After the magnetic stripe and the chip, let’s get to the topic that actually made me start this series, and see what a bank card transaction looks like. We use our bank cards daily, sometimes several times a day, yet few people know exactly what happens in those moments. This is a pity, because an ordinary card holder may well wonder whether their money is really safe when they pay with a card.
Transactions can be categorized from several points of view. Perhaps the most important distinction is that there are financial transactions in which the card holder does not actually use the card, but starts a payment with the data that are printed on it. Banks simply call these ‘card not present’ transactions; the typical case is online shopping, where on a website we only have to enter the card number, the expiry date and that three-digit security code found on the back of the card. I can memorise these data and still provide them even if I left the card at home in my drawer. Worse, anyone else who possesses these data can initiate a payment in my name.
IT security specialists often say that identifying a person is considered secure if it is based on at least two independent factors: the person proves to the system that they possess something and know something. In the case of bank cards we have to possess the card itself and know the PIN code. If I lose my card I will of course worry, but it is probably not a great drama, since whoever has my card has not obtained my PIN along with it, which considerably reduces the risk of a larger sum being withdrawn from my account. (Yeah… really! Why do banks keep saying that we shouldn’t write our PIN on the back of the card with a permanent marker? Well, unfortunately I also know people who are unwilling to take that seriously, and who thereby certainly run a serious risk.)
In the case above, that is in card not present transactions, the possibility of two-factor identification is lost, since knowing the data is enough and the card need not be present. The risks arising from this have to be handled by the acquirers as a business matter, and they do so. Since the bank card, the key player of our series, has nothing to do with these payment methods, let’s turn back to card present transactions.
As I mentioned, transactions fall into different categories, and now I will arbitrarily pick one of them. Nowadays most cards support both contact and contactless payment. This time I will write about the first, because that is the classical solution that has been in use for a long time; the other one I will cover later.
From the technical side, two or three active players take part in a bank card transaction:
- the card
- the terminal (ATM or POS)
- and a remote acceptance system, invisible to the card holder (it is called the ’host’ in English).
A transaction is offline when the card and the terminal settle it between themselves, and online when the host also takes part. The wonder of chip bank cards is that their inventors considered them secure enough that the programs running on the chip, which supervise the transaction from the card’s side, were prepared for both offline and online operation. In the old-fashioned magnetic stripe world, online operation was warranted for almost every transaction, except perhaps some very special cases, such as paying small sums at toll road gates. This was because, for the reasons mentioned earlier, the card was a very stupid tool and could hardly contribute anything that would assure the terminal of the card’s authenticity.
Online transactions can still be considered the most secure form of payment today, since in that case the transaction data are transmitted to the server of the card-issuing bank, or to the processor the bank has appointed, that is to the host, where acceptance of the transaction can be decided individually, based on up-to-date data. Moreover, thanks to the development of telecommunication networks the host is pretty reliably reachable, so the banks configure the application running on the card so that it rather forces online operation. But what happens if a businessman returning home from New York suddenly remembers the next day’s wedding anniversary and would like to pay for a perfume for his wife somewhere above the ocean, on board a plane? In the absence of an online connection the bank card either says that it is not willing to carry out the transaction, which is more than unpleasant, or it convinces the terminal that it is not a stolen card, and our forgetful card holder can after all surprise his wife when he gets home. In this case the ability to convince becomes a technological issue.
Returning to the above case, we are now at the stage where the buyer has already chosen the article and indicated to the seller the intention to buy it; the seller has entered the sum in the POS terminal and put it in front of the dear buyer’s nose, kindly asking him or her to place the card in the device. When that is done, a classical ’card present’ transaction starts.
When the chip is placed in the reader, it receives supply voltage through its pins, and this is immediately followed by a so-called ’reset’, which puts the small minicomputer into its initial state after power-on. In addition, it answers the terminal with some facts about itself, such as its type, the way it prefers to communicate and some information about its history (this answer is called the ATR, from the initials of the words Answer To Reset). The POS does not deal too much with the ATR, but first things first: what matters is that a connection can be set up between the two devices.
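To make the three pieces of the ATR concrete (how the card wants to talk, and its "history"), here is an added decoder written for this post; it is not code from the original article. It follows the ISO/IEC 7816-3 ATR layout: TS convention byte, T0 with presence bits and the historical-byte count, the TA/TB/TC/TD interface bytes chained through each TD, the historical bytes, and the TCK check byte that is only present when a protocol other than T=0 is offered. The ATR byte strings at the bottom are constructed for illustration, not captured from a real card, and the function name `parse_atr` is my own.

```python
# Added example: decoding a card's Answer To Reset (ISO/IEC 7816-3).
# Sample ATRs below are constructed, not taken from any real card.

def parse_atr(atr: bytes) -> dict:
    """Split an ATR into convention, interface bytes, protocols, historical bytes
    and TCK status. Raises ValueError when the structure is inconsistent."""
    if len(atr) < 2:
        raise ValueError("ATR too short")
    conventions = {0x3B: "direct", 0x3F: "inverse"}
    if atr[0] not in conventions:
        raise ValueError(f"bad TS byte {atr[0]:#04x}")
    t0 = atr[1]
    k = t0 & 0x0F                  # low nibble: number of historical bytes
    y = t0 >> 4                    # high nibble: which of TA1..TD1 follow
    i, round_no = 2, 1
    interface, protocols = {}, set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{round_no}"] = atr[i]
                i += 1
        td = interface.get(f"TD{round_no}")
        if td is None:             # no TDi means no further interface bytes
            break
        protocols.add(td & 0x0F)   # low nibble of TDi: offered protocol T
        y = td >> 4                # high nibble: presence bits for the next round
        round_no += 1
    if not protocols:
        protocols.add(0)           # T=0 is implied when no TD1 is present
    historical = atr[i:i + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    i += k
    tck_ok = None                  # None = no TCK expected for a T=0-only card
    if protocols != {0}:
        if i >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:i + 1]:     # T0 through TCK inclusive must XOR to zero
            xor ^= b
        tck_ok = xor == 0
        i += 1
    if i != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {
        "convention": conventions[atr[0]],
        "interface_bytes": interface,
        "protocols": sorted(protocols),
        "historical_bytes": historical,
        "tck_ok": tck_ok,
    }


# Constructed samples: a T=1 card with a correct TCK, a T=0-only card
# (no TCK), and the first sample with its TCK corrupted.
SAMPLE_ATR_T1 = bytes.fromhex("3B931101414243C3")
SAMPLE_ATR_T0 = bytes.fromhex("3B024142")
SAMPLE_ATR_BAD_TCK = bytes.fromhex("3B93110141424300")

if __name__ == "__main__":
    for name, atr in (("T=1", SAMPLE_ATR_T1), ("T=0", SAMPLE_ATR_T0), ("bad TCK", SAMPLE_ATR_BAD_TCK)):
        print(name, parse_atr(atr))
```

The terminal only needs the protocol and convention from this to start talking; the historical bytes are where a card may describe its "type" and the TCK is the one integrity check the reader can apply before the first command goes out.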
In the next step, the terminal has to find out which payment application it shall cooperate with. The different card schemes have different applications; in the good case there is one of them on the card, and the terminal knows it and is willing to handle it. To this end, the terminal tries to start a program on the card which is a general industry standard, operating the same way on every bank card according to EMV. It does nothing but send back a list of the payment applications present on the card.
But let’s stop here! What does it mean that ’it tries to start a program on the card’? The terminal talks to the card very simply, more or less the way Sergeant Potrien talks to Csülök when he wants to find the owner of a waist-belt lost in a tavern brawl (see ’The three musketeers in Africa’, a novel by Jenő Rejtő /P. Howard/). The terminal issues an instruction, the card answers it, and after weighing the answer another instruction follows with another answer, until the transaction is closed. The first operation after the ‘reset’ is the issuance of a standard ‘select application’ instruction. The names of the applications on the chip are not as meaningful as those we use on a PC, but a ‘binary scribble-scrabble’; nevertheless, this is just right for both the chip and the terminal. Translated into human language, the first instruction means nothing more than ‘please select the application containing the list of payment applications’.
If there is such a small program on the card, it answers the terminal by sending a list, which generally has only one element and contains the name of the program(s) to be used for transactions. If there is none, it is not a big problem, but then the terminal has to ask for every program it knows, one after another, in order to find one it can work with. If we are lucky and we really have put our bank card in the terminal, the POS finds the payment application and accordingly starts running the series of operations at the end of which the transaction is closed and the parties consider the payment done.
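The instruction-and-answer dialogue described above, with both the ‘binary’ application names and the fallback to the terminal’s own list, as an added example that is not part of the original post. The SELECT command layout (CLA 00, INS A4, P1 04), the PSE name `1PAY.SYS.DDF01`, the status words 9000 and 6A82, and the tags 6F/84/A5/61/4F/50 come from the ISO 7816-4 and EMV specifications; everything else is an assumption I made for the demo: the placeholder AIDs with an `F0` prefix, the labels, the `SimCard` stand-in for the chip, and the simplification that the card returns the application list directly in the SELECT response (a real contact PSE needs further READ RECORD commands to fetch it, which are omitted here).

```python
# Added example (not from the original post): terminal side of the
# 'select application' step plus a minimal BER-TLV decoder for the answer.
# The card is simulated; AIDs, labels and file contents are constructed.

PSE_NAME = b"1PAY.SYS.DDF01"        # contact Payment System Environment name (EMV Book 1)

# Constructed placeholder AIDs; an F0 prefix marks a proprietary, unregistered RID
AID_DEBIT = bytes.fromhex("F00000000101")
AID_CREDIT = bytes.fromhex("F00000000202")
SUPPORTED_AIDS = [AID_DEBIT, AID_CREDIT]   # the programs this terminal knows


def build_select(df_name: bytes) -> bytes:
    """SELECT by name: CLA=00 INS=A4 P1=04 P2=00, Lc, name, Le=00 (ISO 7816-4)."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(df_name)]) + df_name + b"\x00"


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one short-form BER-TLV object (values under 128 bytes only)."""
    assert len(value) < 0x80
    return tag.to_bytes((tag.bit_length() + 7) // 8, "big") + bytes([len(value)]) + value


def parse_tlv(data: bytes) -> list:
    """Decode BER-TLV into [(tag, value)]; value is bytes for primitive tags and
    a nested list for constructed tags (bit 6 of the first tag byte set)."""
    items, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):           # inter-object padding permitted by EMV
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:              # multi-byte tag: bit 8 set = another byte follows
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = int.from_bytes(data[start:i], "big")
        length = data[i]
        i += 1
        if length & 0x80:                     # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        items.append((tag, parse_tlv(value) if first & 0x20 else value))
    return items


def find_all(items: list, tag: int) -> list:
    """Depth-first collection of every value carried under `tag`."""
    hits = []
    for t, v in items:
        if t == tag:
            hits.append(v)
        if isinstance(v, list):
            hits.extend(find_all(v, tag))
    return hits


def applications_from_fci(fci: bytes) -> list:
    """Pull (AID, label) pairs out of the Application Templates (tag 61)."""
    apps = []
    for template in find_all(parse_tlv(fci), 0x61):
        aid = (find_all(template, 0x4F) or [None])[0]        # 4F = ADF name / AID
        label = (find_all(template, 0x50) or [b""])[0]       # 50 = Application Label
        if aid is not None:
            apps.append((aid, label.decode("ascii")))
    return apps


class SimCard:
    """Stand-in for the chip: answers SELECT by name from a dict of DF name -> FCI."""
    def __init__(self, files: dict):
        self.files = files

    def transmit(self, apdu: bytes) -> tuple:
        if apdu[:4] != bytes([0x00, 0xA4, 0x04, 0x00]):
            return b"", 0x6D00                                # INS not supported
        name = apdu[5:5 + apdu[4]]
        if name in self.files:
            return self.files[name], 0x9000                   # success
        return b"", 0x6A82                                    # application not found


def find_payment_application(card: SimCard, supported_aids: list) -> list:
    """Terminal logic: ask the PSE for its list first; if that fails, try every
    AID the terminal supports, one after another."""
    data, sw = card.transmit(build_select(PSE_NAME))
    if sw == 0x9000:
        apps = applications_from_fci(data)
        if apps:
            return apps
    found = []
    for aid in supported_aids:
        data, sw = card.transmit(build_select(aid))
        if sw == 0x9000:
            label = (find_all(parse_tlv(data), 0x50) or [b""])[0]
            found.append((aid, label.decode("ascii")))
    return found


# Constructed cards: one carrying a PSE, one that only answers a direct AID select.
CARD_WITH_PSE = SimCard({PSE_NAME: tlv(0x6F, tlv(0x84, PSE_NAME) + tlv(0xA5,
    tlv(0x61, tlv(0x4F, AID_DEBIT) + tlv(0x50, b"DEMO DEBIT"))))})
CARD_WITHOUT_PSE = SimCard({AID_CREDIT: tlv(0x6F, tlv(0x84, AID_CREDIT) +
    tlv(0xA5, tlv(0x50, b"DEMO CREDIT")))})

if __name__ == "__main__":
    print("SELECT PSE APDU  :", build_select(PSE_NAME).hex())
    print("card with PSE    :", find_payment_application(CARD_WITH_PSE, SUPPORTED_AIDS))
    print("card without PSE :", find_payment_application(CARD_WITHOUT_PSE, SUPPORTED_AIDS))
```

The status word is what drives the terminal’s decision: 9000 means the card had the named program and answered, 6A82 means it does not exist, and anything else is treated as failure. Note that the terminal never trusts the card’s list blindly; each name the card offers is matched against the terminal’s own supported set before the transaction proceeds, which is what the fallback loop makes explicit.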
Next time I will describe in detail what this series of operations covers and what the card and the terminal are doing in the meantime.