THALES e-SECURITY

EMV – EASY
MIGRATION GUIDE
• An impartial guide for Issuers and Acquirers looking
to migrate to EMV.
• The key issues and technologies.
• Some questions that must
be answered.
• A reference for further information.
• Produced in collaboration with other smart card
industry leaders.

BLUE STAR LIMITED

EMV – Easy migration guide
How to use this guide
Migration from magnetic stripe cards to EMV smart cards may look daunting. It is a complex task.
However, broken down into a series of logical elements it becomes much less problematical and can
even be the source of a great deal of intellectual satisfaction. Substantial professional recognition will
be due those who manage successful migrations.

Whether the reader is tasked with managing the whole project, or perhaps just discrete parts, this
document aims to provide a useful introduction to the headline issues arising from migration.

The guide has been divided into three main sections:

■ Introduction

■ Card Issuer challenges

■ Acquiring and terminal network challenges

The second two sections are then set out in the same format:
■ An Overview of the subject area

■ An exploration of the Essential Issues upon which decisions must be made

■ A list of Critical Questions that the reader should ask

■ Suggestions on where the reader can obtain Further Information to support the decision-making
process including providers of relevant products and services

At the end of the document, the Critical Questions are then repeated in checklist format for clarity
of planning. Finally, overviews and contact details of the technology and service providers named in the
guide are provided.

1
2
Introduction
to

EMV

3
 Introduction to EMV
The development of the smart card may well turn
out to be one of the most fundamental changes
yet seen by the global payments industry.
Despite concerted development, magnetic stripe card technology has reached a technical dead-end.
A magnetic stripe simply cannot carry the strong security needed to keep cardholder details secret.
Once criminals found out how easy it was to make copies, fraud grew rapidly and now costs Visa
members in the EU alone around €1 million a day.

But the limited security does more than leave private information vulnerable. It also means magnetic
stripe cards have little scope for more than one or two simple financial applications on a single card.

Against this background the smart card is revolutionary. The smart card works by storing information
securely for use during a transaction and by performing checks and processes using its internal
microprocessor. Very much larger memory capacity enables it to hold multiple applications – for
example an ‘anchor’ debit card application, plus a number of others which do not have to be financial.

Early movers in the market have shown that smart cards reduce losses due to fraud while generating
new revenues and differentiation.

The move to smart cards is not a free-for-all. The major card associations have collaborated
to develop the EMV (Europay, MasterCard, Visa) standard, a mechanism by which the payments
industry is seeking to ensure that cards, terminals and other systems will successfully interact,
for debit and credit applications at least, wherever they are in the world.

The EMV specifications describe core attributes including physical and electrical characteristics, how
data and functions on the card are to be accessed, and how card security is structured, but they leave
the detail of individual financial applications to card associations to define.

For all card Issuers, the question is not: ‘should we migrate to smart cards,’ but: ‘when should we
migrate to smart cards?’ The major card associations have set a date for migration to EMV cards
in Europe to be completed by January 2005, with different dates for other regions around the world.

Issuers need to bear in mind that this date is not the starting gun for migration – it is the date by
which the whole of their card base and its supporting infrastructure should be EMV compliant. Testing
and any pilot scheme should be completed well before this date.

Typical schemes with three-year replacement cycles mean that cards issued in February 2002 will still
be in circulation past the January 2005 deadline.

Given this effective count down to EMV, it is likely that there will be a rush as the date looms nearer,
squeezing the amount of time technology vendors can devote to each Issuer. Better service and more
comprehensive support may be available to the early adopters.

There are, anyway, compelling differentiation and fraud prevention reasons why all Issuers should
consider moving quickly. American Express found that new customers in the US and the UK were
attracted by promised extra security and the novelty value of EMV smart cards. Early adopter market
advantage is therefore a reality.

Also a reality is the certainty that the last card Issuers to migrate will inevitably be the concentrated
target of fraudsters as the strong security of EMV smart cards closes the window of opportunity
for crime.

4
Critical questions about EMV

What is the date of the EMV migration for my country or region set by the card
associations of which I am a member?

What level of testing period do I want to allow myself before going live with my EMV card
base/infrastructure?

Which vendors will I select to help facilitate my move to EMV?

When do I start migrating my card base to EMV cards, bearing in mind that the cards
I am issuing today might still be in circulation after the EMV migration date?

What extra business can I generate by achieving first mover advantage in my markets
by moving to smart cards?

Am I actually losing business by not moving more rapidly to smart cards?

Am I being targeted by fraudsters because competitors have already migrated?

Further information

■ EMVco ■ JCB

■ MasterCard ■ Visa

5
6
Card
ISSUER
Challenges

7
 Card Issuer challenges
Overview

As a card Issuer, there are many challenges that need to be considered when moving to EMV.

A smart card must be programmed with an operating system (often called a mask) before it can be
loaded with applications, in much the same way as a PC needs Windows or Linux before it can run
applications and have any utility for users.

Then, when an application such as Visa’s VSDC (Visa Smart Debit Credit), MasterCard’s M/Chip or
JCB’s J/Smart is loaded onto a smart card, together with unique data that personalises the
application to an authorised cardholder, the card can interact with payment terminals to perform
secure transactions.

One further major advantage is that cards can be securely up-dated or re-programmed in the field. An
Issuer can update the EMV risk management parameters on the card while the card is at a terminal.
This could mean raising the offline transaction limit or even disabling the card. New applications can be
loaded automatically too, but this is more likely to take place at dedicated terminals or over the Internet
since card holders and merchants are unlikely to tolerate the process slowing up transactions.

The winners in the move to smart cards are likely to be those Issuers who most successfully exploit
such flexibility to offer the most compelling proposition at the lowest cost.

The following Essential Issues section is further sub-divided into the following areas where readers
may need to make decisions:

■ Financial applications

■ Non-financial applications

■ Application security

■ Smart card selection

■ Upgrading the existing back office systems

■ Data preparation and card personalisation overview

■ Data preparation

■ Card personalisation

8
Essential Issues
Financial Applications
EMV credit/debit applications
The EMV specifications set out the headline data parameters for banking product types (for example,
classic, gold and platinum cards), but leave the detail to Issuers’ discretion. It might be helpful to think
of the EMV specifications as a framework that imposes a basic set of risk reduction measures while
giving Issuers freedom to select the strength of the further security parameters they apply.

Global card associations produce their own interpretation of the EMV specifications and provide them
to Issuers. Examples include:

■ JCB (J/Smart)

■ MasterCard (M/Chip)

■ Visa (VSDC)

Most card associations offer both an SDA (Static Data Authentication) and a DDA
(Dynamic Data Authentication) *card authentication mechanism within their credit/debit application.

Domestic card brands

In addition to the global brands, local ‘domestic’ cards are proliferating. Nominally independent of the
global brands, they are often required to work out-of-area so that they can be used by cardholders
travelling on business or leisure. Issuers therefore often form joint marketing and processing
relationships with the global brands, enabling cardholders to access cash via ATMs, and in some
instances to make purchases at merchant outlets when travelling. The most common schemes are
MasterCard’s Maestro and Visa’s Delta for cash purchases. ATM-only schemes include MasterCard’s
Cirrus and Visa’s Plus.

e-Purses including CEPS and Mondex

Electronic purses have been developed and deployed by a significant number of financial institutions,
but they have serious drawbacks. Lack of interoperability between schemes, poor geographical
coverage and the fact that most purses only support a single currency are three of a number
of factors that have severely limited take-up.

The development of the CEPS (Common Electronic Purse Specification) is the payment industry’s
attempt at an international standard to resolve these problems. Its proponents hope that CEPS will
allow organisations to confidently invest in infrastructure and applications, resulting in electronic purse
products becoming a very much more familiar feature on the card application landscape.

However, some experts believe that the business case for CEPS as a global scheme is unproven
and that we will see instead the emergence of niche and national e-Purse products.

One alternative e-Purse to CEPS is Mondex, which is already used in numerous implementations around
the world.

It should be noted that the migration to EMV smart cards will create an environment in which e-Purse
applications could work and be readily accepted.

*See section on Application Security.

9
 Critical questions about financial applications

What payment schemes do I want to support with my cards?

What are the standards and mandates of those schemes?

Do I want to support single or multiple applications or a mixture of both?

Do I want to offer my customers an electronic purse?

Are there any other legal issues specific to my country that I need to consider such as
data protection laws?

Further information

■ Thales e-Security ■ EMVco

■ American Express ■ JCB

■ CEPSco ■ MasterCard

■ Diners Club International ■ Visa

■ Discover Card

10
Non-financial applications
Multiple applications on a single Card
A multi-application smart card, in addition to providing debit or credit functionality, might also work
as a store chain loyalty card, a library card, a gymnasium membership card – the possibilities are very
broad. Indeed, some industry commentators have suggested that there is no technical reason why a
single smart card should not securely carry all the personal information in the average person’s wallet
including driving license and social entitlement details.

There is no doubt that the relative simplicity of a single application card provides the easiest and
fastest route to EMV issuing, with all the benefits of brand visibility, leadership and market penetration
that rapid deployment will generate for early adopters.

But it is unlikely to be as cost-effective as a multi-application card.

The more useful applications a single card holds, the more indispensable it becomes. The higher the
perceived value, the less likely the customer is to switch to an alternative card, even though it may
offer a lower interest rate. An Issuer that opens its card to applications from third-party providers
not only spreads card deployment and management costs but also generates further income streams
through its rental of card ‘real-estate’.

Small wonder that the overwhelming majority of industry experts expect multi-application cards
to eventually become dominant.

Over 50 companies, including all the major card associations, are now members of the GlobalPlatform
alliance that is working to establish standards for EMV multi-application smart cards and to promote
their deployment.

Online retail applications and Internet banking

Although the EMV specification was not designed with such applications in mind, the cryptographic keys
on a smart card are capable of generating what is effectively an electronic signature.

This means that the core application on a card, such as VSDC, M/Chip or J/Smart, could help secure
on-line retail transactions and help provide a secure logon for Internet banking, as well as card present
debit/credit functionality.

11
 Critical questions about non-financial applications

My card will have an anchor financial application. But do I want it to carry other
applications such as a retail loyalty scheme?

Do I want the card to support Internet banking?

Will I create the additional applications in house, use third party developers, or accept
applications provided by partners?

Further information

■ Catuity ■ Proton

■ Datacard ■ Welcome Realtime

■ Gemplus

12
EMV application security
EMV specifications define a four-element framework for the security of credit/debit card
payment applications:

■ Card authentication – The means by which a terminal can ascertain that a card is genuine.
(See section below on SDA and DDA).

■ Risk management parameters – The card records all transactions and decides when pre-set
thresholds (cumulative or single transaction value) have been reached, so triggering an on-line
transaction.

■ Off-line PIN – Smart cards are able to store data securely, offering the opportunity for PIN
verification to take place on the card itself. This saves the need to carry out a PIN-based
transaction on-line.

■ Online mutual authentication – The means by which an Issuer can satisfy himself that
a transaction has genuinely come from a specific and authentic card as well as the card ensuring
that the approval/decline response has been sent by the authentic Issuer.

EMV does not specify the cryptographic algorithms and key management schemes to be used
for authenticating transactions. It does define an eight-byte data element called an Application
Cryptogram that is securely bound to the details of each transaction. The fact that different key
management methods and algorithms may be adopted is perfectly satisfactory since the cryptogram
is not an interoperability parameter, being handled only by the card itself and Issuers’ transaction
authorisation systems.

The card associations have defined for their members all the details not included in the EMV
specifications. In addition some other schemes have evolved for specific geographical areas.
An example is the UKIS scheme defined by APACS in the UK for smart card trials.

EMV smart cards need around 50 data items to be created for loading onto the chip. Between
10% and 20% of these are produced using cryptographic processes implemented on a security
module such as the Thales P3CM. Secret values such as keys and PIN are also encrypted by the
module using a shared key to ensure their secure transmission to the personalisation system.

In addition to general security principles, there are also local legislative issues that can have a bearing
on card security. These include data protection laws, digital signature legislation and e-money legislation.

The choice of SDA or DDA in credit/debit applications

One of many decisions facing card Issuers is which of two alternative technologies to use when verifying
the authenticity of smart cards when used in a terminal.

Magnetic stripe cards carry a verification value (CVV) or card verification code (CVC) that can only
be checked during on-line transactions.

Smart cards, designed from the outset to support off-line as well as on-line transactions, use two
alternative techniques.

The simpler, and cheaper, of the two is SDA or Static Data Authentication. This is a process where the
same digital signature is used by the card to authenticate itself to a terminal each time a transaction
takes place. It does not require a public key co-processor on the card.

The more complex option is DDA or Dynamic Data Authentication. It creates a unique digital signature
each time the card is used off-line rather than continually using the same one. This means that it is a
more secure technology and consequently it is more expensive, requiring a public key co-processor on
the card – something which can as much as double the unit cost.

13
 Although less secure than DDA, Issuers remain confident in SDA because when a card goes on-line it
generates a unique transaction-related cryptogram. The cryptogram means a “skimmed” card would be
immediately recognisable, enabling it to be instantly disabled. The off-line risk remains, but its
probability can be greatly reduced with careful configuration of the EMV risk parameters.

Critical questions about application security

Do I want the extra security of DDA?

What EMV risk management parameters should I select and what values should they
be set to?

Will I use the off-line PIN functionality and what other, if any, Cardholder Verification
Methods should I support?

Is there legislation, such as data protection law, that might impact the security of my
applications?

How can I modify the off-line PIN after the card has been issued?

How can I modify the EMV parameters after the card has been issued?

How do I manage the information flows and business rules when I allow third party
applications to make use of my card real estate?

Further information

■ Thales e-Security ■ Aconite Solutions

■ EMVco ■ JCB

■ MasterCard ■ Visa

14
Smart card selection
Proprietary card platforms
Manufacturers that have spent vast sums developing smart card technology quite sensibly wish to
maximise the return on their investment. One way they can do this is by making it advantageous for
Issuers to buy all their smart cards from a single source, rather than from two or more.

The cards may be cheaper, or perhaps offer distinctive functionality – but unlike open platform cards
(see below) they are proprietary and therefore not capable of interoperating with cards from other
vendors.

Card price is primarily determined by the memory size (EEPROM or E2PROM) Multi application cards
require larger memory – typically 16K or above EEPROM – to store the additional information.
Proprietary, single application cards use less memory – typically in the range 2-4K EEPROM –
and are therefore cheaper.

There are over 20 vendors of smart cards globally. Most have single application as well as multi-
application platforms with memory capacities ranging from 2 to 64 Kbytes. Many offer data
preparation and card personalisation services to support their proprietary schemes.

It is not within the scope of this paper to provide an analysis of the differences between the proprietary
schemes. Readers wishing to explore them should contact card vendors for information.

Multi-application, open card platforms

As is the case with so many technologies, vendors and interest groups use many different and
contradictory definitions and terms to describe smart cards.

Safe positioning statements to make about an open smart card are that it:

■ Supports a wide variety of suppliers in both chips used and card software and applications
implemented

■ Supports standards-based application development and maintenance/support

■ Supports selectable levels of security

■ Facilitates partnership and co-developments with companies in the same and in other industries

■ Allows Issuers to experiment in finding and developing new value propositions

■ Has a declared development path that aims to protect existing investment.

Card buyers talking with multiple vendors will be offered a number of different multi-application
architectures including Java Card, GlobalPlatform and MULTOS.

Java Card
Java Card is not an operating system but a series of specifications, which defines how a Java Virtual
Machine can run on any vendors’ underlying operating system.

In most cases Java implementations are migrating toward support of the GlobalPlatform standards
and API described below.

15
 GlobalPlatform Card
This is a comprehensive system architecture (published at www.Globalplatform.org) designed to enable
fast and easy development of globally interoperable smart card systems.

It includes published APIs and specifications that enable any compliant card from any vendor to be
issued, loaded with applications and managed in exactly the same way.

GlobalPlatform sits above the Card OS (it accommodates multiple card OS solutions) and provides the
security framework (and other features) for multiple card applications. A major benefit is the
comprehensive security it delivers to Issuers, enabling them to retain total control of the card and
applications.

MULTOS Card
MULTOS is a high-security multi-application card operating system. It has been developed as an open
platform for financial and related applications.

The security of the operating system and its applications is based on asymmetric cryptography,
simplifying the secure loading and deletion of applications. All MULTOS chips have a public key co-
processor as standard.

Critical questions about smart card selection

Do I want a single or multi-application card?

Will I select a proprietary card supplied by one supplier, or choose an open platform
solution with cards from multiple vendors?

What memory size do I need on the card?

Will I apply segmentation to my card base and will I create a mix of proprietary EMV-cards
and Open Platform cards?

Further information

Card platforms
■ GlobalPlatform
■ MAOSCO (MULTOS)
Card suppliers
■ Austria Card ■ ID Data Systems ■ PPC Card Systems
■ Cardag ■ Incard ■ Schlumberger
■ DNP ■ -Infineon ■ Setec
■ Fabrica Nacional ■ Iris Tech ■ Toppan
■ G&D ■ Novacard ■ Keycorp
■ Gemplus ■ Oberthur
■ Hitachi ■ Orga

16
Upgrading the existing back office systems
Magnetic stripe card issuance and management is supported by tried and tested legacy back
office systems.

One challenge for Issuers looking to migrate to EMV smart cards is how to provide similar automated
support facilities for the new card technology. Single application smart cards are significantly more
complex and therefore demanding of support systems than magnetic stripe cards.

This is one reason why upgrading or modifying existing support systems to handle smart cards
is thought by most experts to be not cost-effective.

Multi-application smart cards present back office support systems with an even more complex support
task. The route preferred by most Issuers, particularly those moving to multiple-application cards,
is therefore to concentrate smart card issuance and management support in a separate, dedicated
solution that interfaces to the legacy back office issuing and acquiring systems.

Such a solution is called a Smart Card Management System.

Smart card management systems

Smart Card Management Systems (SCMS) manage cards and applications throughout their entire life
cycle, before and after issue to customers. They enable the loading, blocking or deleting of applications
at any time, and make new card-based services instantly available via the Internet or private network.

Smart Card Management Systems also store details of every smart card issued, making the
replacement of lost or stolen cards both fast and simple. The same information can also be used
to create a comprehensive database of cardholders and their application preferences.

Some smart card management systems support the setting and changing of application parameters
during issuance and in the field, including EMV risk parameters.

17
 Critical questions about upgrading backoffice systems

Do I want to source my cards from multiple vendors?

Do I want to support more then one different card type or card platform (like Gold,
Platinum, VISA, MasterCard, TIBC, Credit, Java, Proprietary, debit, M-chip, Multos etc)

Do I want to set and dynamically update my EMV risk parameters?

Do I want a single application card, multiple application card or a mixture?

How do I ensure that my systems support my future strategies?

How can I interface between my issuance and acquiring systems?

Further information

■ ACI Worldwide ■ Cards etc.

■ Bell ID ■ Datacard

■ Cardbase ■ Proton

18
 D D

C C
B B
A A

name name
age age
D.O.B D.O.B
Address Address

Expires Expires
Code Code
Sort Sort

Data preparation and card personalisation overview

Data preparation is the process by which user-specific data and the complex cryptographic keys
needed for security are generated. It is the first of two steps toward readying a new card for issue.

The second is card personalisation. It includes the application of brand printing, magnetic stripe
encoding, security holograms and perhaps photographs, as well as the embossing and indenting of
typographical characters. Smart cards also require electronic personalisation. The already prepared
user data and cryptographic keys are securely loaded to the card, together with one or more
applications.

The smart card is now ready for issue.

Smart cards, with their much stronger security than magnetic stripe technology, require considerably
more data to be generated. Substantial changes to established processes are required and many
Issuers will take the opportunity for a complete re-evaluation of their data generation and
personalisation arrangements.

Three main business models

There are three main models for data preparation and the subsequent card personalisation.
The decision over which one is adopted is usually based on best practice security considerations
as well as cost:

Outsource data preparation and card personalisation to a bureau

The Issuer sends existing magnetic stripe records output from its host system to a bureau that carries
out the entire process from data and cryptographic key generation to card personalisation.

Data preparation in house, card personalisation outsourced to a bureau

The Issuer processes existing magnetic stripe records output by their host system, generating data
and cryptographic keys in house. It then sends the resulting file containing all the traditional magnetic
stripe and additional chip data to a bureau where smart cards are personalised. In this model the bank
retains control of its own cryptographic master keys.

Data preparation in house, card personalisation in house

The Issuer processes existing magnetic stripe records output by their host system, creating the
cryptographic keys and extra data required for EMV cards. It then personalises smart cards using
a desktop personalisation machine or high volume personalisation system in house.

19
 Critical questions about data preparation and card personalisation

Which model should I adopt for data preparation and card personalisation?

Further information

See sections on Data Preparation and Card Personalisation.

20
 D

C
B
A

name
age
D.O.B ss
Addre

es
Expir
Code
Sort

Data preparation
Principal approaches to data preparation
Data preparation can be achieved with any of the three following methods:

B
C
D
Development of own host system
A

A route chosen by some Issuers is to develop the required data and key generation technology
name
age
D.O.B ss
Addre

es
Expir
Code
Sort

in house. It is only an option for Issuers with particularly well-funded internal IT departments, and
it does have significant ongoing implications in terms of cost and pull on resources.

This is because data and key generation is a complex, specialist field and not one in which generalist IT
developers can rapidly gain expertise. There are many instances where internal development programs
have been started, then abandoned as the scale of the task became apparent and as costs rapidly
escalated. Another factor is constantly changing specifications that further absorb costly development
time and divert IT staff from core activities.

Outsource
Outsourcing data preparation to a bureau is therefore seen by some as a better alternative. However,
it too has its potential downside. Today’s bureaus offer a highly secure solution with the very highest
integrity. Even so, many Issuers will still insist on keeping smart card data preparation in house.
This may be for legal or contractual reasons, but it is more likely to be because of a conservative
approach to risk management. Central to best practice in security is that the number of people
handling cryptographic keys is kept to an absolute minimum. Outsourcing introduces more people
into the production chain and therefore introduces more potential points of weakness or attack. It also
requires Issuers to cede responsibility for managing the extra risk, and therefore ultimately the integrity
of scheme security, to a third party.

In-house with EMV data preparation solution such as Thales P3TM

Many, perhaps most Issuers, have a fundamental aversion to anything less than 100% control over
security. They have always generated the data for much simpler magnetic stripe cards in-house and will
wish to continue to do so for smart cards. They do not see in-house development of a data generation
system as an option because of cost and drain on IT resources.

Their solution will be the purchase and in-house operation of a data preparation system such as the
Thales P3.

P3 integrates with host systems and card personalisation devices to generate EMV smart card data
and keys from existing magnetic stripe card files.

EMV parameters
The process of data preparation includes the setting of EMV parameters for risk management
purposes. These parameters offer the Issuer options to tailor risk management to batches of cards, or
if required sometimes even on a per-card basis. With a potentially confusing number or combinations
of parameters the card associations offer recommended sets of parameters for Issuers to adopt.

Key management
Rigorous key management is essential for securing data preparation.

The system must be able to generate cryptographic keys, be able to receive cryptographic keys and
certificates from organisations such as Visa or MasterCard and also manage the keys during the
personalisation process.

Unlike magnetic stripe data, EMV smart card data contains potentially sensitive information, such as
keys derived from Issuer master keys. This means that every step in the process needs to be secured
using cryptographic hardware.

21
 The five main areas of key management that a data preparation system must be able to handle are:

■ Key generation for each application.

■ Storage of the master key and transport keys

■ Key distribution to secure the personalisation process

■ Key update of the existing keys

■ Exchange of the public keys with scheme certification authorities (i.e. JCB, MasterCard and Visa)

Critical questions on data preparation

How do I want to do data preparation?

1) Change host system

2) Deploy P3-type solution

3) Outsource

Do I select a standard set of EMV parameters as recommended by my card association or

do I select my own?

Does my data preparation system provide all the key management functionality I require
and is it secure?

How do I manage my card products?

How do I handle large volumes of cards to be issued?

How do I manage the workflow?

Further information

■ Thales e-Security

■ Cryptomathic

■ UBIQ

22
Card personalisation
Card personalisation can be a costly and complex business, depending on the size of customer
cardholder base and the number of different card products that an Issuer offers.

The larger Issuers historically have employed their own in-house card personalisation bureaus for the
production and issuance of cards. High card volumes help justify the expense of secure premises,
card personalisation systems and skilled staff.

There are three options when considering personalisation:

In house bureau
It is believed that the majority of cards will be issued from central in-house bureaus for the foreseeable
future. Smart card personalisation is slower than magnetic stripe personalisation, mainly due to the
vastly increased amount of data and cryptographic keys to be loaded onto each card. However,
personalisation equipment providers have developed solutions to this problem including systems that
program multiple cards simultaneously.

External bureaus
Most bureaus are also card manufacturers who realised that they were missing out by not providing
a much needed value-added service.

There are over 90 Visa/MasterCard certified card manufacturers worldwide, and the majority of these
also provide personalisation services. Most bureaus are regional, but there are global players including
SchlumbergerSema, Gemplus, Oberthur & G&D.

Distributed or remote instant issuance

From a bank customer perspective, card issuance is a slow process. Most are resigned to the fact
that in even the quickest of systems many days elapse between the completion and submission of the
application form, and the arrival by separate post of the card and its PIN.

Instantaneous production of smart cards, at the point of application, will become an important
marketing tool for Issuers in the near future. It is already a feature of magnetic stripe card products
in some countries.

In regions with good telecommunications, remote sites will be able to communicate in real time with
the centralised host system for the generation of card data. If telecommunications are bad, Issuers will
have to adopt a distributed issuance model, where details are stored and forwarded to a central
system later.

Post-personalisation
Multi-application smart cards can be re-programmed in the field. New applications can be loaded and
old ones removed when the cards are used at compliant terminals.

Called post-personalisation, this powerful feature gives card Issuers the unique ability to provide a card
product that better supports the lifestyle of their customers, promoting usage and providing
cardholders with greater benefit and perceived value.

In order to support this business model, Issuers need to deploy infrastructure (such as a Smart Card
Management System) that allows the generation and delivery of secure personalisation data, in the
correct format for the target card, to remote devices in a real time mode.

23
 Physical and cryptographic security considerations
The card stock has to be physically protected during the production and personalisation stages. From
the production process perspective, security controls have to be implemented once the white plastic
has had the Issuer and card association logos, brands and holograms applied. This includes physical
protection of premises as well as management control and procedures. The stringent physical security
controls aim to stop printed unpersonalised cards from finding their way into the wrong hands where
they could conceivably be used fraudulently, causing harm to the Issuer and Association brands.

It is standard practice for the international card associations to annually audit all facilities that produce
association branded cards.

There are major differences between the cryptographic security arrangements on magnetic stripe
bankcards and those on smart cards.

Magnetic stripe card production involves the generation of three cryptographic elements:

■ PIN Verification Value (stored on magnetic stripe)

■ Card Verification Value/Code I (stored on magnetic stripe)

■ Card Verification Value/Code II (printed on reverse of the card)

This is typically carried out by the Issuer using a suitable hardware security module during the
production of card data. The values are then included into the card record, and the batch file
subsequently used for personalisation.

Once the data is produced, there is no meaningful value to be gained from these data elements,
as they are cryptograms. Therefore, there is no requirement to protect the individual data elements
being transferred from the Issuer host to the personalisation system. However, it should be recognised
that most Issuers still protect the batch file during transmission to the personalisation machine.

Smart card production is a fundamentally secure process, featuring a final round of cryptographic
processing before applications, Issuer and cardholder data are loaded onto a smart card. Card data
arrives at the personalisation system encrypted and with an associated message authentication code.
Blank cards are also cryptographically locked at the initialisation stage following manufacture, and can
only accept data following presentation of the correct so-called transport key.

Critical questions on card personalisation

Where do I want to personalise my cards?

1) In house bureau?

2) Outsource to a 3rd party bureau?

3) Instant issuance at a branch level?

Do I want to consider post-personalisation of new applications to my cards?

How do I manage the workflow?

24
Further information

Personalisation machine suppliers Personalisation bureau services

■ Atlantic Zeiser ■ Gemplus

■ CIM ■ G&D

■ Datacard ■ Oberthur

■ Datacard - Gilles Leroux ■ SchlumbergerSema

■ Fargo

■ Logika

■ Mattica

■ Mulbauer

■ NBS

■ Orga

25
26
Acquiring and Terminal

NETWORK
Challenges

27
 Acquiring and Terminal
Network Challenges
Overview
Despite only being concerned with the process flow between terminal and smart card, the EMV
specification has implications for retail bank host systems, and for ATM and EFTPoS systems.

Issuer Transaction Processing and Host Systems

Hosts must be upgraded to process on-line or batch transactions from devices using message
protocols enhanced from their magnetic-stripe equivalents. Network interfaces will need enhancing to
transmit EMV data when transactions are switched out to Issuer banks for authorisation. And on-line
authorisation capabilities will also require upgrading.

With on-line EMV transactions, Issuers are required to receive extra chip-related data in the on-line
message and reply to the Acquirer, and therefore to the device, with additional response data. This
includes authentication using the authorisation request cryptogram (ARQC) and authorisation response
cryptogram (ARPC) in a process known as on-line mutual authentication (OMA). The Issuer’s host
needs to be enhanced to provide this processing, which it does in conjunction with the host security
module and secret keys encrypted ultimately by local master keys maintained by the HSM.

EMV allows Issuers to use scripts to modify data elements such as the PIN or risk parameters on a
smart card during on-line transactions. Since this is a sensitive process, these scripts must be
secured with the use of cryptography, again involving the use of an HSM. As scripts are now being
generated by the on-line host processor, this demands much closer integration with card management
systems than is the case with magnetic stripe cards.

Where banks are both Issuers and Acquirers, all of the changes described here are applicable.

Interchanges
There are multiple interchanges (or switches) operating in most countries, with the most well known
being the international interchanges operated by Visa and MasterCard. They act as network hubs,
routing on-line authorisations from the Acquirer (acceptor) of a transaction to the Issuer for
authorisation.

To correctly route EMV transactions, interchanges - like host systems - will need to handle the
enhanced inter-bank transaction protocols required by smart cards.

Settlement
Currently most Acquirers and Issuers settle regularly with an interchange. This is normally
done through an exchange of batch files (for example Visa Base2) between the interchange and
its member banks. EMV impacts this process by adding chip-related data to the transaction records
within these files.

28
Critical questions about Issuer Transaction Processing and Host Systems

Do I want to be able to change EMV parameters on already-issued cards (for example

increasing the card’s transaction value limit)?

Has my interchange or switch been enhanced to accept EMV related data?

Has my settlement process been enhanced to accept EMV related data?

Is my infrastructure capable of blocking cards and applications if needed?

Have I upgraded my host system to accept OMA (Online Mutual Authentication,

ARQC/ARPC)?

Will my host system cope with the volume of extra data associated with EMV?

Will I need to support the generation of Issuer scripts and, if so, has my host been
upgraded to do this?

Further information

Transaction Processing Transaction authorisation

and Terminal Acquiring
■ ACI Worldwide
■ ACI
■ Aconite Solutions
■ Aconite Solutions
■ E-Funds
■ CR2
■ IFS
■ IBM
■ Logika
■ Mosaic Software
■ Mosaic
■ Nomad
■ Nomad
■ Oasis
■ S2Systems
■ SchlumbergerSema
■ Thales e-Security

Type approval

■ EMVco

■ MasterCard

■ Visa

■ JCB

29
 ATM/EFTPoS networks
The change from magnetic stripe to smart cards will not happen overnight. Magnetic stripe cards will
be in use for many years to come. During the transition, terminals, payment networks and host
systems must support both types of card.

Type approval
For a terminal to be legitimately used for accepting EMV transactions it must have first been certified
(type approved) by a body appointed by the card schemes. EMVCo has worldwide responsibility for EMV
terminal type approval, but the testing itself is subcontracted to qualified test laboratories.

Certification testing is at two levels: Level 1 concerns mainly terminal hardware. It verifies
communications with the chip card and checks for correct electro-mechanical interaction.

Level 2 concerns mainly terminal software and ensures compliance with EMV specifications for
transaction flow and card/terminal interaction.

Any terminal used by banks for acquiring EMV transactions must be approved for both level 1 and
level 2. Terminal hardware and software may legitimately be from different vendors, independently type
approved by those vendors, respectively.

Terminals
The majority of ATM and EFTPoS terminals in current use only perform magnetic-stripe based
transactions, even though some support smart card functions but would require a software upgrade.
Others support smart cards, but typically older versions of the EMV specification. They will also
need upgrading.

A small number of ATM networks have been performing chip-based transactions for some years. Use
of the magnetic stripe is still anticipated – although in the future it will mainly be used to establish the
correct orientation for the card, except of course for magnetic stripe transactions when a non-chip
card is used.

ATMs typically need a substantial software upgrade to cope with EMV cards. Many of the leading ATM
manufacturers have already released type approved software but to date there are few deployments.
The slow take-up is partly due to such software only recently becoming available, and partly due to the
enhancements needed at host systems to accommodate the new application protocols.

Hardware upgrades are also required on some ATMs. The size of the upgrade is very dependent on
the particular style of ATM but varies from a simple change to the card reader to a full upgrade of the
ATM Processor.

For stand-alone dial-up EFTPoS terminals already incorporating chip card readers, EMV acceptance
is simply a matter of upgrading the resident software application. Such terminals are usually owned
by Acquirer banks or processors, making upgrades the responsibility of those organisations and not
the retailer.

Such a software upgrade can often be made remotely over the terminal network. However, this will
also require an enhanced transaction protocol between terminal and host, necessitating an upgrade at
the host also. As the protocols involved tend to be simpler than those used with ATMs, such host
enhancements are not normally a major obstacle to EFTPoS smart card acceptance.

Those stand-alone EFTPoS terminals that do not currently accept smart cards require either a
hardware upgrade or replacement. The upgrade route may seem the most cost effective but the
owner must be aware that there are performance considerations to be taken into account. For
example an old generation product that has been upgraded may result in lengthy chip transaction times
due to increased processing requirements. This will only get worse in the future with the introduction
of longer keys for increased security.
30
Consequently, the short term cost advantages of hardware upgrades must be balanced against the
impact on customer satisfaction (longer waiting times at the checkout). The ideal solution is to replace
the entire estate with the latest generation products but this can be costly. For those markets that are
migrating to PIN customer verification (such as the UK) the situation is even more complex. Upgrades
will have to consider not only chip but also PIN acceptance.

The situation is complicated somewhat by a second category of retail EFTPoS terminal. Many large
multi-lane retailers like supermarkets and department stores use integrated EPoS devices that combine
payment and checkout functionality. Upgrades will require significant programming effort to integrate
the software applications that handle bar code scanning, inventory and other functions with the EMV
payment transaction process.

As these devices are owned by retailers themselves, upgrades (and in the UK, off-line PIN also) will be
their responsibility. In general, however, retailers are viewing the shift to EMV positively. There will, for
example, be simpler point-of-sale procedures with less reliance on paper signatures, reduced potential
for fraud, faster checkout times, higher floor limits, and more scope for unattended terminals through
the use of offline PIN.

Critical questions about ATM/EFTPoS networks

Have I upgraded my ATM/EFTPoS network to physically accept EMV cards?

Have I upgraded my ATM/EFTPoS terminal software to accept EMV cards?

Have I selected terminal and hardware that has already been appropriately type approved?

Have retailers in my markets agreed to update retailer owned EFTPoS terminals?

Have the retail outlets in my region been educated about EMV?

Has my ATM/EFTPoS management system been upgraded for EMV?

Have I taken into account the testing and approval process of EMV ATM/EFTPoS
terminals in my implementation plan?

Is my implementation future proof - i.e. processor speed, memory and will terminals handle
multiple applications in the future?

Do I replace or upgrade my ATM/EFTPoS network?

How long will it take to upgrade my ATM/EFTPoS network?

What training will I perform/recommend for retailers?

What do I do with my old terminals?

Further information

■ ACI ■ NCR
■ Aconite Solutions ■ Thales e-Transactions
■ Ingenico ■ Verifone
■ Mosaic Software

31
 Appendix 1 –
Contributors to this document
THALES Thales, one of the globe's leading suppliers of integrated security solutions, addresses the business
security needs of corporates and governments alike, protecting transactions, networks, identification
documents and sensitive sites. Thales' security capability extends to security and payment technology
for financial transactions, networks and e-commerce. An acknowledged expert in smart card
technology and applications, Thales is a European leader in security critical electronic payments,
integrated Electronic Fund Transfer (EFT), e-purse payment and secured keyboards, as well as being
the UK's leading supplier of electronic card payment terminals.

ACI www.aciworldwide.com
ACI has been a leading company for more than 25 years with a worldwide presence in more than
80 countries focussing on payment engines for the financial industry and smart card management
systems. Amongst ACI’s more than 2000 customers are the leading financial institutes. ACI’s Smart
Card Division is based in Gouda, the Netherlands. It develops and delivers products to handle the
complete issuance, life-cycle management and workflow management for smart cards of any type
of card and purpose.

ACI views EMV migration as of prime strategic importance. Its wide ranging product suite (ACI Smart
Chip Manager, Base24) covering both the issuing and acquiring side of the business has already helped
over 50 banks to migrate to EMV. ACI’s expertise in the EMV arena has been a key factor in successful
migration projects.

ACI Smart Chip Manager is deployed in the financial industry, health care, public transport, ID and
Government. Implementations range from small-scale single-application pilots to large-scale rollouts
of leading-edge multi-application schemes containing many millions of cards.

Banks aiming for the simplest form of EMV migration already reap the benefits of ACI Smart Chip
Manager. Legacy systems can be seamlessly integrated into the new chip-processes without the need
for extensive re-engineering. Any mix of card and chip types can be supported.

One of the strong features of EMV is the ability of parameter management. ACI Smart Chip manager
allows this capability as an additional module. It interfaces to ACI’s acquiring systems or third party
payment engines and terminal management systems.

It’s a challenge for most issuers to finally migrate to a full multi-application smart card scheme. ACI
Smart Chip Manager can easily be extended to full multi-app including additional post-issuing functionality.

ACONITE www.aconite.net
Aconite is a business IT consultancy and software solutions provider with specialist expertise in smart
card systems, EMV, Security and e-Trust.

Aconite invests in solutions which address EMV migration, smart card systems management, business
IT and trusted computing.

Established in 2000, Aconite has expanded at pace, gathering a dynamic team with unique experience
in their respective fields. Aconite recruits experienced professionals with a combination of technical
skills and business acumen to apply technology effectively.

Working alongside leading financial institutions and retailers, Aconite's client list includes Royal Bank of
Scotland, Standard Chartered Bank, Coutts & Co, Visa, LINK and Marks & Spencer.

32
 Flexible, pragmatic and committed, Aconite provides clients with applied consultancy, inventive
technology and business understanding. Delivering focused assistance in strategic, technical and
operational areas, Aconite is a dependable partner for clients seeking to exploit innovative approaches
to complex business issues.

DATACARD www.datacard.com
Datacard provides customers in more than 200 countries with the systems, software, and consultative
expertise they need to launch and maintain profitable card programs. The company helped transform
the world for consumers and card issuers more than 30 years ago by enabling secure, high-volume
issuance of magnetic stripe-based financial cards. Today, more than 90% of the world’s financial
cards—and the majority of plastic cards used for other applications—are personalised with Datacard‚
brand systems and software. Many of the world’s leading financial institutions and consumer marketers
plan to issue single & multi-application smart cards, and Datacard’s smart card infrastructure will be
used to personalise, distribute and manage a vast majority of these cards. Through industry
associations such as Global Platform and the Smart Card Alliance, Datacard is also helping to define
and then implement open standards and interfaces needed to issue cards and manage the data
needed within a comprehensive smart card issuance program. Datacard is a privately held company
owned by the Quandt Family of Bad Homburg, Germany. Datacard is headquartered in Minnetonka,
MN, with a sales and service network of direct sales organisations, dealers, distributors and value
added resellers in over 120 countries. Additionally, worldwide operations include software development
centres in the U.S., U.K., India and Japan. The company employs more than 1,600 people worldwide
and generates annual revenues of more than $300 million.

GEMPLUS www.gemplus.com
Gemplus helps its clients offer an exceptional range of portable, personalised solutions that bring
security and convenience to people's lives. These include mobile Internet access, inter-operable banking
facilities, e-commerce and a wealth of other applications.

Gemplus is the only completely dedicated, truly global player in the Smart Card industry, with the
largest R&D team, unrivalled experience, and an outstanding track record of technological innovation.

Gemplus' offer in EMV: AEMV Prime - A suite of solutions guiding banks on the optimal path
to migration.

Whatever your EMV migration requirements, you will find that Gemplus has a solution that fits and
a team of experts to help manage your project. EMV Prime was built on three years of experience
in EMV migration and with assistance and feedback from clients all around the world. EMV Prime
covers migration planning, development, piloting and all stages of deployment. The EMV Prime modules
can be tailored to suit the needs of any client, whilst dedicated project management teams work with
you to ensure that EMV Prime lives up to its reputation.

In 2001, Gemplus was the worldwide smart card leader in both revenue and total smart card
shipments (source: Gartner-Dataquest, Frost and Sullivan). Gemplus was also awarded Frost and
Sullivan's 2002 Market Value Award for its exceptional performance.

Gemplus trades its shares on Euronext Paris S.A. First Market and on the NASDAQ Stock Market(tm)
as GEMP in the form of ADSs. Its revenue in 2001 was 1 billion Euros.

33
 G&D www.gdai.com
GIESECKE & More than 30 years' experience in smart security for payment cards have made G&D a leading
DEVRIENT supplier of electronic payment cards. In 6 years only, 100 million banking cards have been issued using
smart card software developed by G&D.

G&D is an accredited technology partner of all major international payment organisations, such
as Europay International, MasterCard International, Visa International, Proton World and Discover.

With our technological edge in the development of chip card operating systems and applications,
G&D has successfully migrated from a manufacturer of high quality magnetic stripe cards
to a leading technology supplier of microprocessor and crypto processor cards.

G&D is represented on all important international standardisation committees, i.e. MAOSCO

Consortium, Eurosmart, ETSI SMG 9, JavaCard Forum, People's Bank of China Technical Subgroup,
ISO/IEC, Smart Card Forum, Global Chip Card Alliance, Global Platform Group.

Giesecke & Devrient (G&D) is an international technology group with 150 years of tradition. Founded
in 1852, G&D first specialised in banknote printing and security paper manufacture, later adding
currency automation systems to its product portfolio. Today, G&D is also a technology leader in the
fields of smart cards and system solutions for telecommunications, electronic payments,
transportation, health, ID, loyalty, pay-TV, multimedia and Internet security (Public Key Infrastructure).

The Giesecke & Devrient Group, headquartered in Munich, operates subsidiaries and joint ventures
all over the world. G&D employs around 7,000 people worldwide and generated a revenue
of € 1.12 billion in fiscal 2001.

GLOBAL www.globalplatform.org
PLATFORM GlobalPlatform is the only cross-industry forum focused on the development, management and
promotion of specifications for multiple application smart cards, smart card applications, and enabling
devices. With support from its global Member organisations, GlobalPlatform promotes a standard
framework facilitating the implementation of smart card programs in any industry around the world.
GlobalPlatform allows flexibility in the choice of technologies and vendors through an emphasis on open
standards for cards, terminals and support infrastructure. GlobalPlatform's card, terminal and systems
specifications are the first open standards adopted by GlobalPlatform and will provide a solid foundation
from which the organisation will define the future of multiple application smart cards.

GlobalPlatform totals fifty-six Members from across Europe, USA, Canada, Australia, Japan and Korea,
including issuers, manufacturers, and vendors of multiple application smart cards, such as American
Express, Hitachi, MasterCard International, JCB, NTT Corporation, Proton World, Schlumberger,
Sun Microsystems, Thales, The Bank of Nova Scotia and Visa International, as well as several
government bodies.

HITACHI About Hitachi Europe Ltd.:

www.hitachi-eu.com/semiconductors
Hitachi Europe Ltd., is a wholly owned subsidiary of Hitachi, Ltd. Japan. It has operations throughout
EMEA which provide sales, marketing, technical support and research and development. Hitachi’s
semiconductor and display products are key components in the fields of smart cards, communications,
automotive, consumer, industrial, displays and system LSI. They include the SuperH™ RISC
microprocessors, the H8 microcontroller family, smart card controllers, TFT displays, memories (Flash
and SRAM), transistors and diodes, and network products. For reader enquiries or more information
on the products and services offered in Europe by Hitachi Semiconductor, please visit the Web site.

34
 HITACHI About Hitachi
www. global.hitachi.com.
Hitachi, Ltd., headquartered in Tokyo, Japan, is a leading global electronics company, with
approximately 320,000 employees worldwide. Fiscal 2001 (ended March 31, 2002) consolidated
sales totalled 7,994 billion yen ($60.1 billion). The company offers a wide range of systems, products
and services in market sectors, including information systems, electronic devices, power and industrial
systems, consumer products, materials and financial services. For more information on Hitachi, please
visit the company's Web site.

JCB www.jcbinternational.com
JCB is one of the international payment brands, such as Visa and MasterCard, and is also the
largest card Issuer and acquirer by itself in Japan. JCB launched its card business in 1961 and began
expanding overseas in 1981. Its merchant network includes 9.78 million merchants and spans 189
countries and territories, and serves 42 million card members worldwide. As part of its international
growth strategy, JCB has formed alliances with more than 320 leading banks and financial institutions
globally to increase merchant coverage. JCB has started the full-scale issuance of smart cards in
Japan from Dec. 2001, with "J/Smart" EMV application loaded, and has also been very active in the
smart card migration in the markets outside of Japan. For further information, please visit the JCB
International website.

MOSAIC www.mosaicsoftware.com
SOFTWARE Mosaic Software develops leading-edge software solutions in the consumer transaction space.
The Mosaic Software offices in the USA, UK, Australia and South Africa support clients that include
financial institutions, retailers, telecommunications operators, transaction processors, Internet service
providers, card issuers and data processing service providers.

Mosaic Software's product, Postilion, is a scalable, modular system designed to deliver consumer-
generated transactions at every level of an EFT network. Postilion is currently installed in more than
30 countries, where it is used for ATM driving and monitoring, EFT switching and routing, EFTPoS
credit/debit card transaction processing, Internet/call centre payment authorisations and mobile
commerce applications. Postilion reduces transaction processing costs, improves analytical capabilities
of customer transactions and increases overall transactional revenues. Postilion is fully EMV compliant
and can support EMV migration with two specific solutions:

Postilion EMV Gateway is a low-cost, fast track solution for EMV smart card compliance. Both
Acquirers and issuers can achieve EMV compliance for online transaction processing by front-ending
their incumbent systems with the Postilion EMV Gateway. Magnetic stripe transactions are processed
by the existing system infrastructure while EMV transactions are routed directly from the Postilion
EMV Gateway, avoiding the need to upgrade the incumbent system to support EMV data fields.

Postilion for Chip and PIN offers multi-lane retailers a means to rapidly support EMV chip cards and
secure PIN processing at the point of sale. Further benefits are the ability to offer sophisticated EFT
services at the till such as staff discount and loyalty programmes; authorisation of transactions at the
till even when store systems are down; a faster settlement cycle and reports to meet all store
requirements.

Mosaic Software's major partners include Thales, Stratus Technologies, Retail Decisions, MasterCard,
SmartTrust, Diebold, and NCR. Well-known companies such as 7-Eleven, Marks & Spencer, E*Trade, Bank
Leumi, TNS, ABSA, Retail Decisions, American Express and Cell-C are clients. The company is backed by
GE Equity and Comparex and is a selected technology provider to multiple GE Capital businesses.

35
 NCR www.ncr.com
As the world’s leading ATM manufacturer, NCR has deployed self-service EMV solutions across Europe,
Asia Pacific and the America’s.

NCR Corporation (NYSE: NCR) is a leading global technology company helping businesses build
stronger relationships with their customers. NCR’s ATMs, retail systems, Teradata® data warehouses
and IT services provide Relationship TechnologyTM solutions that maximise the value of customer
interactions. Based in Dayton, Ohio, NCR employs 30,400 people worldwide.

OBERTHUR www.oberthurcs.com
CARD Oberthur Card Systems, listed on the Euronext Stock Exchange (Code Euroclear 12413) since July
SYSTEMS 2000, is one of the world’s leading providers of card-based solutions, software and applications
including SIM and multi-application smart cards and services ranging from consulting to
personalisation.

Innovative products and high quality services ensure Oberthur’s strong positioning in its three main
target markets.

■ Payment : 52% of revenues in 2001. the company is the world leader and number one supplier for
Visa and MasterCard.

■ Mobile Communications : 31% of revenues in 2001, with open and interoperable solutions based on
Java™ technology.

■ Authentication and Network Security : emerging markets in which the company plays a pioneering
role, with strong expertise in security and a dominant position in e-commerce and Pay-TV.

Close to its customers, Oberthur Card Systems benefits from an industrial and commercial presence
across all five continents.

Oberthur Card Systems is a subsidiary of François-Charles Oberthur Group.

SCHLUMBERGER www.slb.com
SEMA SchlumbergerSema is one of two business segments of Schlumberger Limited, a global technology
services company. With more than 30,000 employees serving customers in 65 countries,
SchlumbergerSema aggregates IT consulting, systems integration, managed services and related
products to the oil and gas, telecommunications, energy and utilities, finance, transport and public
sector markets. Leveraging the Schlumberger DeXa* Suite of Services, it also provides IP network
connectivity, information security solutions, distributed computing support services and data centre
hosting services. In 2001, Schlumberger revenues were $14,3 billion.

THALES www.thales-esecurity.com
e-SECURITY Operating in three main markets covering e-security, card payment and network security, Thales e-
Security addresses the business and finance industry's need for cryptographic security products and
solutions used to protect a range of critical information infrastructures. Over half of the world's banks,
together with the majority of the busiest exchanges, currently use Thales technology. For more than 20
years the company has been at the forefront of security and payment technology, co-operating and
contributing to set the industry standards used for financial transactions and e-commerce globally.

36
 Thales P3
Thales P3 lets issuers deploy EMV smart cards with minimal impact on their existing systems and with
minimum cost.

It integrates with host systems and card personalisation devices to:

■ Enable creation of EMV parameters for each card holder

■ Generate, store and manage cryptographic keys for each application

■ Output files of parameters and keys for personalisation machines

■ Generate an audit log of activities

Three levels of P3 system enable issuers to deploy a Thales solution scaled to meet their individual needs.

Thales HSM
The Host Security Module (HSM) is a physically secure, tamper-resistant security server that provides
cryptographic functions to secure transactions in retail financial applications including PIN encryption
and verification, debit card validation, stored value card issuing and processing, chip card issuing and
processing, message authentication and symmetric key management.

With the optional DSP-RSA Module, the HSM can also support public key cryptographic operations
including digital signatures, certificates, and asymmetric key management.

THALES www.thales-e-transactions.com
e-TRANSACTIONS
Thales e-Transactions is a wholly owned subsidiary of the global electronics group Thales and provides
user-friendly secured solutions for card transactions. The company is a European leader in the fields
of portable, mobile and fixed electronic payment terminals, integrated Electronic Fund Transfer (EFT),
e-purse payment and secured keyboards. Thales e-Transactions’ expertise in smart card applications
for banking and commercial markets is highly acknowledged on an worldwide basis.

The solution that Thales e-Transactions proposes is a range of terminals that are appropriate for
a variety of card acceptance locations.

■ Artema Desk for standard retail where the customer attends the Point of Sale desk

■ Artema DECT for locations where the terminal needs to be taken to the customer away from the
Point of Sale desk

■ Artema Mobile where the terminal can accept transactions on the move.

These products have common core hardware platform and common software architecture which offers
the following advantages

■ Price benefits from

■ Lower certification costs from common EMV Level 1 IFM to common Level2 Kernel

■ Faster to market with regional applications through the use of a simple to use software
development toolkit

The Artema Desk product can also be provided with a TSC+ PIN pad. The first in the world to achieve
Visa PED approval to the higher security required for chip transactions.

37
 Thales also produce other terminals that are specific to local regions. Because of the nature of the
proposal these terminals have not been included in this offer but Thales would be happy to provide
further details on request.

With considerable expertise of developing EMV certified products in the main European markets, and
with a significant international presence both in and outside of the EU region, Thales e-Transactions
believes its is well qualified to be a valued partner of Visa International in the Global Cost Effective
Acceptance Project.

38
Contact information for companies
mentioned in this document

Company Website
ACI www.aciworldwide.com
Aconite Solutions www.aconite.net
American Express www.americanexpress.com
Atlantic Zeiser www.atlanticzeiser.com
Austria Card www.austriacard.at
Bell ID www.bellid.com
Cardag www.cardag.com
Cardbase www.cardbase.com
Cards etc. www.cardsetc.com
Catuity www.catuity.com
CEPSco www.cepsco.com
CIM www.cimitaly.it
CR2 www.bankworld.ie
Cryptomathic www.cryptomathic.dk
Datacard www.datacard.com
Datacard - Gilles Leroux www.gilles-leroux.com
Diners Club International www.dinersclub.com
Discover Card www.discovercard.com
DNP www.dnp.co.jp
E-Funds www.efunds.com
EMVco www.emvco.com
Fabrica Nacional www.fnmt.es
Fargo www.fargo.com
G&D www.gdai.com
Gemplus www.gemplus.com
GlobalPlatform www.globalplatform.org
Hitachi www.hitachi.com
ID Data Systems www.id-data.co.uk
IFS www.ifsintl.com
Incard www.incard.it
Infineon www.infineon.com
Ingenico www.ingenico.com
Iris Tech www.iris-technology.co.uk
JCB International www.jcbinternational.com
Keycorp www.keycorp.net
Logika www.logika.it
MasterCard www.mastercard.com
Matica www.maticasystems.it
Mosaic Software www.mosaicsoftware.com
Muehlbauer www.muehlbauer.com
Multos www.multos.com
NBS www.nbstech.com
NCR www.ncr.com
Nomad www.nomadsoft.com
Novacard www.novacardservices.co.uk
Oasis www.oasis-technology.com
Oberthur www.oberthurcs.com

39
 Company Website
Proton World www.protonworld.com
S2Systems www.s2systems.com
SchlumbergerSema www.slb.com/smartcards
Setec www.setec.com
Thales e-Security www.thales-esecurity.com
Thales e-Transactions www.thales-e-transactions.com
Toppan www.toppan.co.jp
UBIQ www.ubiqinc.com
Verifone www.verifone.com
Visa www.visa.com
Welcome realtime www.welcome-rt.com

40
Card issuing Critical Questions checklist
Does this affect me?
Introduction to EMV
What is the date of the EMV migration for my country or region
set by the card associations of which I am a member?

What level of testing period do I want to allow myself before going

live with my EMV card base/infrastructure?

Which vendors will I select to help facilitate my move to EMV?

When do I start migrating my card base to EMV cards, bearing in

mind that the cards I am issuing today might still be in circulation
after the EMV migration date?

What extra business can I generate by achieving first mover

advantage in my markets by moving to smart cards

Am I actually losing business by not moving more rapidly

to smart cards?

Am I being targeted by fraudsters because competitors have

already migrated?

Financial applications
What payment schemes do I want to support with my cards?

What are the standards and mandates of those schemes?

Do I want to support single applications, multiple applications,

or both?

Do I want to offer my customers an electronic purse?

Are there any other legal issues specific to my country that I need
to consider such as data protection laws?

Non-financial applications
My card will have an anchor financial application. But do I want
it to carry other applications such as a retail loyalty scheme?

Do I want the card to support Internet banking?

Will I create the additional applications in house, use third party

developers, or accept applications provided by partners?

41
 Does this affect me?
Application security
Do I want the extra security of SDA authentication?

What EMV risk management parameters should I select and what

values should they be set to?

Will I use the off-line PIN functionality and what other, if any,
Cardholder Verification Methods (CVM) should I support?

Is there legislation, such as data protection law, that might impact

the security of my applications?

How can I modify the off-line PIN after the card has been issued?

How can I modify the EMV parameters after the card has
been issued?

How do I manage the information flows and business rules when I

allow third-party applications to make use of my card real estate?

Smart card selection

Do I want a single or multi-application card?

Will I select a proprietary card supplied by one supplier, or choose

an open platform solution with cards from multiple vendors?

What memory size do I need on the card?

Will I apply segmentation to my card base and will I create a mix

of proprietary EMV-cards and Open Platform cards?

Upgrading back office systems

Do I want to source my cards from multiple vendors?

Do I want to support more then one different card type or card

platform (Gold, Platinum, VISA, MasterCard, TIBC, Credit, Java,
Proprietary, debit, M-chip, Mulattos etc)

Do I want to set and dynamically update my EMV (risk) parameters?

Do I want a single application card, multiple application card or a mixture?

How do I ensure that my systems support my future strategies?

How can I interface between my issuance and acquiring systems?

42
 Does this affect me?
Data preparation
How do I want to do data preparation?

1) Change host system

2) Deploy P3-type solution

3) Outsource

Do I select a standard set of EMV parameters as recommended

by my card association or do I select my own?

Does my data preparation system provide all the key management

functionality I require and is it secure?

How do I manage my card products?

How do I handle large volumes of cards to be issued?

How do I manage the workflow?

Card personalisation
Where do I want to personalise my cards?

1) In house bureau?

2) Outsource to a third party bureau?

3) Instant issuance at a branch level?

Do I want to consider post personalisation application load of new

applications to my cards?

How do I manage the workflow?

43
 Acquiring and terminal network Critical
Questions checklist
Does this affect me?
Issuer transaction processing and host systems
Do I want to be able to change EMV parameters on already-issued
cards (for example increasing the card’s transaction value limit)?

Has my interchange or switch been enhanced to accept

EMV related data?

Has my settlement process been enhanced to accept

EMV related data?

Is my infrastructure capable of blocking cards and applications

if needed?

Have I upgraded my host system to accept OMA (Online Mutual

Authentication, ARQC/ARPC)?

Will my host system cope with the volume of extra data associated
with EMV?

Will I need to support the generation of Issuer scripts and, if so,

has my host been upgraded to do this?

ATM/EFTPoS networks
Have I upgraded my ATM/EFTPoS network to physically accept
EMV cards?

Have I upgraded my ATM/EFTPoS terminal software to accept

EMV cards?

Have I selected terminal and hardware that has already been

appropriately type approved?

Have retailers in my markets agreed to update retailer owned

EFTPoS terminals?

Have the retail outlets in my region been educated about EMV?

Has my ATM/EFTPoS management system been upgraded

for EMV?

Have I taken into account the testing and approval process of EMV
ATM/EFTPoS terminals in my implementation plan?

Is my implementation future proof (i.e. processor speed, memory

and will terminals handle multiple applications in the future?)

Do I replace or upgrade my ATM/EFTPoS network?

44
 Does this affect me?
How long will it take to upgrade my ATM/EFTPoS network?

What training will I perform/recommend for retailers?

What do I do with my old terminals?

Host systems
What do you do with all your old terminals?

Have I upgraded my host system to accept OMA (Online Mutual

Authentication, ARQC/ARPC)?

Will my host system cope with the volume of extra data associated
with EMV?

45
 CORPORATE OFFICE INDIA
THALES e-SECURITY LTD. BLUE STAR LTD.
Meadow View House Divisional Head Quarters
Long Crendon, Aylesbury Sahas, 414/2 Vir Savarkar Marg
Buckinghamshire, HP18 9EQ, UK Prabhadevi
Tel: +44 (0)1844 201800 Mumbai 400 025, INDIA
Fax: +44 (0)1844 208550 Tel: +91 22 24306155
e-mail: emea.sales@thales- Fax: +91 22 24307078
esecurity.com e-mail: prosenjit@lineone.net

DISCLAIMER
Thales reserves the right at any time, without notice and at its sole discretion to revise, update, enhance, modify, change or discontinue the information provided herein.
THALES MAKES NO REPRESENTATION OR WARRANTY AS TO THE ADEQUACY OR COMPLETENESS OF THE INFORMATION PROVIDED HEREUNDER.
The Thales policy is one of continuous development and consequently the equipment may vary in detail from the description and specification in this publication.
All trademarks are acknowledged. U.S. Patent No. 4,405,829 licensed exclusively by RSA Data Security, Inc.
Publication Number: 102/1102/10412 ©2002.