  • www.thales-esecurity.com

    THALES e-SECURITY

    EMV – EASY MIGRATION GUIDE, Version 2

    An impartial guide for Issuers and Acquirers looking to migrate to EMV. The key issues and technologies. Some questions that must be answered. A reference for further information. Produced in collaboration with other smart card industry leaders.

  • EMV Easy Migration Guide

    How to use this guide

    Migration from magnetic stripe cards to EMV smart cards may look daunting. It is a complex task. However, broken down into a series of logical elements it becomes much less problematic.

    Whether the reader is tasked with managing the whole project, or perhaps just discrete parts, this document aims to provide a useful introduction to the headline issues arising from migration.

    The guide has been divided into three main sections:

    Introduction

    Card Issuer challenges

    Acquiring and terminal network challenges

    The second and third sections follow the same format:

    An Overview of the subject area

    An exploration of the Essential Issues upon which decisions must be made

    A list of Critical Questions that the reader should ask

    Suggestions on where the reader can obtain Further Information to support the decision-making process, including providers of relevant products and services

    At the end of the document, the Critical Questions are then repeated in checklist format for clarity of planning. Finally, overviews and contact details of the technology and service providers named in the guide are provided.


  • Introduction to EMV

  • Introduction to EMV

    The development of the smart card may well turn out to be one of the most fundamental changes yet seen by the global payments industry. Despite concerted development, magnetic stripe card technology has reached a technical dead-end. A magnetic stripe simply cannot carry the strong security needed to keep cardholder details secret. Once criminals found out how easy it was to make copies, fraud grew rapidly and, according to European Card Review magazine, now costs the EU alone over 3.5 million a day.

    But the limited security does more than leave private information vulnerable. It also means magnetic stripe cards have little scope for more than one or two simple financial applications on a single card.

    Against this background the smart card is revolutionary. The smart card works by storing information securely for use during a transaction and by performing checks and processes using its internal microprocessor. Very much larger memory capacity enables it to hold multiple applications, for example an anchor debit card application plus a number of others which do not have to be financial.

    Early movers in the market have shown that smart cards reduce losses due to fraud while generating new revenues and differentiation.

    The move to smart cards is not a free-for-all. The major card associations have collaborated to develop the EMV (Europay, MasterCard, Visa) standard, a mechanism by which the payments industry is seeking to ensure that cards, terminals and other systems will successfully interact, for debit and credit applications at least, wherever they are in the world.

    The EMV specifications describe core attributes including physical and electrical characteristics, how data and functions on the card are to be accessed, and how card security is structured, but they leave the detail of individual financial applications to card associations to define.

    For all card Issuers, the question is not "should we migrate to smart cards?" but "when should we migrate to smart cards?" This is because the major card associations are setting dates by which regions around the world must have completed migration to EMV cards. Beyond these dates liability for fraudulent transactions will lie with magnetic stripe card issuers or acquirers, if it can be shown that the use of smart card technology would have prevented the fraud.

    Issuers need to bear in mind that the date appropriate to their region is not the starting gun for migration; it is the date by which the whole of their card base and its supporting infrastructure should be EMV compliant. Testing and any pilot scheme should be completed well before this date.

    Typical schemes with three-year replacement cycles mean that cards issued in February 2002 will still be in circulation past the European January 2005 deadline.

    Given this effective countdown to EMV, it is likely that there will be a rush as the date looms nearer, squeezing the amount of time technology vendors can devote to each Issuer. Better service and more comprehensive support may be available to the early adopters.

    There are, anyway, compelling differentiation and fraud prevention reasons why all Issuers should consider moving quickly. American Express found that new customers in the US and the UK were attracted by promised extra security and the novelty value of EMV smart cards. Early adopter market advantage is therefore a reality.

    Also a reality is the certainty that the last card Issuers to migrate will inevitably be the concentrated target of fraudsters as the strong security of EMV smart cards closes the window of opportunity for crime.


  • Critical questions about EMV

    What is the date of the EMV migration for my country or region set by the card associations of which I am a member?

    What level of testing period do I want to allow myself before going live with my EMV card base/infrastructure?

    Which vendors will I select to help facilitate my move to EMV?

    When do I start migrating my card base to EMV cards, bearing in mind that the cards I am issuing today might still be in circulation after the EMV migration date?

    What extra business can I generate by achieving first mover advantage in my markets by moving to smart cards?

    Am I actually losing business by not moving more rapidly to smart cards?

    Am I being targeted by fraudsters because competitors have already migrated?

    Further information

    EMVco

    MasterCard

    JCB

    Visa


  • Card Issuer Challenges

  • Card Issuer challenges

    Overview

    As a card Issuer, there are many challenges that need to be considered when moving to EMV.

    A smart card must be programmed with an operating system (often called a mask) before it can be loaded with applications, in much the same way as a PC needs Windows or Linux before it can run applications and have any utility for users.

    Then, when an application such as Visa's VSDC (Visa Smart Debit Credit), MasterCard's M/Chip or JCB's J/Smart is loaded onto a smart card, together with unique data that personalises the application to an authorised cardholder, the card can interact with payment terminals to perform secure transactions.

    One further major advantage is that smart cards can be securely updated or re-programmed in the field. An Issuer can update risk management parameters contained within an EMV banking application remotely during an on-line transaction at a terminal.

    Some types of multi-application cards support the download of new applications and the deletion of old ones remotely at dedicated terminals or over the Internet.

    The winners in the move to smart cards are likely to be those Issuers who most successfully exploit such flexibility to offer the most compelling proposition at the lowest cost.

    The following Essential Issues section is further sub-divided into the following areas where readers may need to make decisions:

    Financial applications

    Non-financial applications

    Application security

    Smart card selection

    Upgrading the existing back office systems

    Data preparation and card personalisation overview

    Data preparation

    Card personalisation


  • Essential Issues

    Financial Applications

    EMV credit/debit applications

    The EMV specifications are a framework of basic risk reduction measures. Issuers have the freedom to select the strength of the further security parameters they apply to smart cards, and this has led to the development of different EMV banking applications by the global card associations. These applications cover everything needed to produce a card, including functionality and card association specific features as well as EMV risk management.

    JCB (J/Smart)

    MasterCard (M/Chip)

    Visa (VSDC)

    All of these are EMV-compliant, but use slightly different additional risk parameters to manage the risk of off-line transactions.

    Most card associations offer SDA (Static Data Authentication), DDA (Dynamic Data Authentication) and CDA (Combined Dynamic Data Authentication)* card authentication mechanisms within their credit/debit application.

    Domestic card brands

    In addition to the global brands, local domestic cards are proliferating. Nominally independent of the global brands, they are often required to work out-of-area so that they can be used by cardholders travelling on business or leisure. Issuers therefore often form joint marketing and processing relationships with the global brands, enabling cardholders to access cash via ATMs, and in some instances to make purchases at merchant outlets when travelling. The most common schemes are MasterCard's Maestro and Cirrus and Visa's Electron and Plus cards.

    e-Purses

    Electronic purses have been developed and deployed by a significant number of financial institutions, but they have serious drawbacks. Lack of interoperability between schemes, poor geographical coverage and the fact that most purses only support a single currency are three factors that have limited adoption.

    Some experts believe that the business case for e-Purse as a global scheme is unproven and that we will see instead the emergence of niche, closed circuit and national e-Purse products.

    The migration to EMV smart cards may create an environment in which e-Purse applications will work and be readily accepted.

    *See section on Application Security.


  • Critical questions about financial applications

    What payment schemes do I want to support with my cards?

    What are the standards and mandates of those schemes?

    Do I want to support single or multiple applications or a mixture of both?

    Do I want to offer my customers an electronic purse?

    Are there any other legal issues specific to my country that I need to consider, such as data protection laws?

    Further information

    Thales e-Security

    American Express

    CEPSco

    Diners Club International

    Discover Card

    EMVco

    JCB

    MasterCard

    Visa

    Proton

  • Non-financial applications

    Multiple applications on a single card

    A multi-application smart card, in addition to providing debit or credit functionality, might also work as a store chain loyalty card, a library card or a gymnasium membership card; the possibilities are very broad. Indeed, some industry commentators have suggested that there is no technical reason why a single smart card should not securely carry all the personal information in the average person's wallet including, in some countries, driving licence and social entitlement details.

    There is no doubt that the relative simplicity of a single application card provides the easiest and fastest route to EMV issuing, with all the benefits of brand visibility, leadership and market penetration that rapid deployment will generate for early adopters.

    But it is unlikely to be as cost-effective as a multi-application card.

    The more useful applications a single card holds, the more indispensable it becomes. The higher the perceived value, the less likely the customer is to switch to an alternative card, even though it may offer a lower interest rate. An Issuer that opens its card to applications from third-party providers not only spreads card deployment and management costs but also generates further income streams through its rental of card real estate.

    Small wonder that the overwhelming majority of industry experts expect multi-application cards to eventually become dominant.

    Over 50 companies, including all the major card associations, are now members of the GlobalPlatform alliance that is working to establish standards for EMV multi-application smart cards and to promote their deployment.

    Online retail applications and Internet banking

    Although the EMV specification was not designed with such applications in mind, the cryptographic keys on a smart card are capable of generating what is effectively an electronic signature.

    This means that the core application on a card, such as VSDC, M/Chip or J/Smart, could help secure on-line retail transactions and help provide a secure logon for Internet banking, as well as card present debit/credit functionality.


  • Critical questions about non-financial applications

    My card will have an anchor financial application. But do I want it to carry other applications such as a retail loyalty scheme?

    Do I want the card to support Internet banking?

    Will I create the additional applications in house, use third party developers, or accept applications provided by partners?

    How will I handle loading and deletion of third party applications for current and replacement cards?

    Further information

    Catuity

    Datacard

    Gemplus

    Proton

    Welcome Realtime

    Schlumberger

  • EMV application security

    EMV specifications define a four-element framework for the security of credit/debit card payment applications:

    Card authentication: the means by which a terminal can ascertain that a card is genuine. (See section below on SDA, DDA and CDA.)

    Risk management parameters: the card records all transactions and decides when pre-set thresholds (cumulative or single transaction value) have been reached, so triggering an on-line transaction.

    Off-line PIN: smart cards are able to store data securely, offering the opportunity for PIN verification to take place on the card itself. This saves the need to carry out a PIN-based transaction on-line.

    Online mutual authentication: the means by which an Issuer can satisfy himself that a transaction has genuinely come from a specific and authentic card, as well as the card ensuring that the approval/decline response has been sent by the authentic Issuer.

    EMV does not specify the cryptographic algorithms and key management schemes to be used for authenticating transactions. It does define an eight-byte data element called an Application Cryptogram that is securely bound to the details of each transaction. The fact that different key management methods and algorithms may be adopted is perfectly satisfactory since the cryptogram is not an interoperability parameter, being handled only by the card itself and Issuers' transaction authorisation systems.
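    The card-side risk decision and the on-line mutual authentication described above, as an added illustrative model (not code from the guide, Thales or any card scheme). Assumptions: since EMV leaves the cryptogram algorithm and key management to the Issuer and scheme, the 8-byte cryptogram here is a truncated HMAC-SHA256 under a per-card key derived from a constructed Issuer master key (real schemes use 3DES/AES-based MACs with HSM-held keys), and the PAN, amounts and limits are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample Issuer master key; in practice it never leaves the security module.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Assumed derivation: one key per PAN under the Issuer master key, so a key
    extracted from one card reveals nothing about any other card."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def application_cryptogram(card_key: bytes, atc: int, amount: int,
                           currency: str, unpredictable_number: bytes) -> bytes:
    """8-byte cryptogram bound to the transaction details (assumed MAC: truncated
    HMAC-SHA256; EMV itself leaves the algorithm to the Issuer and scheme)."""
    data = (atc.to_bytes(2, "big") + amount.to_bytes(6, "big")
            + currency.encode() + unpredictable_number)
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


def response_cryptogram(card_key: bytes, ac: bytes, response_code: bytes) -> bytes:
    """Issuer's reply cryptogram (ARPC) over the card's cryptogram and the decision."""
    return hmac.new(card_key, ac + response_code, hashlib.sha256).digest()[:8]


@dataclass
class RiskParameters:
    single_txn_limit: int            # largest single value the card approves off-line
    cumulative_limit: int            # off-line spend allowed before forcing on-line
    consecutive_offline_limit: int   # off-line transactions allowed in a row


@dataclass
class Card:
    pan: str
    params: RiskParameters
    atc: int = 0                     # application transaction counter
    offline_total: int = 0
    offline_count: int = 0
    card_key: bytes = field(init=False, repr=False)

    def __post_init__(self) -> None:
        # Personalisation step: the derived key is loaded onto the chip.
        self.card_key = derive_card_key(ISSUER_MASTER_KEY, self.pan)

    def generate_ac(self, amount: int, currency: str, un: bytes):
        """Card records the transaction and checks its thresholds:
        TC = approve off-line, ARQC = go on-line to the Issuer."""
        self.atc += 1
        p = self.params
        go_online = (amount > p.single_txn_limit
                     or self.offline_total + amount > p.cumulative_limit
                     or self.offline_count + 1 > p.consecutive_offline_limit)
        ac = application_cryptogram(self.card_key, self.atc, amount, currency, un)
        if go_online:
            return "ARQC", self.atc, ac
        self.offline_total += amount
        self.offline_count += 1
        return "TC", self.atc, ac

    def verify_issuer_response(self, ac: bytes, response_code: bytes, arpc: bytes) -> bool:
        """Card authenticates the Issuer's reply; a genuine one resets the off-line counters."""
        expected = response_cryptogram(self.card_key, ac, response_code)
        if not hmac.compare_digest(expected, arpc):
            return False
        self.offline_total = 0
        self.offline_count = 0
        return True


class Issuer:
    def __init__(self, master_key: bytes) -> None:
        self.master_key = master_key

    def authorise(self, pan: str, atc: int, amount: int, currency: str,
                  un: bytes, arqc: bytes):
        """Re-derive the card key and recompute the cryptogram from the claimed details.
        Returns None (decline) when they do not match, else (response code, ARPC)."""
        card_key = derive_card_key(self.master_key, pan)
        expected = application_cryptogram(card_key, atc, amount, currency, un)
        if not hmac.compare_digest(expected, arqc):
            return None
        response_code = b"00"        # approved
        return response_code, response_cryptogram(card_key, arqc, response_code)


def run_demo() -> dict:
    """Constructed walk-through: an off-line purchase, an on-line one, a tampered
    authorisation message and a forged Issuer reply (amounts in minor units)."""
    card = Card("4000000000000002", RiskParameters(5000, 20000, 3))
    issuer = Issuer(ISSUER_MASTER_KEY)
    un = b"\x12\x34\x56\x78"                 # terminal challenge (random in practice)
    first, _, _ = card.generate_ac(1500, "978", un)         # within limits: TC
    second, atc, arqc = card.generate_ac(9000, "978", un)   # over single limit: ARQC
    tampered = issuer.authorise(card.pan, atc, 90, "978", un, arqc)  # amount altered
    code, arpc = issuer.authorise(card.pan, atc, 9000, "978", un, arqc)
    issuer_ok = card.verify_issuer_response(arqc, code, arpc)
    forged_ok = card.verify_issuer_response(arqc, code, bytes(8))
    return {"first": first, "second": second, "tampered_accepted": tampered is not None,
            "issuer_authenticated": issuer_ok, "forged_arpc_accepted": forged_ok,
            "counters_reset": card.offline_total == 0 and card.offline_count == 0}
```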

    The card associations have defined for their members all the details not included in the EMV specifications. In addition some other schemes have evolved for specific geographical areas. An example is the UKIS scheme defined by APACS in the UK for smart cards.

    EMV smart cards need around 50 data items to be created for loading onto the chip. Between 10% and 20% of these are produced using cryptographic processes implemented on a security module such as the Thales P3CM. Secret values such as keys and PIN are also encrypted by the module using a shared key to ensure their secure transmission to the personalisation system.

    In addition to general security principles, there are also local legislative issues that can have a bearing on card security. These include data protection laws, digital signature legislation and e-money legislation.

    The choice of SDA, DDA or CDA in credit/debit applications

    One of many decisions facing card Issuers is which of two alternative technologies to use when verifying the authenticity of smart cards when used in a terminal.

    Magnetic stripe cards carry a card verification value (CVV) or card verification code (CVC) that can only be checked during on-line transactions.

    Smart cards, designed from the outset to support off-line as well as on-line transactions, use two alternative techniques.

    The simpler, and cheaper, of the two is SDA or Static Data Authentication. This is a process where the same digital signature is used by the card to authenticate itself to a terminal each time a transaction takes place.

    The more complex option is DDA or Dynamic Data Authentication. It creates a unique digital signature each time the card is used off-line rather than continually using the same one. This means that it is a more secure technology. However, it is as much as 25% more expensive, because it requires a public key co-processor on the card and more complex software.


  • Many Issuers remain confident in SDA for on-line use because its mutual authentication checking process is very secure. However, if smart cards are being used predominantly off-line, the extra security provided by DDA in this environment will make it the authentication scheme of choice for many Issuers.

    A further method is also specified in the EMV 2000 specifications. Known as CDA or Combined Dynamic Data Authentication, the card generates the application cryptogram and the dynamic signature together. By verifying the dynamic signature the terminal is able to determine that the application cryptogram was generated by a valid card.
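    To make the SDA/DDA distinction above concrete, here is an added example (not from the guide or any scheme) modelling the terminal's verification steps. It assumes textbook RSA over a SHA-256 digest with constructed keys built from Mersenne primes in place of the schemes' RSA certificate formats, and a chain of scheme CA, Issuer and ICC keys in which only the CA public key is loaded into the terminal; the card data is a constructed sample.

```python
import hashlib
import secrets

E = 65537   # public exponent shared by all toy keys


def make_key(p: int, q: int) -> tuple:
    """Textbook RSA from two primes: returns ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def pubkey_bytes(public_key: tuple) -> bytes:
    n, e = public_key
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(3, "big")


# Constructed key pairs (assumption: stand-ins for the schemes' RSA keys).
# Terminals hold the scheme CA public key; everything else is proved via certificates.
ca_pub, ca_priv = make_key(2**521 - 1, 2**127 - 1)
iss_pub, iss_priv = make_key(2**107 - 1, 2**89 - 1)      # Issuer, certified by the CA
icc_pub, icc_priv = make_key(2**61 - 1, 2**31 - 1)       # ICC (card), certified by Issuer
issuer_cert = sign(ca_priv, b"ISSUER:" + pubkey_bytes(iss_pub))
icc_cert = sign(iss_priv, b"ICC:" + pubkey_bytes(icc_pub))

STATIC_DATA = b"PAN=4000000000000002;EXP=0506"   # constructed card record


def issuer_cert_valid() -> bool:
    return verify(ca_pub, b"ISSUER:" + pubkey_bytes(iss_pub), issuer_cert)


def terminal_sda(static_data: bytes, static_sig: int) -> bool:
    """SDA: the card presents one fixed Issuer signature over its static data."""
    return issuer_cert_valid() and verify(iss_pub, static_data, static_sig)


def terminal_dda(static_data: bytes, unpredictable_number: bytes, dyn_sig: int) -> bool:
    """DDA: Issuer cert, then ICC cert, then a signature that must cover the
    terminal's fresh challenge, so it differs for every transaction."""
    if not (issuer_cert_valid()
            and verify(iss_pub, b"ICC:" + pubkey_bytes(icc_pub), icc_cert)):
        return False
    return verify(icc_pub, static_data + unpredictable_number, dyn_sig)


def card_dda_sign(unpredictable_number: bytes) -> int:
    """A genuine DDA card signs with the private key held on its chip."""
    return sign(icc_priv, STATIC_DATA + unpredictable_number)


def run_demo() -> dict:
    """Constructed scenarios for both mechanisms."""
    # SDA: the signature written at personalisation is re-presented unchanged
    static_sig = sign(iss_priv, STATIC_DATA)
    genuine_sda = terminal_sda(STATIC_DATA, static_sig)
    # a card holding a copy of the same data and signature is indistinguishable to the terminal
    copied_sda = terminal_sda(bytes(STATIC_DATA), static_sig)
    altered_sda = terminal_sda(STATIC_DATA.replace(b"0506", b"0512"), static_sig)
    # DDA: a new challenge each time, so a signature recorded earlier no longer verifies
    un1 = secrets.token_bytes(4)
    un2 = bytes(b ^ 0xFF for b in un1)       # guaranteed different challenge
    sig1 = card_dda_sign(un1)
    genuine_dda = terminal_dda(STATIC_DATA, un1, sig1)
    replayed_dda = terminal_dda(STATIC_DATA, un2, sig1)
    return {"genuine_sda": genuine_sda, "copied_sda": copied_sda, "altered_sda": altered_sda,
            "genuine_dda": genuine_dda, "replayed_dda": replayed_dda}
```

The outcome is the page's point in code: SDA only proves the data was signed by the Issuer once, while DDA proves the card holds a private key and answered this terminal's challenge.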

    Critical questions about application security

    Do I want SDA or the extra security of DDA?

    What EMV risk management parameters should I select and what values should they be set to?

    Will I use the off-line PIN functionality and what other, if any, Cardholder Verification Methods should I support?

    Is there legislation, such as data protection law, that might impact the security of my applications?

    How can I modify the off-line PIN after the card has been issued?

    How can I modify the EMV parameters after the card has been issued?

    How do I manage the information flows and business rules when I allow third party applications to make use of my card real estate?

    Further information

    Thales e-Security

    EMVco

    MasterCard

    Schlumberger

    Aconite Solutions

    JCB

    Visa

    Gemplus

  • Smart card selection

    Proprietary card platforms

    Manufacturers that have spent vast sums developing smart card technology quite sensibly wish to maximise the return on their investment. One way they can do this is by making it advantageous for Issuers to buy all their smart cards from a single source, rather than from two or more.

    The cards may be cheaper, or perhaps offer distinctive functionality, but unlike open platform cards (see below) they are proprietary and therefore not capable of interoperating with cards from other vendors, unless designed to a common specification.

    Card price is primarily determined by the memory size (EEPROM or E²PROM). Multi-application cards require larger memory, typically 16K EEPROM or above, to store the additional information. Proprietary, single application cards use less memory, typically in the range 2-4K EEPROM, and are therefore cheaper.

    There are over 20 vendors of smart cards globally. Most have single application as well as multi-application platforms with memory capacities ranging from 2 to 64 Kbytes. Many offer data preparation and card personalisation services to support their proprietary schemes.

    It is not within the scope of this paper to provide an analysis of the differences between the proprietary schemes. Readers wishing to explore them should contact card vendors for information.

    Multi-application, open card platforms

    As is the case with so many technologies, vendors and interest groups use many different and contradictory definitions and terms to describe smart cards.

    Safe positioning statements to make about an open smart card are that it:

    Supports a wide variety of suppliers in both chips used and card software and applications implemented

    Supports standards-based application development and maintenance/support

    Supports selectable levels of security

    Facilitates partnership and co-developments with companies in the same and in other industries

    Allows Issuers to experiment in finding and developing new value propositions

    Has a declared development path that aims to protect existing investment.

    Card buyers talking with multiple vendors will be offered a number of different multi-application architectures including Java Card, GlobalPlatform and MULTOS.

    Java Card

    Java Card is not an operating system but a series of specifications which defines how a Java Virtual Machine can run on any vendor's underlying operating system.

    In most cases Java implementations are migrating toward support of the GlobalPlatform standards and API described below.


  • GlobalPlatform Card

    GlobalPlatform is a highly secure, open and comprehensive system architecture designed to enable fast and easy development of globally interoperable smart card systems. The GlobalPlatform specifications and companion documents are available royalty-free from www.globalplatform.org.

    GlobalPlatform includes published Application Program Interfaces (APIs) and specifications that enable any compliant card from any vendor to be issued, loaded with applications and managed in exactly the same way. It also provides for the use of multiple card operating systems and allows the issuer to retain total control of the card and its applications.

    MULTOS Card

    MULTOS is an open standard multi-application smart card operating system that has been developed by the MAOSCO consortium. MAOSCO requires all MULTOS devices to have been independently accredited to the highest achievable levels of security assurance such as ITSEC E6 High. Hence MULTOS is targeted at markets requiring high security such as finance, secure ID and other related applications.

    The security of applications on a MULTOS card is provided by on-card firewalls that prevent memory area intrusions, and a load/delete mechanism based on asymmetric cryptography which means card issuers and application providers do not need to share secrets.

    www.multos.com

    Critical questions about smart card selection

    Do I want a single or multi-application card?

    Will I select a proprietary card supplied by one supplier, or choose an open platform solution with cards from multiple vendors?

    What memory size do I need on the card?

    Will I apply segmentation to my card base and will I create a mix of proprietary EMV cards and Open Platform cards?

    Further information

    Card platforms

    GlobalPlatform

    MAOSCO (MULTOS)

    Card suppliers

    Austria Card

    Cardag

    DNP

    Fabrica Nacional

    G&D

    Gemplus

    Hitachi

    ID Data Systems

    Incard

    Infineon

    Iris Tech

    Novacard

    Oberthur

    Orga

    PPC Card Systems

    Schlumberger

    Setec

    Toppan

    Keycorp

  • Upgrading the existing back office systems

    Magnetic stripe card issuance and management is supported by tried and tested legacy back office systems.

    One challenge for Issuers looking to migrate to EMV smart cards is how to provide similar automated support facilities for the new card technology. Single application smart cards are significantly more complex, and therefore more demanding of support systems, than magnetic stripe cards.

    This is one reason why upgrading or modifying existing support systems to handle smart cards is thought by some experts to be not cost-effective.

    Multi-application smart cards present back office support systems with an even more complex support task. The route preferred by most Issuers, particularly those moving to multiple-application cards, is therefore to concentrate smart card issuance and management support in a separate, dedicated solution that interfaces to the legacy back office issuing and acquiring systems.

    Such a solution is called a Smart Card Management System.

    Smart card management systems

    Smart Card Management Systems (SCMS) manage cards and applications throughout their entire life cycle, before and after issue to customers. They enable the loading, blocking or deleting of applications at any time, and make new card-based services instantly available via the Internet or private network.

    Smart Card Management Systems also store details of every smart card issued, making the replacement of lost or stolen cards both fast and simple. The same information can also be used to create a comprehensive database of cardholders and their application preferences.

    Some smart card management systems support the setting and changing of application parameters during issuance and in the field, including EMV risk parameters.


  • Critical questions about upgrading back office systems

    Do I want to support more than one card type or card platform (such as TIBC, Java, proprietary or MULTOS)?

    Do I want to set and dynamically update my EMV risk parameters?

    Do I want a single application card, multiple application card or a mixture?

    How do I ensure that my systems support my future strategies?

    How can I interface between my issuance and acquiring systems?

    Further information

    ACI Worldwide

    Bell ID

    CardBASE Technologies

    Card Tech Limited

    Cards etc.

    Datacard

    Proton

    Schlumberger

  • Data preparation and card personalisation overview

    Data preparation is the process by which cardholder-specific data and the complex cryptographic keys needed for security are generated. It is the first of two steps toward readying a new card for issue.

    The second is card personalisation. It includes the application of brand printing, magnetic stripe encoding, security holograms and perhaps photographs, as well as the embossing and indenting of typographical characters. Smart cards also require electronic personalisation. The already prepared user data and cryptographic keys are securely loaded to the card, together with one or more applications.

    The smart card is now ready for issue.

    Smart cards, with their much stronger security than magnetic stripe technology, require considerably more data to be generated. Substantial changes to established processes are required and many Issuers will take the opportunity for a complete re-evaluation of their data generation and personalisation arrangements.

    Three main business models

    There are three main models for data preparation and the subsequent card personalisation. The decision over which one is adopted is usually based on best practice security considerations as well as cost:

    1. Outsource data preparation and card personalisation to a bureau

    The Issuer sends existing magnetic stripe records output from its host system to a bureau that carries out the entire process from data and cryptographic key generation to card personalisation.

    Additionally it is necessary for the Issuer to work with the service bureau to describe the additional chip data needed (the EMV and application features to be implemented) along with the risk management parameter settings that best meet the requirements of the Issuer.

    2. Data preparation in house, card personalisation outsourced to a bureau

    The Issuer processes existing magnetic stripe records output by its host system, generating data and cryptographic keys in house. It then sends the resulting file containing all the traditional magnetic stripe and additional chip data to a bureau where smart cards are personalised. In this model the bank retains control of its own cryptographic master keys.

    3. Data preparation in house, card personalisation in house

    The Issuer processes existing magnetic stripe records output by its host system, creating the cryptographic keys and extra data required for EMV cards. It then personalises smart cards using a desktop personalisation machine or high volume personalisation system in house.

    [Figure: sample cardholder records (name, age, D.O.B., address, card number, expiry, sort code) flowing from the host system through data preparation and card personalisation]

  • Critical questions about data preparation and card personalisation

    Which model should I adopt for data preparation and card personalisation?

    What tools and processes are available in the marketplace to assist, if model 2 or 3 is adopted?

    Further information

    See sections on Data Preparation and Card Personalisation.

  • Data preparation

    [Figure: sample cardholder records (name, age, D.O.B., address, card number, expiry, sort code) entering the data preparation process]

    Principal approaches to data preparation

    Data preparation can be achieved with any of the three following methods:

    Development of own host system

    A route chosen by some Issuers is to develop the required data and key generation technology in house. It is only an option for Issuers with particularly well-funded internal IT departments, and it does have significant ongoing implications in terms of cost and pull on resources.

    This is because data and key generation is a complex, specialist field and not one in which generalist IT developers can rapidly gain expertise. There are many instances where internal development programmes have been started, then abandoned as the scale of the task became apparent and as costs rapidly escalated. Another factor is constantly changing specifications that further absorb costly development time and divert IT staff from core activities.

    Outsource

    Outsourcing data preparation to a bureau is therefore seen by some as a better alternative. However, it too has its potential downside. Today's bureaus offer a highly secure solution with the very highest integrity. However, central to best practice in security is that the number of people handling cryptographic keys is kept to an absolute minimum; outsourcing introduces more people into the production chain and therefore introduces more potential points of weakness or attack. It also requires Issuers to cede responsibility for managing the extra risk, and therefore ultimately the integrity of scheme security, to a third party.

    In-house with an EMV data preparation solution such as Thales P3

    Many, perhaps most, Issuers have a fundamental aversion to anything less than 100% control over security. They have always generated the data for much simpler magnetic stripe cards in-house and will wish to continue to do so for smart cards. They do not see in-house development of a data generation system as an option because of cost and drain on IT resources.

    Their solution will be the purchase and in-house operation of a data preparation system such as the Thales P3.

    P3 integrates with host systems and card personalisation devices to generate EMV smart card data and keys from existing magnetic stripe card files.

    A further reason for keeping Data Preparation in house is that an Issuer does not tie himself to one personalisation bureau.

    Bureaux may offer services for both Data Preparation and Personalisation. A one-off cost is typically charged for setting up the keys required for Data Preparation, with an additional per-card cost for the Data Preparation itself. Personalisation is also usually charged in a similar way.

    If Data Preparation and the associated key management is ceded to one bureau, and six months lateranother bureau is able to offer lower cost cards or personalisation services, then the resultant keymanagement costs at the new bureau may negate the potential savings by switching supplier.

    One more consideration is that if Data Preparation is moved from one bureau to another, thefundamental security elements (cryptographic keys) have to be shared with yet another party. Securitybest practice dictates that cryptographic keys are shared with as few parties as possible.

    EMV parametersThe process of data preparation includes the setting of EMV parameters for risk managementpurposes. These parameters offer the Issuer options to tailor risk management to batches of cards, orif required sometimes even on a per-card basis. With a potentially confusing number or combinationsof parameters the card associations offer recommended sets of parameters for Issuers to adopt.

Tools may also be available from the card associations to automate the selection of these parameters.

Key management

Rigorous key management is essential for securing data preparation.

The system must be able to generate cryptographic keys, receive cryptographic keys and certificates from organisations such as Visa or MasterCard, and manage the keys during the personalisation process.

Unlike magnetic stripe data, EMV smart card data contains sensitive secret material, such as the card keys derived from the Issuer master keys: anyone who obtains a card's derived keys can produce valid cryptograms for that card. This means that every step in the process, from key derivation to the encrypted delivery of the card record to the personalisation machine, needs to be secured using cryptographic hardware.

    The five main areas of key management that a data preparation system must be able to handle are:

    Key generation for each application.

    Storage of the master key and transport keys

    Key distribution to secure the personalisation process

    Key update of the existing keys

Exchange of public keys with the scheme certification authorities (e.g. JCB, MasterCard and Visa), which certify the Issuer's public key for offline data authentication
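The first item in this list, key generation for each application, is where the Issuer master key and the card's PAN meet. The following is an added example (written for this edit of the guide, not code from the guide, from Thales P3 or from any vendor named here) of the per-card key derivation that a data preparation system performs inside its HSM, following EMV Book 2 Annex A1.4 Option A (PANs of up to 16 digits; longer PANs use Option B, which is not shown), together with the key check value (KCV) used to confirm that a transported key arrived intact without exposing it. The Issuer master key and the PANs are constructed values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// tdes encrypts one 8-byte block under a double-length (16-byte) 3DES key,
// the key format EMV uses for Issuer and ICC master keys (K1 || K2 || K1).
func tdes(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// oddParity forces odd parity on every byte, the DES key convention that lets
// an HSM or personalisation system detect a corrupted key byte.
func oddParity(k []byte) []byte {
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 {
			k[i] = b ^ 0x01
		}
	}
	return k
}

// DeriveICCMasterKey implements EMV Book 2 Annex A1.4 Option A: the card's
// master key is the 3DES encryption, under the Issuer Master Key (IMK), of the
// rightmost 16 digits of PAN || PAN sequence number (Y) and of the complement of Y.
// Changing the PAN sequence number (a replacement card) therefore yields a new key.
func DeriveICCMasterKey(imk []byte, pan, psn string) ([]byte, error) {
	if len(imk) != 16 {
		return nil, fmt.Errorf("IMK must be a 16-byte double-length key, got %d bytes", len(imk))
	}
	digits := pan + psn
	if digits == "" || strings.Trim(digits, "0123456789") != "" {
		return nil, fmt.Errorf("PAN and PSN must be decimal digits")
	}
	if len(digits) < 16 {
		digits = strings.Repeat("0", 16-len(digits)) + digits // left-pad short PANs
	}
	y, _ := hex.DecodeString(digits[len(digits)-16:]) // 16 decimal digits packed as BCD
	yInv := make([]byte, 8)
	for i := range y {
		yInv[i] = y[i] ^ 0xFF
	}
	return oddParity(append(tdes(imk, y), tdes(imk, yInv)...)), nil
}

// KeyCheckValue is the conventional 3-byte check on a key: the leading bytes of
// the encryption of an all-zero block. Two parties can compare KCVs to confirm
// they hold the same key (for example after a transport-key exchange) without
// revealing the key itself.
func KeyCheckValue(key16 []byte) []byte {
	return tdes(key16, make([]byte, 8))[:3]
}

func main() {
	// Constructed Issuer Master Key for the application cryptogram purpose;
	// in production this key lives only inside the HSM.
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	for _, card := range []struct{ pan, psn string }{
		{"4999999999999999", "00"}, // first card issued on this PAN
		{"4999999999999999", "01"}, // replacement card: new PSN, new key
		{"4999000000001234", "00"},
	} {
		mk, err := DeriveICCMasterKey(imk, card.pan, card.psn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("PAN %s PSN %s  ICC MK %X  KCV %X\n", card.pan, card.psn, mk, KeyCheckValue(mk))
	}
}
```

The derived key is what the data preparation system encrypts under the personalisation transport key and places in the card record; the KCV is what the two ends of a key exchange compare, because a wrong or corrupted key would otherwise only show up as cards that fail at the first on-line transaction.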

Critical questions on data preparation

How do I want to do data preparation?

1) Change host system

2) Deploy a P3-type solution

3) Outsource

Do I select a standard set of EMV parameters as recommended by my card association, or do I select my own?

Does my data preparation system provide all the key management functionality I require, and is it secure?

How do I manage my card products?

How do I handle large volumes of cards to be issued?

How do I manage the workflow?

Further information

Thales e-Security

Cryptomathic

UBIQ

Schlumberger

Bell ID

Gemplus

Visa

Card personalisation

Card personalisation can be a costly and complex business, depending on the size of the cardholder base and the number of different card products that an Issuer offers.

The larger Issuers have historically employed their own in-house card personalisation bureaus for the production and issuance of cards. High card volumes help justify the expense of secure premises, card personalisation systems and skilled staff.

There are three options when considering personalisation:

In-house bureau

It is believed that the majority of cards will be issued from central in-house bureaus for the foreseeable future. Smart card personalisation is slower than magnetic stripe personalisation, mainly because of the vastly increased amount of data and the cryptographic keys to be loaded onto each card. However, personalisation equipment providers have developed solutions to this problem, including systems that program multiple cards simultaneously.

External bureaus

Most bureaus are also card manufacturers, who realised that they were missing out by not providing a much-needed value-added service.

There are over 90 Visa/MasterCard certified card manufacturers worldwide, and the majority of these also provide personalisation services. Most bureaus are regional, but there are global players including Schlumberger, Gemplus, Oberthur and G&D.

Distributed or remote instant issuance

From a bank customer's perspective, card issuance is a slow process. Most are resigned to the fact that, even in the quickest of systems, many days elapse between completing and submitting the application form and the arrival, by separate post, of the card and its PIN.

Instantaneous production of smart cards at the point of application will become an important marketing tool for Issuers in the near future. It is already a feature of magnetic stripe card products in some countries.

In regions with good telecommunications, remote sites will be able to communicate in real time with the centralised host system for the generation of card data. Where telecommunications are poor, Issuers will have to adopt a distributed issuance model, in which details are stored locally and forwarded to the central system later.

Post-personalisation

Multi-application smart cards can be re-programmed in the field. New applications can be loaded and old ones removed when the cards are used at compliant terminals.

Called post-personalisation, this powerful feature gives card Issuers the unique ability to provide a card product that better supports the lifestyle of their customers, promoting usage and providing cardholders with greater benefit and perceived value.

To support this business model, Issuers need to deploy infrastructure (such as a Smart Card Management System) that allows the generation and delivery of secure personalisation data, in the correct format for the target card, to remote devices in real time.

Physical and cryptographic security considerations

The card stock has to be physically protected during the production and personalisation stages. From the production process perspective, security controls have to be implemented once the white plastic has had the Issuer and card association logos, brands and holograms applied. This includes physical protection of premises as well as management controls and procedures. The stringent physical security controls aim to stop printed, unpersonalised cards from finding their way into the wrong hands, where they could conceivably be used fraudulently, causing harm to the Issuer and association brands.

It is standard practice for the international card associations to audit annually all facilities that produce association-branded cards.

There are major differences between the cryptographic security arrangements on magnetic stripe bank cards and those on smart cards.

Magnetic stripe card production involves the generation of two cryptographic elements:

Card Verification Value/Code 1 (CVV1/CVC1, encoded on the magnetic stripe)

Card Verification Value/Code 2 (CVV2/CVC2, printed on the reverse of the card)

This is typically carried out by the Issuer using a suitable hardware security module during the production of card data. The values are then included in the card record, and the batch file is subsequently used for personalisation.

Once the data is produced, the individual elements are of limited value to an attacker: they are the output of a keyed one-way computation, so possession of a CVV neither reveals the key nor allows the other values to be computed. For this reason there is no strict requirement to protect them in transit from the Issuer host to the personalisation system. It should be recognised, however, that a disclosed CVV still allows a counterfeit stripe (or, for CVV2, a card-not-present transaction) to pass verification, which is why most Issuers still protect the batch file during transmission to the personalisation machine.
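As an added example (not the guide's own, and not the code of any HSM or vendor it names), the CVV/CVC derivation described above in Go, using the publicly documented construction: PAN, expiry (YYMM) and service code are zero-padded to 32 digits, processed as two DES blocks under the CVK pair, and the result is decimalised. The CVK pair, PAN and expiry are constructed values; in production the CVKs are held in the HSM and never exported. CVV2 uses the same function with service code 000 by convention.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// GenerateCVV computes a 3-digit card verification value under a CVK pair
// (two single-length DES keys, A and B) from PAN, expiry (YYMM) and service code.
// Steps: pack the 32-digit input as two 8-byte blocks; DES-encrypt block 1 under
// CVK A; XOR with block 2; 3DES (E_A, D_B, E_A) the result; decimalise by taking
// the decimal digits first, then the hex letters mapped A..F -> 0..5; keep 3 digits.
func GenerateCVV(cvkA, cvkB []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	if len(cvkA) != 8 || len(cvkB) != 8 {
		return "", fmt.Errorf("CVK A and B must each be 8 bytes")
	}
	input := pan + expiryYYMM + serviceCode
	if input == "" || strings.Trim(input, "0123456789") != "" {
		return "", fmt.Errorf("PAN, expiry and service code must be decimal digits")
	}
	if len(input) > 32 {
		return "", fmt.Errorf("input exceeds 32 digits")
	}
	input += strings.Repeat("0", 32-len(input)) // right-pad with zeros
	raw, _ := hex.DecodeString(input)            // 32 digits -> 16 bytes BCD

	single, err := des.NewCipher(cvkA)
	if err != nil {
		return "", err
	}
	triple, err := des.NewTripleDESCipher(append(append(append([]byte{}, cvkA...), cvkB...), cvkA...))
	if err != nil {
		return "", err
	}
	step := make([]byte, 8)
	single.Encrypt(step, raw[:8]) // E_A(block 1)
	for i := range step {
		step[i] ^= raw[8+i] // XOR block 2
	}
	out := make([]byte, 8)
	triple.Encrypt(out, step) // E_A(D_B(E_A(.)))

	var digits, letters strings.Builder
	for _, c := range strings.ToUpper(hex.EncodeToString(out)) {
		if c >= '0' && c <= '9' {
			digits.WriteRune(c)
		} else {
			letters.WriteRune(c - 'A' + '0') // A..F -> 0..5
		}
	}
	return (digits.String() + letters.String())[:3], nil
}

func main() {
	// Constructed CVK pair; in production these live only in the HSM.
	cvkA, _ := hex.DecodeString("0123456789ABCDEF")
	cvkB, _ := hex.DecodeString("FEDCBA9876543210")
	pan, expiry := "4999999999999999", "0612"
	cvv1, _ := GenerateCVV(cvkA, cvkB, pan, expiry, "201") // service code as encoded on the stripe (2xx: chip present)
	cvv2, _ := GenerateCVV(cvkA, cvkB, pan, expiry, "000") // CVV2/CVC2 convention: service code 000
	fmt.Printf("PAN %s exp %s  CVV1 %s  CVV2 %s\n", pan, expiry, cvv1, cvv2)
}
```

The point the paragraph above makes is visible in the code: the 3-digit output is a truncation of a keyed DES computation, so it cannot be inverted to the CVK, but an attacker who holds the value can still write it onto a counterfeit stripe.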

Smart card production is designed as a secure process from end to end, with a final round of cryptographic processing before applications, Issuer and cardholder data are loaded onto the smart card. Card data arrives at the personalisation system encrypted and with an associated message authentication code, so it can be neither read nor altered in transit. Blank cards are also cryptographically locked at the initialisation stage following manufacture, and will only accept data after presentation of the correct so-called transport key.

EMV Card Personalisation Specification

A card personalisation device needs to understand the chip on the card that it is about to personalise. Previously there was no standardisation in this area, and personalisation systems had to work with many different card vendor-specific approaches in order to personalise a range of cards.

A new initiative, driven by some of the major card associations and now approved by EMVCo, is called the EMV Card Personalisation Specification (CPS).

Previously the standard personalisation methods were Common Personalisation and then Incard CPS. The one common industry personalisation standard today is EMV CPS, which addresses both data preparation and personalisation.

First, the data preparation software needs to be able to output a file or record according to the EMV CPS method.

Secondly, the personalisation system software, usually running on a PC next to the personalisation machine, must be able to personalise the card according to this specification.

EMV CPS provides a common standard for personalisation and will lead to lower-cost implementations, as suppliers of personalisation software will be able to support a single standard rather than multiple specifications from multiple vendors.

An Issuer should check with their card vendor to see whether the card they are considering supports this important new industry standard.

Critical questions on card personalisation

Where do I want to personalise my cards?

1) In-house bureau?

2) Outsource to a 3rd party bureau?

3) Instant issuance at branch level?

Do I want to consider post-personalisation of new applications to my cards?

How do I manage the workflow?

Further information

Personalisation machine suppliers

Atlantic Zeiser

CIM

Datacard

Datacard Gilles Leroux

Fargo

Logika

Mattica

Mühlbauer

NBS

Orga

Personalisation bureau services

Gemplus

G & D

Oberthur

Schlumberger

FDR

TSYS

Personalisation software suppliers

Thales e-Security

Datacard

Ubiq

Schlumberger

Gemplus

Acquiring and Terminal Network Challenges

Overview

Despite being concerned only with the process flow between terminal and smart card, the EMV specification has implications for retail bank host systems, and for ATM and EFTPoS systems.

Issuer Transaction Processing and Host Systems

Hosts may need to be upgraded to process on-line or batch transactions from devices using message protocols enhanced from their magnetic stripe equivalents. Network interfaces will need enhancing to transmit EMV data when transactions are switched out to Issuer banks for authorisation, and on-line authorisation capabilities will also require upgrading.

With on-line EMV transactions, Issuers may be required to receive extra chip-related data in the on-line message and to reply to the Acquirer, and therefore to the device, with additional response data. This includes authentication using the authorisation request cryptogram (ARQC), generated by the card over the transaction data, and the authorisation response cryptogram (ARPC), generated by the Issuer in reply, in a process known as on-line mutual authentication (OMA): the ARQC lets the Issuer verify that a genuine card produced this exact transaction, and the ARPC lets the card verify that the response really came from its Issuer. The Issuer's host needs to be enhanced to provide this processing, which it does in conjunction with the host security module (HSM). The card keys involved are derived from Issuer master keys that are themselves stored encrypted under local master keys held within the HSM, so cryptograms are verified and generated inside the HSM and the keys never appear in clear on the host.
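Both sides of on-line mutual authentication, as an added example (not code from the guide or from any product it names): the card diversifies its master key with the Application Transaction Counter into a session key (the EMV Common Session Key derivation), computes the ARQC as an ISO/IEC 9797-1 Algorithm 3 MAC with padding method 2 over the GENERATE AC input, and the Issuer host recomputes that MAC before producing an ARPC (Method 1) carrying the Authorisation Response Code, which the card then checks. The ICC master key and the transaction data are constructed values; in a real host the ICC master key is derived from the Issuer master key inside the HSM and none of these keys leaves it.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// tdes encrypts one 8-byte block under a double-length (16-byte) 3DES key.
func tdes(key16, block []byte) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveSessionKey is the EMV Common Session Key derivation (Book 2 Annex A1.3):
// the ICC master key is diversified with the ATC, so every transaction is signed
// with a fresh key and a replayed ARQC fails against the new counter value.
func DeriveSessionKey(iccMK []byte, atc uint16) []byte {
	hi, lo := byte(atc>>8), byte(atc)
	left := tdes(iccMK, []byte{hi, lo, 0xF0, 0, 0, 0, 0, 0})
	right := tdes(iccMK, []byte{hi, lo, 0x0F, 0, 0, 0, 0, 0})
	return append(left, right...)
}

// RetailMAC is ISO/IEC 9797-1 MAC Algorithm 3 with padding method 2 (0x80 then
// zeros), the construction EMV uses for application cryptograms: single-DES CBC
// under the left key half, then a final decrypt under the right half and encrypt
// under the left half.
func RetailMAC(sk, data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%8 != 0 {
		msg = append(msg, 0x00)
	}
	kl, _ := des.NewCipher(sk[:8])
	kr, _ := des.NewCipher(sk[8:16])
	mac, tmp := make([]byte, 8), make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := 0; j < 8; j++ {
			tmp[j] = mac[j] ^ msg[i+j]
		}
		kl.Encrypt(mac, tmp)
	}
	kr.Decrypt(tmp, mac)
	kl.Encrypt(mac, tmp)
	return mac
}

// CardGenerateARQC is the card side of GENERATE AC: a MAC over the data the
// terminal supplies (amount, currency, date, TVR, unpredictable number, ...)
// followed by the card's AIP and ATC.
func CardGenerateARQC(sk, acData []byte) []byte { return RetailMAC(sk, acData) }

// issuerARPC is ARPC Method 1: ARQC XOR (ARC || 00 00 00 00 00 00), encrypted
// under the same session key. Only a holder of the card's keys can produce it.
func issuerARPC(sk, arqc, arc []byte) []byte {
	y := make([]byte, 8)
	copy(y, arqc)
	y[0] ^= arc[0]
	y[1] ^= arc[1]
	return tdes(sk, y)
}

// IssuerAuthorise is the host/HSM side: regenerate the session key from the
// card's ATC, recompute the ARQC over the data received in the authorisation
// message, and only on a match produce the ARPC for the chosen response code.
func IssuerAuthorise(iccMK []byte, atc uint16, acData, arqc, arc []byte) ([]byte, bool) {
	sk := DeriveSessionKey(iccMK, atc)
	if subtle.ConstantTimeCompare(RetailMAC(sk, acData), arqc) != 1 {
		return nil, false // mismatch: data altered in transit, wrong key, or replay
	}
	return issuerARPC(sk, arqc, arc), true
}

// CardVerifyARPC completes mutual authentication: the card acts on the ARC only
// if the ARPC proves the response came from the holder of its master key.
func CardVerifyARPC(sk, arqc, arc, arpc []byte) bool {
	return subtle.ConstantTimeCompare(issuerARPC(sk, arqc, arc), arpc) == 1
}

func main() {
	// Constructed ICC master key (output of data preparation) and transaction counter.
	iccMK, _ := hex.DecodeString("11223344556677889900AABBCCDDEEFF")
	atc := uint16(0x0012)
	// Constructed GENERATE AC input: amount 10.00, amount other 0, country 0826,
	// TVR, currency 0826, date 030615, type 00, unpredictable number, AIP, ATC.
	acData, _ := hex.DecodeString("000000001000" + "000000000000" + "0826" + "0000000000" +
		"0826" + "030615" + "00" + "DEADBEEF" + "5800" + "0012")

	sk := DeriveSessionKey(iccMK, atc)
	arqc := CardGenerateARQC(sk, acData)
	arc := []byte("00") // approved
	arpc, ok := IssuerAuthorise(iccMK, atc, acData, arqc, arc)
	fmt.Printf("ARQC %X accepted=%v ARPC %X\n", arqc, ok, arpc)
	fmt.Println("card accepts ARPC:", CardVerifyARPC(sk, arqc, arc, arpc))

	tampered := append([]byte{}, acData...)
	tampered[5] ^= 0x01 // amount altered between terminal and Issuer
	_, ok = IssuerAuthorise(iccMK, atc, tampered, arqc, arc)
	fmt.Println("tampered amount accepted:", ok)
}
```

Two properties matter for the host upgrade: the ARQC binds the exact transaction data the Issuer receives, so the host must pass the chip data through unchanged to the HSM, and the session key depends on the ATC, so the host must also keep the last seen ATC per card to detect replays.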

EMV allows Issuers to use scripts to modify data elements such as the PIN or risk parameters on a smart card during on-line transactions. Since this is a sensitive process, these scripts must be secured with cryptography (a MAC over each script command and, for a new PIN, encryption of the value), again involving the use of an HSM. As scripts are now being generated by the on-line host processor, this demands much closer integration with card management systems than is the case with magnetic stripe cards.

Where banks are both Issuers and Acquirers, all of the changes described here are applicable.

Interchanges

There are multiple interchanges (or switches) operating in most countries, the best known being the international interchanges operated by Visa and MasterCard. They act as network hubs, routing on-line authorisations from the Acquirer (acceptor) of a transaction to the Issuer for authorisation.

To route EMV transactions correctly, interchanges, like host systems, will need to handle the enhanced inter-bank transaction protocols required by smart cards.

Settlement

Currently most Acquirers and Issuers settle regularly with an interchange. This is normally done through an exchange of batch files (for example Visa Base2) between the interchange and its member banks. EMV affects this process by adding chip-related data to the transaction records within these files.

Critical questions about Issuer Transaction Processing and Host Systems

Do I want to be able to change EMV parameters on already-issued cards (for example increasing the card's transaction value limit)?

Has my interchange or switch been enhanced to accept EMV-related data?

Has my settlement process been enhanced to accept EMV-related data?

Is my infrastructure capable of blocking cards and applications if needed?

Have I upgraded my host system to support OMA (Online Mutual Authentication, ARQC/ARPC)?

Will my host system cope with the volume of extra data associated with EMV?

Will I need to support the generation of Issuer scripts and, if so, has my host been upgraded to do this?

Further information

Transaction Processing

ACI Worldwide

Aconite Solutions

Card Tech Limited

E-Funds

IFS

Logika

Mosaic Software

Nomad

S2Systems

Thales e-Security

Type approval

EMVCo

MasterCard

Visa

JCB

Transaction authorisation and Terminal Acquiring

ACI

Aconite Solutions

Card Tech Limited

CR2

IBM

Mosaic Software

Nomad

Oasis

Schlumberger

ATM/EFTPoS networks

The change from magnetic stripe to smart cards will not happen overnight. Magnetic stripe cards will be in use for many years to come. During the transition, terminals, payment networks and host systems must support both types of card.

Type approval

For a terminal to be legitimately used for accepting EMV transactions it must first have been certified (type approved) by a body appointed by the card schemes. EMVCo has worldwide responsibility for EMV terminal type approval, but the testing itself is subcontracted to qualified test laboratories.

Certification testing is at two levels. Level 1 concerns mainly terminal hardware: it verifies communications with the chip card and checks for correct electro-mechanical interaction.

Level 2 concerns mainly terminal software and ensures compliance with the EMV specifications for transaction flow and card/terminal interaction.

Any terminal used by banks for acquiring EMV transactions must be approved at both Level 1 and Level 2. Terminal hardware and software may legitimately come from different vendors, each having had its own component independently type approved.

Terminals

The majority of ATM and EFTPoS terminals in current use only perform magnetic stripe based transactions; some of them have the hardware to support smart card functions but would require a software upgrade. Others support smart cards, but typically to older versions of the EMV specification, and will also need upgrading.

A small number of ATM networks have been performing chip-based transactions for some years. Use of the magnetic stripe is still anticipated, although in future it will mainly serve to establish the correct orientation of the card, except of course for magnetic stripe transactions when a non-chip card is used.

ATMs typically need a substantial software upgrade to cope with EMV cards. Many of the leading ATM manufacturers have already released type approved software, but to date there are few deployments. The slow take-up is partly due to such software only recently becoming available, and partly due to the enhancements needed at host systems to accommodate the new application protocols.

Hardware upgrades are also required on some ATMs. The size of the upgrade depends very much on the particular style of ATM, and varies from a simple change to the card reader to a full upgrade of the ATM processor.

For stand-alone dial-up EFTPoS terminals already incorporating chip card readers, EMV acceptance is simply a matter of upgrading the resident software application. Such terminals are usually owned by Acquirer banks or processors, making upgrades the responsibility of those organisations and not the retailer.

Such a software upgrade can often be made remotely over the terminal network. However, it will also require an enhanced transaction protocol between terminal and host, necessitating an upgrade at the host as well. As the protocols involved tend to be simpler than those used with ATMs, such host enhancements are not normally a major obstacle to EFTPoS smart card acceptance.

Those stand-alone EFTPoS terminals that do not currently accept smart cards require either a hardware upgrade or replacement. The upgrade route may seem the most cost-effective, but the owner must be aware that there are performance considerations to take into account. For example, an old-generation product that has been upgraded may produce lengthy chip transaction times because of the increased processing requirements, in particular the RSA operations used for offline data authentication. This will only get worse in future with the introduction of the longer keys needed for increased security.

Consequently, the short-term cost advantages of hardware upgrades must be balanced against the impact on customer satisfaction (longer waiting times at the checkout). The ideal solution is to replace the entire estate with the latest-generation products, but this can be costly. For those markets that are migrating to PIN customer verification (such as the UK) the situation is even more complex: upgrades will have to consider not only chip but also PIN acceptance.

The situation is complicated somewhat by a second category of retail EFTPoS terminal. Many large multi-lane retailers, such as supermarkets and department stores, use integrated EPoS devices that combine payment and checkout functionality. Upgrades will require significant programming effort to integrate the software applications that handle bar code scanning, inventory and other functions with the EMV payment transaction process.

As these devices are owned by the retailers themselves, upgrades (and, in the UK, off-line PIN as well) will be their responsibility. In general, however, retailers are viewing the shift to EMV positively. There will, for example, be simpler point-of-sale procedures with less reliance on paper signatures, reduced potential for fraud, faster checkout times, higher floor limits, and more scope for unattended terminals through the use of offline PIN.

Critical questions about ATM/EFTPoS networks

Have I upgraded my ATM/EFTPoS network to physically accept EMV cards?

Have I upgraded my ATM/EFTPoS terminal software to accept EMV cards?

Have I selected terminals and hardware that have already been appropriately type approved?

Have retailers in my markets agreed to update retailer-owned EFTPoS terminals?

Have the retail outlets in my region been educated about EMV?

Has my ATM/EFTPoS management system been upgraded for EMV?

Have I taken into account the testing and approval process of EMV ATM/EFTPoS terminals in my implementation plan?

Is my implementation future-proof, i.e. processor speed, memory, and will the terminals handle multiple applications in the future?

Do I replace or upgrade my ATM/EFTPoS network?

How long will it take to upgrade my ATM/EFTPoS network?

What training will I perform/recommend for retailers?

What do I do with my old terminals?

Further information

ACI

Aconite Solutions

Card Tech Limited

Ingenico

Mosaic Software

NCR

Thales e-Transactions

Verifone

Appendix 1 Contributors to this document

Thales

Thales, one of the globe's leading suppliers of integrated security solutions, addresses the business security needs of corporates and governments alike, protecting transactions, networks, identification documents and sensitive sites. Thales' security capability extends to security and payment technology for financial transactions, networks and e-commerce. An acknowledged expert in smart card technology and applications, Thales is a European leader in security-critical electronic payments, integrated Electronic Fund Transfer (EFT), e-purse payment and secured keyboards, as well as being the UK's leading supplier of electronic card payment terminals.

ACI (www.aciworldwide.com)

ACI has been a leading company for more than 25 years, with a worldwide presence in more than 80 countries, focusing on payment engines for the financial industry and smart card management systems. Amongst ACI's more than 2000 customers are the leading financial institutions. ACI's Smart Card Division is based in Gouda, the Netherlands. It develops and delivers products to handle the complete issuance, life-cycle management and workflow management of smart cards of any type and purpose.

ACI views EMV migration as of prime strategic importance. Its wide-ranging product suite (ACI Smart Chip Manager, Base24), covering both the issuing and acquiring sides of the business, has already helped over 50 banks to migrate to EMV. ACI's expertise in the EMV arena has been a key factor in successful migration projects.

ACI Smart Chip Manager is deployed in the financial industry, health care, public transport, ID and government. Implementations range from small-scale single-application pilots to large-scale rollouts of leading-edge multi-application schemes containing many millions of cards.

Banks aiming for the simplest form of EMV migration already reap the benefits of ACI Smart Chip Manager. Legacy systems can be seamlessly integrated into the new chip processes without the need for extensive re-engineering. Any mix of card and chip types can be supported.

One of the strong features of EMV is the ability to manage parameters. ACI Smart Chip Manager provides this capability as an additional module. It interfaces to ACI's acquiring systems or to third-party payment engines and terminal management systems.

It is a challenge for most Issuers to finally migrate to a full multi-application smart card scheme. ACI Smart Chip Manager can easily be extended to full multi-application support, including additional post-issuance functionality.

Aconite (www.aconite.net)

Aconite is a business IT consultancy and software solutions provider with specialist expertise in smart card systems, EMV, security and e-trust.

Aconite invests in solutions which address EMV migration, smart card systems management, business IT and trusted computing.

Established in 2000, Aconite has expanded at pace, gathering a dynamic team with unique experience in their respective fields. Aconite recruits experienced professionals with a combination of technical skills and business acumen to apply technology effectively.

Working alongside leading financial institutions and retailers, Aconite's client list includes Royal Bank of Scotland, Standard Chartered Bank, Coutts & Co, Visa, LINK and Marks & Spencer.


Flexible, pragmatic and committed, Aconite provides clients with applied consultancy, inventive technology and business understanding. Delivering focused assistance in strategic, technical and operational areas, Aconite is a dependable partner for clients seeking to exploit innovative approaches to complex business issues.

APSCA (www.apsca.org)

The Asia Pacific Smart Card Association (APSCA) is a non-profit, independent association for organisations in the smart card industry in the Asia Pacific region. APSCA is the only professional association for smart cards covering the Asia Pacific and has over 60 members in Hong Kong, China, Taiwan, Japan, Korea, Singapore, Malaysia and Thailand. The Association delivers information, consultancy, guidance and networking to corporations and government organisations, including smart card scheme operators and suppliers, providing an unparalleled opportunity to solve problems, facilitate smart card initiatives and generate increased business development. Apart from organising more than 50 events, seminars, training courses and conferences covering all aspects of smart cards, APSCA has assisted government smart card projects and national card payment policies, and has initiated real business for APSCA members.

Atmel (www.atmel.com)

Atmel Corporation is a worldwide leader in the design, manufacturing and marketing of advanced semiconductors, including logic, non-volatile memory and mixed-signal and RF integrated circuits. Atmel is also a pre-eminent provider of system-level integrated solutions, enabling customers to lead the markets they serve with electronic products that are smaller, smarter, less expensive and more versatile than ever.

Atmel is a multinational company employing over 7,550 people, with worldwide revenues balanced between North America, Europe and Asia, and with significant development and manufacturing in each region. Its headquarters are located in San Jose, California, USA.

It should be noted that Atmel is a semiconductor company only, providing smart card ICs in wafer form or packaged in modules for the smart card and security-related markets. It is neither a vendor of cards nor of integrated software solutions. It partners with the world's leading card vendors and system integrators to support many of the leading smart card solutions in high-volume production today that require secure microcontroller ICs for the payment, mobile communications, health, ID, pay TV and e-security markets.

Bell ID (www.bellid.com)

Bell ID, a subsidiary of London-based Bell Group plc, has developed ANDiS, its open software platform providing a complete spectrum of turnkey products and services for single- and multi-application smart card management schemes. In major smart card, biometrics and Public Key Infrastructure (PKI) projects, Bell ID operates as a main contractor and/or as a technology and software platform provider. Bell ID serves several main segments, e.g. finance, government, blue chip, education and telecoms.

Bell ID is a client-focused company maintaining tight relationships with key accounts. Clients are provided with superior quality, service, training and support around the globe. Furthermore, Bell ID pursues and maintains strategic partnerships with clients and suppliers. All projects are carried out by highly motivated, autonomous teams with strong perseverance.

In order to guarantee the interoperability and independence of the ANDiS software suite, Bell ID actively contributes to the development of industry standards and strives to comply with all common standards relating to smart cards, tokens, PKI, biometrics, electronic purse, and debit/credit.


Bell ID's headquarters is located in Rotterdam, The Netherlands, providing support to client sites within the Benelux. Sister company Bell Security, with offices in London, Belfast, Dublin, Edinburgh, Glasgow, Stockholm, Zurich, Eindhoven, Hong Kong, Melbourne and Paris, provides local services, whereas sales and delivery of turnkey solutions are coordinated from the office in Rotterdam.

Full global and around-the-clock support for the ANDiS product suite is provided from Rotterdam and is enhanced through sales partnerships with a number of major companies. Sales partners are trained in all aspects of the ANDiS software and utilise their worldwide presence to provide installation, service and maintenance of the ANDiS platform.

CardBASE Technologies (www.cardbase.com)

CardBASE Technologies is an independent software company offering smart card management and smart card payment solutions. CardBASE offers MASCOT, a multi-application smart card management solution, and ChipPURSE, a complete CEPS purse suite of software comprising Issuer and Acquirer modules, in order to help banks leverage the most benefit from the migration to smart cards and ensure compliance with the EMV mandates laid down by the large payment organisations.

MASCOT, from CardBASE, is a multi-application smart card management solution. MASCOT enables Issuers to manage magnetic stripe cards, smart cards and multi-application cards on the same system, enabling Issuers to adopt a phased yet comprehensive approach to EMV migration.

While MASCOT offers support for EMV and CEPS purse, it also supports non-payment applications, including Certificate Authorities to issue digital certificates and loyalty solutions, with the aim of supporting the current and future needs of card Issuers.

MASCOT is a GlobalPlatform compliant solution, and the product features include cardholder management, card and application lifecycle management, and post-issuance support for application downloads and application updates.

Card Tech Limited (www.ctl.com)

Since its inception in 1989, CTL has become a market-leading provider of software solutions to the payments industry. We pride ourselves on delivering the highest quality products and services on time and to an agreed budget; we back up every installation with the very best support service, 24 hours a day, seven days a week. Today, more than 150 clients, including some of the world's largest banks, use our systems in over 60 countries worldwide.

CTL builds software on an open platform, providing you with complete, yet modular, solutions for any card programmes you choose. One of the great advantages of our software designs is their flexibility: they integrate with existing systems and can be quickly and cost-effectively adapted to take advantage of the ever-increasing opportunities available to you in our fast-moving industry.

Payment card technologies are the foundation of our expertise. CTL systems support a wide variety of magnetic stripe, chip and proxy card programmes with highly sophisticated functionality. They have also been adapted to create the Web tools you need for a safe, profitable entrance into the e-business arena. We invest heavily in research and development to ensure that our future-proof systems remain at the cutting edge of technology and secure your long-term investment in payment systems.

CTL guarantees compliance with the mandatory regulations of the payment associations American Express, Diners Club, JCB, MasterCard and Visa.


  • www.cryptomathic.comCryptomathic is one of the worlds leading providers of e-Security, specialising in commercialcryptography. Cryptomathic offers products and solutions, including systems for home banking, smartcard issuing and key management.

    CardInk is a data preparation system for issuing multi-application smart cards. It uses CommonPersonalization and integrates into the GlobalPlatform framework and supports VISA and MasterCard applications.

    www.datacard.comDatacard provides customers in more than 200 countries with the systems, software, and consultativeexpertise they need to launch and maintain profitable card programs. The company helped transformthe world for consumers and card issuers more than 30 years ago by enabling secure, high-volumeissuance of magnetic stripe-based financial cards. Today, more than 90% of the worlds financialcardsand the majority of plastic cards used for other applicationsare personalised with Datacardbrand systems and software. Many of the worlds leading financial institutions and consumer marketersplan to issue single & multi-application smart cards, and Datacards smart card infrastructure will beused to personalise, distribute and manage a vast majority of these cards. Through industryassociations such as Global Platform and the Smart Card Alliance, Datacard is also helping to defineand then implement open standards and interfaces needed to issue cards and manage the dataneeded within a comprehensive smart card issuance program. Datacard is a privately held companyowned by the Quandt Family of Bad Homburg, Germany. Datacard is headquartered in Minnetonka,MN, with a sales and service network of direct sales organisations, dealers, distributors and valueadded resellers in over 120 countries. Additionally, worldwide operations include software developmentcentres in the U.S., U.K., India and Japan. The company employs more than 1,600 people worldwideand generates annual revenues of more than $300 million.

    www.gemplus.com

    Gemplus helps its clients offer an exceptional range of portable, personalised solutions that bring security and convenience to people's lives. These include mobile Internet access, inter-operable banking facilities, e-commerce and a wealth of other applications.

    Gemplus is the only completely dedicated, truly global player in the Smart Card industry, with the largest R&D team, unrivalled experience, and an outstanding track record of technological innovation.

    Gemplus' offer in EMV: EMV Prime, a suite of solutions guiding banks on the optimal path to migration.

    Whatever your EMV migration requirements, you will find that Gemplus has a solution that fits and a team of experts to help manage your project. EMV Prime was built on three years of experience in EMV migration and with assistance and feedback from clients all around the world. EMV Prime covers migration planning, development, piloting and all stages of deployment. The EMV Prime modules can be tailored to suit the needs of any client, whilst dedicated project management teams work with you to ensure that EMV Prime lives up to its reputation.

    Gemplus trades its shares on Euronext Paris S.A. First Market and on the NASDAQ Stock Market(tm) as GEMP in the form of ADSs.

  • www.gdai.com

    More than 30 years' experience in smart security for payment cards has made G&D a leading supplier of electronic payment cards. In only 6 years, 100 million banking cards have been issued using smart card software developed by G&D.

    G&D is an accredited technology partner of all major international payment organisations, such as Europay International, MasterCard International, Visa International, Proton World and Discover.

    With its technological edge in the development of chip card operating systems and applications, G&D has successfully migrated from a manufacturer of high quality magnetic stripe cards to a leading technology supplier of microprocessor and crypto-processor cards.

    G&D is represented on all important international standardisation committees, namely the MAOSCO Consortium, Eurosmart, ETSI SMG 9, JavaCard Forum, People's Bank of China Technical Subgroup, ISO/IEC, Smart Card Forum, Global Chip Card Alliance and Global Platform Group.

    Giesecke & Devrient (G&D) is an international technology group with 150 years of tradition. Founded in 1852, G&D first specialised in banknote printing and security paper manufacture, later adding currency automation systems to its product portfolio. Today, G&D is also a technology leader in the fields of smart cards and system solutions for telecommunications, electronic payments, transportation, health, ID, loyalty, pay-TV, multimedia and Internet security (Public Key Infrastructure).

    The Giesecke & Devrient Group, headquartered in Munich, operates subsidiaries and joint ventures all over the world. G&D employs around 7,000 people worldwide and generated a revenue of 1.12 billion in fiscal 2001.

    www.globalplatform.org

    GlobalPlatform is the only cross-industry forum focused on the development, management and promotion of specifications for multiple application smart cards, smart card applications, and enabling devices. With support from its global Member organisations, GlobalPlatform promotes a standard framework facilitating the implementation of smart card programs in any industry around the world. GlobalPlatform allows flexibility in the choice of technologies and vendors through an emphasis on open standards for cards, terminals and support infrastructure. GlobalPlatform's card, terminal and systems specifications are the first open standards adopted by GlobalPlatform and will provide a solid foundation from which the organisation will define the future of multiple application smart cards.

    GlobalPlatform totals fifty-six Members from across Europe, USA, Canada, Australia, Japan and Korea, including issuers, manufacturers, and vendors of multiple application smart cards, such as American Express, Hitachi, MasterCard International, JCB, NTT Corporation, Proton World, Schlumberger, Sun Microsystems, Thales, The Bank of Nova Scotia and Visa International, as well as several government bodies.

    About Hitachi Europe Ltd.:
    www.hitachi-eu.com/semiconductors

    Hitachi Europe Ltd. is a wholly owned subsidiary of Hitachi, Ltd. Japan. It has operations throughout EMEA which provide sales, marketing, technical support and research and development. Hitachi's semiconductor and display products are key components in the fields of smart cards, communications, automotive, consumer, industrial, displays and system LSI. They include the SuperH RISC microprocessors, the H8 microcontroller family, smart card controllers, TFT displays, memories (Flash and SRAM), transistors and diodes, and network products. For reader enquiries or more information on the products and services offered in Europe by Hitachi Semiconductor, please visit the Web site.

  • About Hitachi
    www.global.hitachi.com

    Hitachi, Ltd., headquartered in Tokyo, Japan, is a leading global electronics company, with approximately 320,000 employees worldwide. Fiscal 2001 (ended March 31, 2002) consolidated sales totalled 7,994 billion yen ($60.1 billion). The company offers a wide range of systems, products and services in market sectors including information systems, electronic devices, power and industrial systems, consumer products, materials and financial services. For more information on Hitachi, please visit the company's Web site.

    www.jcbinternational.com

    JCB is one of the international payment brands, alongside Visa and MasterCard, and is also the largest card issuer and acquirer in Japan in its own right. JCB launched its card business in 1961 and began expanding overseas in 1981. Its merchant network includes 9.78 million merchants and spans 189 countries and territories, and serves 42 million card members worldwide. As part of its international growth strategy, JCB has formed alliances with more than 320 leading banks and financial institutions globally to increase merchant coverage. JCB started the full-scale issuance of smart cards in Japan in Dec. 2001, with the J/Smart EMV application loaded, and has also been very active in the smart card migration in markets outside of Japan. For further information, please visit the JCB International website.

    www.logicacmg.com

    LogicaCMG is a global solutions company providing management and IT consultancy, systems integration and outsourcing services. With additional expertise in wireless technology, the company supports clients across diverse markets including telecoms, financial services, energy and utilities, industry, distribution and transport and the public sector. Formed in December 2002 through the merger of Logica and CMG, the company has offices in 34 countries and over 60 years of combined experience in the IT services arena. LogicaCMG is the number two European quoted IT services company and is listed on both the London and Amsterdam stock exchanges.

    LogicaCMG has been at the forefront of providing EMV compliant open systems for a number of years. With our knowledge of the third party product suppliers, we are able to offer consultancy, and provide either full end-to-end card processing capability, or individual component solutions for the physical and virtual payments world. Our solutions range from fault-tolerant systems, through high availability UNIX configurations, to the latest Windows NT/2000 systems. Specific focus is placed on modern open transaction systems, smart card solutions, EMV compliance and international operator-independent mobile & card fraud alerting solutions and services.

    LogicaCMG's vision for the next generation of card systems covers:

    Core application components for Card Issuing, Card Transaction Acquiring, Merchant Management, Transaction Switching, Smart Card Management, Settlement, Clearing;

    Customer services and business process workflow, addressing issues and opportunities around the richer functional and technological features of these systems;

    Platform technologies, focusing on emerging interoperable and open corporate standards.

    LogicaCMG already has a track record in implementing proven open systems that have similar reliability levels to the legacy high availability systems, but with significantly improved cost of ownership and time to market. An even more complex and critical issue is an appropriate migration strategy for replacing a legacy system with a new, open variant. The migration strategy is the central part of the vision to ensure that risk is contained, whilst ensuring that return on investment criteria are being achieved.

  • www.mosaicsoftware.com

    Mosaic Software develops leading-edge software solutions in the consumer transaction space. The Mosaic Software offices in the USA, UK, Australia and South Africa support clients that include financial institutions, retailers, telecommunications operators, transaction processors, Internet service providers, card issuers and data processing service providers.

    Mosaic Software's product, Postilion, is a scalable, modular system designed to deliver consumer-generated transactions at every level of an EFT network. Postilion is currently installed in more than 30 countries, where it is used for ATM driving and monitoring, EFT switching and routing, EFTPoS credit/debit card transaction processing, Internet/call centre payment authorisations and mobile commerce applications. Postilion reduces transaction processing costs, improves analytical capabilities of customer transactions and increases overall transactional revenues. Postilion is fully EMV compliant and can support EMV migration with two specific solutions:

    Postilion EMV Gateway is a low-cost, fast track solution for EMV smart card compliance. Both acquirers and issuers can achieve EMV compliance for online transaction processing by front-ending their incumbent systems with the Postilion EMV Gateway. Magnetic stripe transactions are processed by the existing system infrastructure while EMV transactions are routed directly from the Postilion EMV Gateway, avoiding the need to upgrade the incumbent system to support EMV data fields.

    Postilion for Chip and PIN offers multi-lane retailers a means to rapidly support EMV chip cards and secure PIN processing at the point of sale. Further benefits are the ability to offer sophisticated EFT services at the till such as staff discount and loyalty programmes; authorisation of transactions at the till even when store systems are down; a faster settlement cycle and reports to meet all store requirements.

    Mosaic Software's major partners include Thales, Stratus Technologies, Retail Decisions, MasterCard, SmartTrust, Diebold, and NCR. Well-known companies such as 7-Eleven, Marks & Spencer, E*Trade, Bank Leumi, TNS, ABSA, Retail Decisions, American Express and Cell-C are clients. The company is backed by GE Equity and Comparex and is a selected technology provider to multiple GE Capital businesses.

    www.multos.com

    MULTOS is an open standard multi-application smart card operating system that has been developed by the MAOSCO consortium. MAOSCO requires all MULTOS devices to have been independently accredited to the highest achievable levels of security assurance, such as ITSEC E6 High. Hence MULTOS is targeted at markets requiring high security such as finance, secure ID and other related applications.

    The security of applications on a MULTOS card is provided by on-card firewalls that prevent memory area intrusions, and a load/delete mechanism based on asymmetric cryptography, which means card issuers and application providers do not need to share secrets.

    www.ncr.com

    As the world's leading ATM manufacturer, NCR has deployed self-service EMV solutions across Europe, Asia Pacific and the Americas.

    NCR Corporation (NYSE: NCR) is a leading global technology company helping businesses build stronger relationships with their customers. NCR's ATMs, retail systems, Teradata data warehouses and IT services provide Relationship Technology(TM) solutions that maximise the value of customer interactions. Based in Dayton, Ohio, NCR employs 30,400 people worldwide.

  • www.nomadsoft.com

    NOMAD Software supplies card payment solutions based around its NOMAD CORTEX product set. NOMAD's customers are innovative new generation banks that want to build strong and profitable relationships with all their customers, be they private clients, merchants or businesses.

    Flexibility, performance, reliability, availability and scalability are all at the heart of a NOMAD solution. NOMAD CORTEX benefits from a well-architected 3-tier structure, which embraces the Internet and smart card. Established requirements in areas such as Card Management, Authorisation, Switching and Terminal Management are all available off-the-shelf, while the very latest business requirements can be satisfied using ready-made components.

    www.norton-consultancy.com

    Norton Consultancy Limited is a provider of business and technical consultancy and training on the implementation of EMV chip cards.

    Norton Consultancy Limited has worked with many of the major high street UK Banks and third party processors providing hands-on assistance with the implementation of chip cards. Norton Consultancy Limited has experience with the full end-to-end EMV chip card implementation:

    Establishing a suitable Project Team Structure

    Defining Chip Business Requirements

    Defining Chip System Design

    Defining and Implementing Chip Keys

    Upgrading Card Bureau to Support Chip

    Interpretation of chip specifications (EMV, VIS, M/Chip Lite & M/Chip Select)

    Defining chip MI requirements

    Chip Testing

    Delivery of Customised Training

    Norton Consultancy Limited has gained a reputation for being able to translate the complex technical world of chip into a more understandable business language, assisting organisations to climb the steep learning curve of chip, thus reducing project time scales and costs.

    www.oberthurcs.com

    Oberthur Card Systems, listed on the Euronext Stock Exchange (Code Euroclear 12413) since July 2000, is one of the world's leading providers of card-based solutions, software and applications including SIM and multi-application smart cards and services ranging from consulting to personalisation.

    Innovative products and high quality services ensure Oberthur's strong positioning in its three main target markets.

    Payment: 52% of revenues in 2001; the company is the world leader and number one supplier for Visa and MasterCard.

  • Mobile Communications: 31% of revenues in 2001, with open and interoperable solutions based on Java technology.

    Authentication and Network Security: emerging markets in which the company plays a pioneering role, with strong expertise in security and a dominant position in e-commerce and Pay-TV.

    Close to its customers, Oberthur Card Systems benefits from an industrial and commercial presence across all five continents.

    Oberthur Card Systems is a subsidiary of François-Charles Oberthur Group.

    www.slb.com

    Schlumberger Smart Cards and Terminals is the world's leading provider of microprocessor cards (the key to digital networks) and a major supplier of card-related terminals and transaction software. Its 5,000 employees serve customers in more than 100 countries, with worldwide sales exceeding 2.6 billion smart cards to date. The company possesses more than 20 years' experience in smart card innovation and leads its industry in security technology and open systems.

    Schlumberger has an unparalleled track record implementing successful banking projects, whether it is leveraging smart card technology for nationwide EMV migration schemes, or designing payment systems. Our technical expertise embraces security, payments standards such as EMV, chip card design, card management and issuing systems, bank transaction processing and design of payment terminals.

    www.thales-esecurity.com

    Operating in three main markets covering e-security, card payment and network security, Thales e-Security addresses the business and finance industry's need for cryptographic security products and solutions used to protect a range of critical information infrastructures. Over half of the world's banks, together with the majority of the busiest exchanges, currently use Thales technology. For more than 20 years the company has been at the forefront of security and payment technology, co-operating and contributing to set the industry standards used for financial transactions and e-commerce globally.

    Thales P3

    Thales P3 lets issuers deploy EMV smart cards with minimal impact on their existing systems and with minimum cost.

    It integrates with host systems and card personalisation devices to:

    Enable creation of EMV parameters for each card holder

    Generate, store and manage cryptographic keys for each application

    Output files of parameters and keys for personalisation machines

    Generate an audit log of activities

    Three levels of Thales P3 system enable issuers to deploy a Thales solution scaled to meet their individual needs.

    Thales HSM

    The Host Security Module (HSM) is a physically secure, tamper-resistant security server that provides cryptographic functions to secure transactions in retail financial applications, including PIN encryption and verification, debit card validation, stored value card issuing and processing, chip card issuing and processing, message authentication and symmetric key management.

    With the optional DSP-RSA Module, the HSM can also support public key cryptographic operations including digital signatures, certificates, and asymmetric key management.

  • www.thales-e-transactions.com

    Thales e-Transactions is a wholly owned subsidiary of the global electronics group Thales and provides user-friendly secured solutions for card transactions. The company is a European leader in the fields of portable, mobile and fixed electronic payment terminals, integrated Electronic Fund Transfer (EFT), e-purse payment and secured keyboards. Thales e-Transactions' expertise in smart card applications for banking and commercial markets is highly acknowledged on a worldwide basis.

    The solution that Thales e-Transactions proposes is a range of terminals that are appropriate for a variety of card acceptance locations:

    Artema Desk for standard retail, where the customer attends the Point of Sale desk

    Artema DECT for locations where the terminal needs to be taken to the customer away from the Point of Sale desk

    Artema Mobile, where the terminal can accept transactions on the move.

    These products have a common core hardware platform and common software architecture, which offers the following advantages:

    Price benefits

    Lower certification costs, from common EMV Level 1 IFM to common Level 2 Kernel

    Faster to market with regional applications through the use of a simple-to-use software development toolkit

    The Artema Desk product can also be provided with a TSC+ PIN pad, the first in the world to achieve Visa PED approval to the higher security level required for chip transactions.

    Thales also produces other terminals that are specific to local regions. Because of the nature of the proposal these terminals have not been included in this offer, but Thales would be happy to provide further details on request.

    With considerable expertise in developing EMV certified products in the main European markets, and with a significant international presence both in and outside of the EU region, Thales e-Transactions believes it is well qualified to be a valued partner of Visa International in the Global Cost Effective Acceptance Project.

    www.corporate.visa.com

    Visa is the world's leading payment brand, generating US$2.4 trillion in annual card sales volume. Visa has unsurpassed acceptance in more than 150 countries. The Visa organization plays a pivotal role in developing innovative payment products and technologies to benefit its 21,000 member financial institutions and their cardholders. Visa is a leader in Internet based payments and is pioneering the creation of u-commerce, or universal commerce: the ability to conduct commerce anywhere, anytime, and any way. For more information, visit www.corporate.visa.com.

  • Contact information for companies mentioned in this document

    Company                                        Website
    ACI                                            www.aciworldwide.com
    Aconite Solutions                              www.aconite.net
    American Express                               www.americanexpress.com
    Asia Pacific Smart Card Association (APSCA)    www.apsca.org
    Atlantic Zeiser                                www.atlanticzeiser.com
    Atmel                                          www.atmel.com
    Austria Card                                   www.austriacard.at
    Bell ID                                        www.bellid.com
    Cardag                                         www.cardag.com
    CardBASE Technologies                          www.cardbase.com
    Cards etc.                                     www.cardsetc.com
    Card Tech                                      www.ctl.com
    Catuity                                        www.catuity.com
    CEPSco                                         www.cepsco.com
    CIM                                            www.cimitaly.it
    CR2                                            www.bankworld.ie
    Cryptomathic                                   www.cryptomathic.dk
    Datacard                                       www.datacard.com
    Datacard Gilles Leroux                         www.gilles-leroux.com
    Diners Club International                      www.dinersclub.com
    Discover Card                                  www.discovercard.com
    DNP                                            www.dnp.co.jp
    E-Funds                                        www.efunds.com
    EMVco                                          www.emvco.com
    Fabrica Nacional                               www.fnmt.es
    Fargo                                          www.fargo.com
    G&D                                            www.gdai.com
    Gemplus                                        www.gemplus.com
    GlobalPlatform                                 www.globalplatform.org
    Hitachi                                        www.hitachi.com
    ID Data Systems                                www.id-data.co.uk
    IFS                                            www.ifsintl.com
    Incard                                         www.incard.it
    Infineon                                       www.infineon.com
    Ingenico                                       www.ingenico.com
    Iris Tech                                      www.iris-technology.co.uk
    JCB International                              www.jcbinternational.com
    Keycorp                                        www.keycorp.net
    LogicaCMG                                      www.logicacmg.com
    Logika                                         www.logika.it
    MasterCard                                     www.mastercard.com
    Matica                                         www.maticasystems.it
    Mosaic Software                                www.mosaicsoftware.com
    Muehlbauer                                     www.muehlbauer.com
    Multos                                         www.multos.com
    NBS                                            www.nbstech.com
    NCR                                            www.ncr.com
    Nomad                                          www.nomadsoft.com
    Norton Consultancy                             www.norton-consultancy.com
    Novacard                                       www.novacardservices.co.uk
    Oasis                                          www.oasis-technology.com
    Oberthur                                       www.oberthurcs.com
    Proton World                                   www.protonworld.com
    S2Systems                                      www.s2systems.com
    Schlumberger                                   www.slb.com/smartcards
    Setec                                          www.setec.com
    Thales e-Security                              www.thales-esecurity.com
    Thales e-Transactions                          www.thales-e-transactions.com
    Toppan                                         www.toppan.co.jp
    UBIQ                                           www.ubiqinc.com
    Verifone                                       www.verifone.com
    Visa                                           www.visa.com
    Welcome realtime                               www.welcome-rt.com

  • Card issuing Critical Questions checklist

    Does this affect me?

    Introduction to EMV

    What is the date of the EMV migration for my country or region set by the card associations of which I am a member?

    What level of testing period do I want to allow myself before going live with my EMV card base/infrastructure?

    Which vendors will I select to help facilitate my move to EMV?

    When do I start migrating my card base to EMV cards, bearing in mind that the cards I am issuing today might still be in circulation after the EMV migration date?

    What extra business can I generate by achieving first mover advantage in my markets by moving to smart cards?

    Am I actually losing business by not moving more rapidly to smart cards?

    Am I being targeted by fraudsters because competitors have already migrated?

    Financial applications

    What payment schemes do I want to support with my cards?

    What are the standards and mandates of those schemes?

    Do I want to support single applications, multiple applications, or both?

    Do I want to offer my customers an electronic purse?

    Are there any other legal issues specific to my country that I need to consider, such as data protection laws?

    Non-financial applications

    My card will have an anchor financial application. But do I want it to carry other applications such as a retail loyalty scheme?

    Do I want the card to support Internet banking?

    Will I create the additional applications in house, use third party developers, or accept applications provided by partners?

    Application security

    Do I want SDA, CDA or the extra security of DDA authentication?

    What EMV risk management parameters should I select and