. Phones incorporating data capabilities such as MS Outlook, HTML and a WAP browser.
SME. Small and Medium-sized Enterprises.
SMS. Short Message Service.
SNA (System Network Architecture). A proprietary network architecture for IBM computers.
Source authentication. Proof of the point of origin or the identity of the originator of a message or transaction in a payment system.
SPA (Secure Payment Application). A MasterCard system for securing electronic payments. See UCAF.
Spectrum. Airwave frequencies. Carriers want as much spectrum as possible, as it is a limited and highly regulated resource.
SPOM (Self-Programmable One-chip Microcomputer). An electronic component comprising one central unit, one unit of RAM and one of EEPROM. Access depends on the operating system present in the ROM.
SRAM (Static Random Access Memory). Random access memory which does not need to be refreshed on each memory cycle.
SSL (Secure Sockets Layer). Protocol enabling encrypted, authenticated web communication.
Stakeholders. Those with an interest: e.g. banks (and their associations and infrastructures), their customers (and their associations), and regulators.
Stand-alone terminal. An electronic payment terminal not connected online to a computer-based payment system.
STEP2. Europe’s first pan-European ACH, managed by EBA Clearing.
Store-and-forward. A mode of message handling in which online and offline operation are mixed. Store-and-forward operation occurs when a message cannot be transmitted online immediately to its destination but is retained for transmission when the destination system comes online again.
Store card. A financial transaction card associated with a retailer or group of retail stores which can be used only for purchases from the retailers concerned.
Stored value card. Also known as a cash card, electronic purse, or prepaid card. A financial card used to purchase goods and services, usually of low cost, that is loaded beforehand with a certain amount of money. With each purchase, the amount is then deducted from the total on the card.
STP (Straight Through Processing). A system for processing transactions from the front office to the back office in the shortest possible time. The aim is to reduce the time from 3 days (trade day plus 3, or T+3) to one day (trade day plus 1, or T+1).
Surcharge. Additional fee charged on a card transaction by the acceptor to cover the additional cost of taking a card rather than cash or cheque.
SWIFT (Society for Worldwide Interbank Financial Telecommunication). Communication mechanism owned by over 1,000 banks worldwide and used to transmit funds, transfer instructions and administrative messages.
Swipe reader. A magnetic stripe reader in which the stripe is read by passing the card manually through the reader past the magnetic heads.
Switch. A UK domestic debit card run by a consortium of UK banks.
Switching. Establishment and disestablishment of connections in a communications network.
Synchronous. Of data transmission: encoded with digital pulses indicating the boundaries between successive individual bits.
System-on-a-chip. The integration of multiple functions on a single computer chip. In addition to the incorporation of functions, such as a floating-point unit, a system on a chip might also include display, communications and other components that contribute to a functional system.
Systems trace audit number. Number identifying a transaction uniquely within a payment system.
T
T&E card (Travel and Entertainment card). General term for financial transaction cards, usually charge cards, used mainly by business executives. American Express and Diners Club cards are often referred to as T&E cards, as their original growth was mostly in this market.
Tag. Read-only or read-write electronic device carried inside a vehicle for toll payment. An ID number on the tag can be read remotely.
Tamper-proof. Made resistant to interference. Most electronic payment terminals are tamper-proof to some extent. Common tamper-proofing measures include automatic erasure of sensitive information, automatic shutdown and automatic physical locking.
Tanatos. See Bugbear.
TARGET2. The Eurosystem’s planned replacement for TARGET (Trans-European Automated Real-time Gross settlement Express Transfer system).
TASI (Terminal Application Services Interface). Used in testing an application or service, it describes the way that an application interfaces with the outside world.
TBACS (Token-Based Access Control System). A means of network control whereby a terminal can transmit only when it has received an electronic token from the network.
TC (Transaction Certificate). Value derived from transaction parameters enabling the integrity and source of the transaction to be verified at a later date.
TCP/IP (Transmission Control Protocol/Internet Protocol). Used on the internet to transfer packets. Can also be used on a LAN.
TCSEC (Trusted Computer System Evaluation Criteria). US requirements for evaluating computer system security.
TDMA (Time Division Multiple Access). A technology used in digital cellular communication that divides each cellular channel into three time slots in order to increase the amount of data that can be carried. TDMA is used by Digital American Mobile Phone Service (DAMPS), GSM, and Personal Digital Cellular (PDC). However, each of these systems implements TDMA in a somewhat different and incompatible way.
TE9. An operating system standard adopted by IBM in its Multi Function Card.
Telephone card/credit card. A card enabling the cardholder to pay for telephone calls only.
Temperature range. ISO standard identification cards are supposed to remain structurally reliable and useable at ambient temperatures up to 35 degrees Celsius (defined in ISO 7810).
Terminal emulation. Making a microcomputer mimic a terminal wired directly to a mainframe, by use of a communications programme.
Terminal-resident. Of a function in a terminal: carried out entirely by processing elements within the terminal itself.
Thickness. The thickness of an ISO standard financial transaction card should be 0.76mm +/- 0.08mm (defined in ISO 7813).
Thin card. Low-cost thin-section polyester laminate used to fabricate identification cards which are not required to comply with the thickness requirements of ISO 7813.
Third-party processing. Processing of transactions by a party acting under contract to card issuers or acquirers.
Tipping. Coating the raised area of an embossed image with ink to make it more easily readable.
Touch screen. An interactive visual display device with which the user interacts by touching the screen to select options from a displayed menu.
Town card. Multi-application card system run by specific urban or local authorities.
Traceability. The degree to which value-transfer transactions can be traced to the originator(s) or the recipient(s) of the transfer.
Track 1. The first magnetic track on a financial transaction card. It is read-only and recorded at 8.3 bpmm (contents are defined in ISO 7813).
Track 2. The second magnetic track on a financial transaction card. It is read-only and recorded at 3 bpmm (contents are defined in ISO 7813).
Track 3. The third magnetic track on a financial transaction card. If present it is read-write and is recorded at 8.3 bpmm (contents are defined in ISO 4909).
Transaction. An exchange of money for goods or services; within a payment system the totality of data relating to such an exchange.
Transaction cost. Any cost incurred by a party in a payment system relating to a transaction but not forming part of the value of the transaction.
Transaction currency. The currency in which a transaction is denominated (compare cardholder billing currency).
Transaction description. Data describing a transaction for billing purposes.
Transaction log. A sequential record of transactions that is stored in a device.
Transaction processing. A mode of computer operation supporting real-time, online processing of transactions.
Transaction processing fee. A fee charged by a party in a payment system for handling or forwarding transactions.
Transaction value. The price of goods or services obtained in a transaction.
Transmission date/time. The time of day at which the details of a transaction are entered into a payment system.
Transponder. Electronic transmitter/responder, usually called a tag.
Transport keys. A string of numbers used to lock the smart card during its travel from the manufacturer to the customer.
Trojan horse. A destructive programme that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.
TTP. Trusted Third Party.
U
UCAF (Universal Card Authentication Field). A 32-character hidden field that is embedded at web storefronts to collect authentication data generated by issuers and cardholders, and create a unique cardholder authentication for each transaction, which is then forwarded to the issuer, with the authorisation request.
UML (Unified Modelling Language). A language used for modelling object based systems, especially in C++ and Java.
UMTS (Universal Mobile Telecommunications Service). A so-called "third-generation" broadband, packet-based transmission of text, digitised voice, video and multimedia at data rates up to 2 megabits per second (Mbps), which will offer a consistent set of services to mobile computer and phone users no matter where they are located. Based on the GSM standard, UMTS is the planned global standard for mobile users.
Unattended terminal. An electronic payment terminal not attended by a card acceptor’s representative and operated by the cardholder (e.g. an ATM).
Up-line loading. Loading of data from a merchant’s terminal to an acquirer’s computer system via an intermediate network facility (e.g. to transmit reconciliation data).
UMTS (Universal Mobile Telecommunications System). The mobile telecommunications standard which has been defined by the International Telecommunications Union to deliver pictures, graphics and video to mobile phone handsets.
UNIX. A multi-tasking, multi-user operating system.
URL (Uniform Resource Locator). A website address.
USB (Universal Serial Bus). An input/output bus that can allow up to 120 devices to be daisy-chained.
USSD (Unstructured Supplementary Service Data). A mobile messaging technology for GSM, mostly via the net.
USIM. Universal Subscriber Identity Module.
V
Value chain. Concept which focuses on a company’s internal processes and the interactions between different elements of the organisation. Through analysis, one can calculate where and how value is added.
VBM. Value-Based Management.
VbV. Verified by Visa, a security specification for making card payments over the internet.
VCC. The ISO standard designation for the supply voltage to an integrated circuit card (defined in ISO 7816).
VDU. Visual Display Unit.
Vicinity. Contactless technology operating at a distance of 50 cm (approx.).
Visa. An international payment system or organisation controlled by its members.
Visa Cash. Visa’s electronic purse programme.
VisaNet. Visa’s worldwide network for data exchange.
Visual display unit. A computer output device which displays alphanumeric or graphic data to its user on a refreshable image surface (i.e. not producing hard copy).
VLT (Value Load Terminal). A kiosk-type device where cardholders can load value onto a smart card from their bank account.
VOIP (Voice Over Internet Protocol). Allows simultaneous transmission of data and voice on one line and one network.
Volatile memory. Computer memory which loses its contents when the external power is removed.
VPN (Virtual Private Network). A system to deliver corporate information over a shared public infrastructure.
VPP. Standard designation for the programming voltage input to an integrated circuit card (see ISO 7816).
W
WAP. Wireless Application Protocol.
Watermark magnetics. A magnetic tape that contains non-erasable personalised magnetics for identification purposes, hence increasing the security of magnetic media.
WCDMA (Wideband Code-Division Multiple Access). An ITU standard derived from CDMA, officially known as IMT-2000 direct spread. WCDMA is a 3G mobile wireless technology offering much higher data speeds to mobile and portable wireless devices than commonly offered in today's market. WCDMA can support mobile/portable voice, images, data and video communications at up to 2 Mbps (local area access) or 384 Kbps (wide area access).
Wiegand wire. Magnetic media embedded in cards used for access control applications.
WEP. Basic wireless security provided by Wi-Fi.
White plastic. A generic term for a plastic card used to imitate the functions of a genuine charge, credit or debit card.
Wi-Fi. An interoperability certification for wireless local area network (LAN) products based on the IEEE 802.11 standard.
WIM (WAP Identity Module). A SIM card that is specifically developed for the internet.
Wired logic card. Alternative name for a memory card.
WML (Wireless Markup Language). A subset of HTML for use on wireless devices.
WORM (Write Once Read Many Times). Variation of CD-ROM.
WPKI. Wireless Public Key Infrastructure.
WTLS. Wireless Transport Layer Security.
X
X.509. A communication protocol.
XML (Extensible Markup Language). More powerful variant of HTML. Allows users to embed detailed tags into documents, which can be used to initiate transactions and call up data and applications.
XOR. A very simple encryption algorithm that offers little protection against intrusion.
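To make the XOR entry concrete, here is an added Python example (written for this glossary; not the glossary's own code) that shows why repeating-key XOR "offers little protection": the same function encrypts and decrypts, a few bytes of known or guessable plaintext give back the entire key, and reusing one key on two records cancels the key out and leaks the difference between the plaintexts. The key and the sample records are constructed values. XOR is only secure when the key is as long as the data, comes from a proper random number generator (see the RNG entry) and is never reused, i.e. as a one-time pad, which is impractical for payment traffic.

```python
"""Repeating-key XOR and its weaknesses (added example; constructed data, not from the glossary)."""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key when it is shorter.

    The same call encrypts and decrypts, because (x ^ k) ^ k == x.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext weakness: ciphertext ^ plaintext reveals the key.

    With key_len bytes of known plaintext (a fixed record header, for example)
    the whole repeating key falls out of a single XOR, and with it every other
    record protected under that key.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def key_reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """Key-reuse weakness: XORing two ciphertexts cancels the shared key.

    What remains is plaintext_a ^ plaintext_b, so positions where the two
    records agree show up as zero bytes without any key being known.
    """
    n = min(len(ciphertext_a), len(ciphertext_b))
    return bytes(a ^ b for a, b in zip(ciphertext_a[:n], ciphertext_b[:n]))


if __name__ == "__main__":
    key = b"k3y"                                   # constructed 3-byte key
    record_a = b"constructed sample record 0001"   # constructed sample data
    record_b = b"constructed sample record 0002"
    ct_a = xor_bytes(record_a, key)
    ct_b = xor_bytes(record_b, key)
    print("round trip ok:", xor_bytes(ct_a, key) == record_a)
    print("key from 3 known bytes:", recover_key(ct_a, record_a[:3], 3))
    print("key-reuse leak:", key_reuse_leak(ct_a, ct_b).hex())
```

The leak output is all zero bytes except the last one, which exposes exactly where and how the two records differ, which is the kind of disclosure a proper cipher with a per-session key (see Session key) is designed to prevent.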
Z
Zero floor limit. Requirement for all card transactions to be authorised.
Zero knowledge. Form of authentication in which the object demonstrates to the challenger that it knows a secret without disclosing that secret. Usually makes use of PKI.
Zones. Areas of ICC storage designated for free access, limited access, or no access.
0-9
1G. The 1G period began in the late 1970s and lasted through the 1980s. Although the first true mobile phone systems, using analog voice signalling, they were little more sophisticated than repeater networks used by amateur radio operators.
2G. The 2G phase began in the 1990s, and much of this technology is still in use. The 2G cell phone features digital voice encoding. Examples include CDMA, TDMA and GSM. Since its inception, 2G technology has steadily improved, with increased bandwidth, packet routing and the introduction of multimedia, followed by the enhanced 2.5G.
3G. Third-generation wireless. Also see UMTS. 3G wireless systems provide high-speed data transmission (144 kbps plus) and Internet Protocol (IP) based services. The standard for third-generation systems includes three operating modes: CDMA2000, W-CDMA and TD-SCDMA. Features include enhanced multimedia (voice, data, video and remote control) and cross-device usability (mobile phone, email, PDA, paging, fax, video conferencing and internet browsing).
Keys to...
An Efma production
Groupe Corlet imprimeur 14110 Condé-sur-Noireau France
Copyright ©2007 Efma - All rights reserved
Cards and payments Banks are increasingly aware of the importance of retail payments for their business. They are examining new products such as pre-paid, contactless, corporate and business payments. The Internet has changed the card business, because it is easier for customers to compare products, and move to a new offering more quickly. These are the challenges. This glossary of terms is intended for those who are new to the business, or who want to update themselves with major events and developments in this fast moving industry. Card World and Efma are pleased to present this booklet. We hope you find it useful.
An Efma production Usually written in the form of a glossary, each work offers an original and global perspective of a theme related to the financial sector. Areas covered: strategy, products and markets, new technologies, regulations, communication, marketing, management, etc.