Cardholders (or consumers) are one of the four corners of the ‘four corner’ model of the payment card world (the other three being the merchant, the acquirer and the issuer). Here we take a brief look at payment security as it relates to cardholders.
Definition of a Cardholder
A cardholder is defined as “the holder of the card used to make a purchase.” This is generally a customer of a financial institution known as the issuer. The issuer issues one or more payment cards (credit, debit or prepaid) to the cardholder. The cardholder does not own the card, however: it remains the property of the issuer (typically a bank).
The financial account linked to the card is called the “cardholder account.” It is usually an account opened at the issuer by the cardholder, but it may also belong to someone else or to a legal entity such as a company (a corporate card, for instance).
Cardholder security is a primary concern for almost all stakeholders in the payment world. It is obviously the primary concern of the issuer, and of the major card brands (also called card schemes), who must provide guarantees and insurance for cardholder security.
Given authorization to use a payment card (physical or virtual), the cardholder can pay at terminals all over the globe and purchase a wide range of goods and services. A small plastic card can allow its holder to withdraw a large amount of cash or buy expensive goods and services, so the card, and the data on it, is a desirable target for criminals: it is easier to steal than jewels, cars or a large amount of cash, which are bulkier and easier to keep secure.
Payment Security and the Cardholder: A Brief Historical Overview
Originally, payment cards offered relatively little security and were reserved for a small number of bank customers; bank employees or shop owners performed the checks manually. During the 70s, card processing became computerized and cards were made available to a much larger number of bank customers.
Because transaction processing had to be automated, a magnetic stripe was added to the plastic card during the 70s and 80s. The stripe offers no real security: it only stores the card data (account number, expiry date and related fields) in the clear, and anyone with an inexpensive reader can copy it onto another card. The information printed on the card was also enough to order by telephone or over the primitive computer networks of the time.
To prevent a thief who has stolen a card from impersonating the legitimate cardholder, banks introduced a secret code, the PIN (personal identification number), building on the work of Mohamed Atalla (founder of the Atalla Corporation, often referred to as the “father of the PIN,” whose company built the first hardware security modules for protecting PINs).
Criminal networks specializing in card fraud spread across the globe, cloning bank cards and intercepting unprotected PINs. This forced the payment industry to face facts and migrate to more secure payment card systems to better protect cardholders.
Chip-based payment cards appeared in France and Germany during the 90s, building on the work of the French inventor Roland Moreno and others. They were a radical departure from “traditional” magnetic-stripe cards: cardholder protection now rests on cryptographic protocols, with secret keys held inside the chip to authenticate each transaction to the issuer and public-key (RSA) signatures that let the terminal verify the card’s data offline.
In 1999 the schemes Europay, MasterCard and Visa created EMVCo, which still, as of today, governs how chip-based payment cards must be designed.
With the chip-based card, the issuing bank can programmatically verify the integrity and authenticity of the card it has issued and bind it to the cardholder. It does so with cryptographic protocols (each transaction carries a cryptogram computed by the chip with a key known only to the chip and the issuer) and with cardholder verification by PIN: either offline, where the chip itself checks the PIN, or online, where the PIN is encrypted at the terminal and verified by the issuer.
EMV chips also protect cardholders against cloning: the secret keys are held in tamper-resistant protected memory and are never exported from the chip, so copying the readable data (as a stripe skimmer does) does not yield a card that can produce valid cryptograms. Some secure elements additionally derive their keys from physically unclonable functions (PUFs).
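How the issuer’s check of a chip transaction works, as an added example in Go (not code from the original article, nor from EMVCo): the chip holds a master key derived from the issuer master key and the PAN, derives a session key from its transaction counter (ATC) and MACs the terminal’s transaction data; the issuer re-derives the same keys and rejects any cryptogram with a wrong MAC or a reused counter. A copied stripe, or a card with the wrong key, fails the MAC; a replay fails the counter check. The issuer master key, PAN and CDOL1 bytes are constructed test values, the CDOL1 layout is simplified, and DES key-parity adjustment is omitted.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// tdesEncrypt: one 8-byte block under a double-length 3DES key expanded to K1 K2 K1.
// Every key in this example is exactly 16 bytes, so the cipher constructor cannot fail.
func tdesEncrypt(key16, in []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}

// DeriveCardMasterKey: EMV Book 2, Annex A1.4, option A (key-parity adjustment omitted).
// Y = rightmost 16 digits of PAN||PSN as BCD; MK = 3DES(IMK, Y) || 3DES(IMK, Y xor FF..FF).
func DeriveCardMasterKey(imk []byte, pan, psn string) []byte {
	digits := pan + psn // assumed to be at least 16 decimal digits
	y, _ := hex.DecodeString(digits[len(digits)-16:])
	yInv := make([]byte, 8)
	for i := range y {
		yInv[i] = y[i] ^ 0xFF
	}
	return append(tdesEncrypt(imk, y), tdesEncrypt(imk, yInv)...)
}

// DeriveSessionKey: EMV common session key, the card key diversified with the ATC,
// so every cryptogram is computed under a fresh key.
func DeriveSessionKey(mk []byte, atc uint16) []byte {
	l := []byte{byte(atc >> 8), byte(atc), 0xF0, 0, 0, 0, 0, 0}
	r := []byte{byte(atc >> 8), byte(atc), 0x0F, 0, 0, 0, 0, 0}
	return append(tdesEncrypt(mk, l), tdesEncrypt(mk, r)...)
}

// RetailMAC: ISO/IEC 9797-1 MAC algorithm 3 with padding method 2 (0x80 then zeros),
// the construction EMV uses for application cryptograms.
func RetailMAC(key16, data []byte) []byte {
	padded := append(append([]byte{}, data...), 0x80)
	for len(padded)%8 != 0 {
		padded = append(padded, 0x00)
	}
	ka, _ := des.NewCipher(key16[:8])
	kb, _ := des.NewCipher(key16[8:16])
	h := make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		for j := range h {
			h[j] ^= padded[i+j]
		}
		ka.Encrypt(h, h) // single-DES CBC chain under the left half of the key
	}
	kb.Decrypt(h, h) // final block: decrypt under the right half ...
	ka.Encrypt(h, h) // ... then encrypt once more under the left half
	return h
}

// signedData is what the chip MACs: the terminal's CDOL1 data followed by the ATC.
func signedData(cdol1 []byte, atc uint16) []byte {
	return append(append([]byte{}, cdol1...), byte(atc>>8), byte(atc))
}

// Card models the chip: mk is written once at personalisation and can never be read out.
// A copied magnetic stripe carries the PAN and expiry date, never mk.
type Card struct {
	mk  []byte
	atc uint16
}

// GenerateARQC is what the chip does on GENERATE AC: increment the counter, derive the
// session key and MAC the transaction data (amount, currency, unpredictable number, ...).
func (c *Card) GenerateARQC(cdol1 []byte) (uint16, []byte) {
	c.atc++
	return c.atc, RetailMAC(DeriveSessionKey(c.mk, c.atc), signedData(cdol1, c.atc))
}

// Issuer holds the issuer master key (in production inside an HSM) and the last ATC per PAN.
type Issuer struct {
	imk     []byte
	lastATC map[string]uint16
}

func NewIssuer(imk []byte) *Issuer { return &Issuer{imk: imk, lastATC: map[string]uint16{}} }

// VerifyARQC re-derives the card and session keys from the PAN and checks MAC and counter.
func (is *Issuer) VerifyARQC(pan, psn string, cdol1 []byte, atc uint16, arqc []byte) bool {
	if atc <= is.lastATC[pan] {
		return false // replayed or reordered transaction
	}
	sk := DeriveSessionKey(DeriveCardMasterKey(is.imk, pan, psn), atc)
	if subtle.ConstantTimeCompare(RetailMAC(sk, signedData(cdol1, atc)), arqc) != 1 {
		return false // wrong key (cloned card) or altered transaction data
	}
	is.lastATC[pan] = atc
	return true
}

func main() {
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed test key, not a real IMK
	card := &Card{mk: DeriveCardMasterKey(imk, "4111111111111111", "01")} // personalisation
	cdol1 := []byte{0, 0, 0, 0, 0x19, 0x99, 0x09, 0x78, 0xDE, 0xAD, 0xBE, 0xEF} // amount 19.99, EUR, UN
	atc, arqc := card.GenerateARQC(cdol1)
	fmt.Printf("ATC %d ARQC %X accepted: %v\n", atc, arqc, NewIssuer(imk).VerifyARQC("4111111111111111", "01", cdol1, atc, arqc))
}
```

The point to take away is that nothing the card emits (PAN, ATC, cryptogram) is enough to produce the next cryptogram: the unpredictable number and counter change every time, and the key that signs them never leaves the chip or the issuer’s HSM.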
However, the PIN remains so far the only secret with which the cardholder protects their card. Once the PIN is disclosed, the protection it provides is lost.
Therefore bank PINs must remain an absolute secret and be encrypted “end-to-end” from the PIN pad to the issuing bank, with no interruption except inside HSMs, where the PIN block is decrypted for the brief moment of PIN translation (re-encryption from one zone key to the next) and is never exposed to host software.
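What “encrypted end-to-end, with translation only inside an HSM” looks like in practice, as an added example in Go (not code from the original article): an ISO 9564-1 format 0 PIN block is built at the PIN pad by XORing the PIN field with the PAN, encrypted under the terminal PIN key (TPK), re-keyed from the TPK to a zone PIN key (ZPK) inside the acquirer’s HSM, and only decrypted again inside the issuer’s HSM for verification. The keys, PAN and PIN are constructed test values, and HSMTranslate is a hypothetical stand-in for the HSM command; it is the only function in which a clear PIN block exists.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// tdes encrypts or decrypts one 8-byte block with 3DES-ECB under a double-length (16-byte)
// key expanded to K1 K2 K1. Keys in this example are always 16 bytes, so the constructor cannot fail.
func tdes(key16, in []byte, decrypt bool) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// panField is the ISO 9564-1 format 0 PAN field: 0000 followed by the rightmost 12 PAN
// digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// FormatPINBlock0 builds a format 0 PIN block: the PIN field (0, length nibble, PIN digits,
// F padding) XORed with the PAN field, which ties the block to one card.
func FormatPINBlock0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	pf, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	block := make([]byte, 8)
	for i := range block {
		block[i] = pf[i] ^ pa[i]
	}
	return block, nil
}

// ExtractPINBlock0 recovers the PIN from a clear format 0 block. A PAN that differs from the
// one used at the PIN pad yields a malformed PIN field, so the mismatch is detected.
func ExtractPINBlock0(block []byte, pan string) (string, error) {
	pa, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad block or PAN")
	}
	clear := make([]byte, 8)
	for i := range clear {
		clear[i] = block[i] ^ pa[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n := int(clear[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	pin, pad := h[2:2+n], h[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("PIN block does not match this PAN")
	}
	return pin, nil
}

// HSMTranslate is the only place a clear PIN block exists: decrypt under the incoming zone
// key, re-encrypt under the outgoing one, and wipe the intermediate value before returning.
func HSMTranslate(fromKey, toKey, enc []byte) []byte {
	clear := tdes(fromKey, enc, true)
	defer func() {
		for i := range clear {
			clear[i] = 0
		}
	}()
	return tdes(toKey, clear, false)
}

func main() {
	// Constructed test keys; real TPK/ZPK values only ever exist inside HSMs.
	tpk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	zpk, _ := hex.DecodeString("89ABCDEF0123456776543210FEDCBA98")
	pan := "4111111111111111"
	block, _ := FormatPINBlock0("1234", pan)        // 041225EEEEEEEEEE
	fromTerminal := tdes(tpk, block, false)          // encrypted at the PIN pad under the TPK
	toIssuer := HSMTranslate(tpk, zpk, fromTerminal) // acquirer HSM re-keys from TPK to ZPK
	pin, err := ExtractPINBlock0(tdes(zpk, toIssuer, true), pan) // inside the issuer HSM
	fmt.Println(pin, err)
	_, err = ExtractPINBlock0(tdes(zpk, toIssuer, true), "5500000000000004")
	fmt.Println("wrong PAN:", err)
}
```

Two properties matter here: the PIN block never travels under the same key across two zones, so a compromised zone key exposes only that hop, and the PAN binding means a block captured for one card cannot be replayed as the PIN of another.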
Recently, EMVCo has been considering biometric cardholder verification as an additional means of identifying the cardholder and guaranteeing their security. However, this is still a work in progress. Other techniques, such as one-time passwords sent to a mobile phone during an EMV transaction, may also be considered in the near future.
The Case of Card-not-Present (CNP) Payments
Traditionally, real cardholder security has been almost impossible to achieve in card-not-present (CNP) payments. These transactions, today mostly made online from desktop computers or mobile devices, take place without the card being physically presented at the time of processing. The data needed to place an online transaction is very small: typically the card number, the expiry date and the security code printed on the card (CVV2/CVC2), all of which are static and visible to anyone who has handled the card. There is no simple way to identify the cardholder, because PIN verification is not available in CNP.
It is therefore not very difficult for criminals to impersonate cardholders in such transactions. Unfortunately, cardholder data is frequently leaked through breaches of online databases or through illegally modified payment terminals (skimmers).
EMVCo has been extending cardholder protection to the CNP area (payment tokenization, which replaces the PAN with a surrogate token usable only in a given context, and EMV 3-D Secure for cardholder authentication). However, this too is still a work in progress.
Additionally, many CNP transactions are now protected by multi-factor authentication (usually a one-time password sent by SMS or pushed to a mobile device). As a general rule, mobile devices are now commonly used to provide additional security to cardholders.
Organizations that are Involved in Cardholder Security and Safety
The primary organizations and programs involved in cardholder security are:
- The PCI Security Standards Council, which publishes:
  - PCI PIN, which rules how the cardholder PIN must be encrypted, transported, stored and processed
  - PCI DSS, which rules how any system that stores, processes or transmits cardholder data must secure it
- The Visa Cardholder Information Security Program (CISP)
- Cardholder protection programs run by individual issuing banks and card schemes
There are multiple layers of security involved in protecting the cardholder. The protection around the card itself is very robust, thanks to cryptographic protocols and secure chips, but “online” (CNP) transactions remain the weak point and are hard to secure completely. Still, one-time codes (TANs) sent to mobile phones and biometric authentication are increasingly used to provide strong multi-factor authentication and better protect cardholders.
References, Side Notes and Further Reading
- Read more articles on Payment Security (2018 - today), by Martin Rupp, Jo Lintzen, Matt Landrock and more
- Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more