Credit Card Payment Protection – Bernard Foot

Credit (& debit) card payment protection in Europe & many other countries relies on chip & PIN, which uses encryption with symmetric & asymmetric algorithms, and public & private keys, depending on the nature of the transactional exchange between customer, merchant, acquirer, switcher & card-issuing bank.

The PIN is a private key known only to the customer and to the card chip, & it validates the customer. The PIN is unencrypted (“in the clear”) only within a Hardware Security Module, which is tamper-resistant & “self-destructs” if interfered with. Interestingly, protection in the USA still relies solely on the magnetic stripe on the back of the card, on which the PIN is held. Thus one criminal approach is to “skim” a card in Europe & use a corresponding cloned card in the USA.

The card verification value (CVV, the 3-digit code on the back of the card) is an encrypted value of the card number & the expiry date. Again, this is visible only to the person legally (or illegally) holding the card, but it is encoded in the magnetic stripe on cards in the USA. Online purchases using a card should be protected by up-to-date PC software & internet security using the https (padlock) protocol, & should employ the CVV2 number (signifying “cardholder not present”). Further security can be provided by a “3D Secure” system such as “Verified by Visa”, which may require entry of 3 characters from private information known only to the customer & their bank.
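As an added illustration of the CVV point above (not part of Bernard's talk), the following Python model shows why a verification value is a keyed function of the card number, expiry date and a service code, computed and checked only at the issuer. The real scheme derives the digits with DES under issuer Card Verification Keys; here HMAC-SHA256 is substituted as a stand-in, and the key, PAN and expiry are constructed sample values.

```python
import hashlib
import hmac


def _decimalise(hex_digest: str, length: int) -> str:
    """Two-pass digit extraction, as used for card verification values:
    keep the characters that are already decimal digits, then, if more are
    needed, map the remaining hex letters A-F onto 0-5."""
    digits = [c for c in hex_digest if c.isdigit()]
    if len(digits) < length:
        digits += [str(int(c, 16) - 10) for c in hex_digest
                   if c in "abcdefABCDEF"]
    return "".join(digits[:length])


def card_verification_value(cvk: bytes, pan: str, expiry_yymm: str,
                            service_code: str) -> str:
    """Issuer-side computation of a 3-digit verification value.

    cvk is the issuer's Card Verification Key, which lives only inside the
    issuer's HSM. Without it a merchant or a stripe-skimmer can only copy a
    value that already exists, not derive one for different inputs.
    The service code is why the stripe value (CVV1) and the printed value
    (CVV2, service code 000) differ for the same card.
    HMAC-SHA256 stands in for the DES-based derivation of the real scheme.
    """
    material = (pan + expiry_yymm + service_code).encode("ascii")
    digest = hmac.new(cvk, material, hashlib.sha256).hexdigest()
    return _decimalise(digest, 3)


def verify(cvk: bytes, pan: str, expiry_yymm: str, service_code: str,
           presented: str) -> bool:
    """Issuer-side check: recompute and compare in constant time."""
    expected = card_verification_value(cvk, pan, expiry_yymm, service_code)
    return hmac.compare_digest(expected, presented)


# Constructed sample values (not real keys or cards).
CVK = bytes.fromhex("0123456789abcdeffedcba9876543210")
PAN = "4000000000000002"   # constructed test PAN
EXP = "2712"               # YYMM

if __name__ == "__main__":
    cvv1 = card_verification_value(CVK, PAN, EXP, "201")  # stripe value
    cvv2 = card_verification_value(CVK, PAN, EXP, "000")  # printed value
    print("CVV1 (stripe):", cvv1, " CVV2 (printed):", cvv2)
    print("issuer accepts CVV2:", verify(CVK, PAN, EXP, "000", cvv2))
```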

Contactless cards are chip & PIN cards, but use near-field communication to validate transactions below £30 without requiring manual PIN entry by the customer. Smartphone & tablet apps (e.g. Apple Pay) are increasingly being used instead of cards, and all data has to be encrypted since it is sent over a public network. They are recommended only for use with reputable traders. Apple iPhones contain a “Secure Element” to do the encryption, whereas Android devices use app processing with tokenisation. Bernard gave recommendations for safe use of cards, including never disclosing one’s PIN by intent or accident, & checking ATMs for anything odd (e.g. pinhole cameras).