CardInk Case Study – S2M
STRONG USER AUTHENTICATION FOR MULTI CHANNEL BANKING
Since the early days of EMV®, card issuing has become less challenging thanks to maturing specifications, increased expertise and flexible vendor solutions. The main challenge for banks and service providers has shifted towards competition, differentiation, time to market, and the ability to be the first to pilot and adapt new technologies. Approximately 10 years after issuing its first EMV® chip cards, S2M, a North African market-leading pioneer in card payment solutions, found itself in the position that it possessed the card issuing platform and know-how, but markets were changing and constantly demanding more.
Technology once again became the main issue for ensuring continued success and growth. Meanwhile S2M was stuck with an issuing platform that had not been maintained to reflect the requirements of an evolving market and as a result the organisation needed to rethink its strategy.
Needless to say, this posed a new set of challenges, not least migrating from one platform to another without any disruption or inconvenience to its clients, who had come to expect the high levels of service that S2M has been renowned for during more than 30 years in business.
"S2M found itself in a difficult position when moving to a new advanced technology. It opened up to new business opportunities but also presented a significant set of technical challenges. We felt comfortable in having chosen the right partner in Cryptomathic but we were pleasantly surprised to find how well the two companies worked together on all aspects and particularly with Cryptomathic’s approach in dealing with unknowns as they arose along the way."
Managing Director of S2M
S2M is one of the leading service providers in North Africa and pioneered the very first credit card applications in the region. Founded in 1983, S2M has profiled itself for over thirty years as one of the leading players in developing and implementing payment solutions, personalisation, publishing and mailing.
S2M has established an impressive international reputation, with hundreds of private and public banks in 22 countries in America, Asia, Africa and the Middle East relying on its solutions and services.
STATUS BEFORE CRYPTOMATHIC
When migrating from magnetic stripe only to chip in 2003, S2M acquired a data preparation system as part of a complete issuing solution delivered by a card vendor. It enabled S2M to perform data preparation for targeted cards within a project and it worked well for that initial purpose. The system was initially acquired at a reasonable cost, but over time it became apparent that S2M had become locked into a relationship with the card vendor.
The data preparation had shortcomings in terms of both technical and business flexibility.
The functionality was centred around the card vendor’s products and therefore not easy to use for issuing cards from other vendors. Beyond the initial and successful project, S2M had to involve the card vendor each time they wanted to support other card vendor products, which proved costly, as well as time consuming.
It is vital for card issuers, and even more so for service providers like S2M, to have the freedom to shop around and choose the best card platform based on required functionality and price. In spite of that, S2M suddenly found itself tied to one vendor, putting the business at risk by having no choice but to forfeit suitable technology or accept the financial overhead associated with custom development, not to mention the uncertainty about expected delivery times.
Compliance is the new black.
In response to the growth in complexity and the need for common compliance standards, the major international card payment schemes are cooperating through the PCI Security Standards Council body, which they founded in 2006.
The system in place at S2M was, in fairness, developed before that time, but it was nevertheless becoming non-compliant in a number of ways, so numerous fixes were required following yearly audits. The detection of potential security weaknesses by auditors was an unpleasant reality for a company producing live banking cards; the mere rumour of non-compliance would pose a significant business risk.
In response to these issues, S2M decided to opt for a new, flexible and more technologically advanced data preparation system and approached suitable major industry vendors. An RFP was issued, and Cryptomathic, having also offered its data preparation system CardInk to S2M ten years prior, was determined to prove its worthiness and ability to help solve S2M’s problems once and for all. After an intense dialogue, exchange of technical documentation and vendor demonstrations, it became apparent to S2M that CardInk from Cryptomathic was the best-fit option. Although S2M considered several other solutions, Cryptomathic was chosen for a number of specific reasons:
- Mature technology
- Experienced vendor
- International expertise
- Hardware vendor independency
- Impressive reference list
In addition there was a good cultural fit between S2M and Cryptomathic with quality ethos, staff competence and ability to work together in completing an advanced task.
Secondary to the above, CardInk was also chosen as it boasts key features that are important to S2M:
Compliance and Security
CardInk complies with PCI logical security and Cryptomathic personnel have experience and a keen understanding of what is required with regards to logical security.
CardInk has built-in complete key management for EMV. Fully GUI controlled, the classic tasks of key generation, component and zone-encrypted key import/export, key lifecycle management and certificate exchange procedures with the payment scheme CA are available and easily executed.
CardInk integrates into challenging issuing environments.
New applications and flavours are GUI editable by the customer.
CardInk is a proven solution that has been running in small, medium and high volume facilities for over a decade and Cryptomathic prides itself in protecting against system downtime and offers 24/7 x 365 professional support.
Profiles and applications are GUI edited.
Time to market
CardInk is a mature off-the-shelf product.
Price and total cost of ownership
Cryptomathic uses a competitive licensing model suitable for any customer, regardless of its issuing requirements.
Cryptomathic commits itself to support changes to existing applications from new and updated specifications and applets and supports all new versions of the major applications (incl. mobile) plus a wealth of regional and custom applications.
CardInk is the fastest system in the world. It uses off-HSM key storage with two-level master key encryption.
A successful company quickly amasses a multitude of production profiles. From time to time there will be changes affecting several profiles, e.g. specification changes and new cards/applets. CardInk has GUI mass edit of profiles to set and change parameters in multiple profiles in one go.
Card platform neutral
CardInk produces data in the standard formats TLV, Common Personalization, Multos, in addition to custom formats using the GUI to edit applications and profiles.
CRYPTOMATHIC TOKEN MANAGER
Regardless of the data preparation platform chosen, migration from a legacy production system to a new one requires serious and meticulous planning. During the transition phase, the main worry for S2M was 'system down', and uptime was a top priority in order to avoid service interruptions.
The process of migration involved more than the installation of a new system and ensuring its stability. Since S2M already produced cards, the collection of production profiles and cryptographic keys had to be carried over to the new system.
S2M services banks in more than 20 countries, so the prospect of creating and re-certifying cryptographic keys was not an option. A tool was needed. Cryptomathic delivered a specific tool that enabled S2M to securely transfer all cryptographic material from the old system to the new system. Thanks to this, S2M could start up the new system and go straight into production.
An added bonus for S2M was the ability to reuse parts of the existing infrastructure, including the HSMs, producing direct cost savings.
Besides providing CardInk, Cryptomathic also delivered an Automation Utility for interfacing with S2M’s card management system, XML-mapping the banks’ data formats and controlling automatic processing of incoming data files. Both Cryptomathic systems interface with DataCard Affina via the Automation Utility, which returns files for Affina pickup.
PROJECT AND CONCLUSION
An aggressive time frame was set for S2M’s migration project. The dialogue began in June 2014. By November 2014, S2M was fully migrated and ready for production.
S2M is now running CardInk to full satisfaction. The focus, skills, knowledge and innovative approach demonstrated by everyone involved in the project, from both companies, enabled it to be successfully delivered within a tight timeframe. After project completion a solid partnership has been established, which is set to last for many years to come.
After ten years of successfully issuing EMV chip cards, S2M, the North African pioneer in card payment solutions, took the strategic decision to re-evaluate its EMV data preparation system for its card issuing platform. Decisive factors were:
- Compliance and security
- Built-in EMV key management
- Flexibility and configurability
- Stability and productivity