EMV – EASY MIGRATION GUIDE

BLUE STAR LIMITED

THALES e-SECURITY

■ An impartial guide for Issuers and Acquirers looking to migrate to EMV.

■ The key issues and technologies.

■ Some questions that must be answered.

■ A reference for further information.

■ Produced in collaboration with other smart card industry leaders.



EMV – Easy migration guide

How to use this guide

Migration from magnetic stripe cards to EMV smart cards may look daunting. It is a complex task. However, broken down into a series of logical elements it becomes much less problematical and can even be the source of a great deal of intellectual satisfaction. Substantial professional recognition will be due to those who manage successful migrations.

Whether the reader is tasked with managing the whole project, or perhaps just discrete parts, this document aims to provide a useful introduction to the headline issues arising from migration.

The guide has been divided into three main sections:

■ Introduction

■ Card Issuer challenges

■ Acquiring and terminal network challenges

The second two sections are then set out in the same format:

■ An Overview of the subject area

■ An exploration of the Essential Issues upon which decisions must be made

■ A list of Critical Questions that the reader should ask

■ Suggestions on where the reader can obtain Further Information to support the decision-making process including providers of relevant products and services

At the end of the document, the Critical Questions are then repeated in checklist format for clarity of planning. Finally, overviews and contact details of the technology and service providers named in the guide are provided.


Introduction to EMV

The development of the smart card may well turn out to be one of the most fundamental changes yet seen by the global payments industry.

Despite concerted development, magnetic stripe card technology has reached a technical dead-end. A magnetic stripe simply cannot carry the strong security needed to keep cardholder details secret. Once criminals found out how easy it was to make copies, fraud grew rapidly and now costs Visa members in the EU alone around €1 million a day.

But the limited security does more than leave private information vulnerable. It also means magnetic stripe cards have little scope for more than one or two simple financial applications on a single card.

Against this background the smart card is revolutionary. The smart card works by storing information securely for use during a transaction and by performing checks and processes using its internal microprocessor. Very much larger memory capacity enables it to hold multiple applications – for example an ‘anchor’ debit card application, plus a number of others which do not have to be financial.

Early movers in the market have shown that smart cards reduce losses due to fraud while generating new revenues and differentiation.

The move to smart cards is not a free-for-all. The major card associations have collaborated to develop the EMV (Europay, MasterCard, Visa) standard, a mechanism by which the payments industry is seeking to ensure that cards, terminals and other systems will successfully interact, for debit and credit applications at least, wherever they are in the world.

The EMV specifications describe core attributes including physical and electrical characteristics, how data and functions on the card are to be accessed, and how card security is structured, but they leave the detail of individual financial applications to card associations to define.

For all card Issuers, the question is not: ‘should we migrate to smart cards,’ but: ‘when should we migrate to smart cards?’ The major card associations have set a date for migration to EMV cards in Europe to be completed by January 2005, with different dates for other regions around the world.

Issuers need to bear in mind that this date is not the starting gun for migration – it is the date by which the whole of their card base and its supporting infrastructure should be EMV compliant. Testing and any pilot scheme should be completed well before this date.

Typical schemes with three-year replacement cycles mean that cards issued in February 2002 will still be in circulation past the January 2005 deadline.

Given this effective countdown to EMV, it is likely that there will be a rush as the date looms nearer, squeezing the amount of time technology vendors can devote to each Issuer. Better service and more comprehensive support may be available to the early adopters.

There are, anyway, compelling differentiation and fraud prevention reasons why all Issuers should consider moving quickly. American Express found that new customers in the US and the UK were attracted by promised extra security and the novelty value of EMV smart cards. Early adopter market advantage is therefore a reality.

Also a reality is the certainty that the last card Issuers to migrate will inevitably be the concentrated target of fraudsters as the strong security of EMV smart cards closes the window of opportunity for crime.


Critical questions about EMV

■ What is the date of the EMV migration for my country or region set by the card associations of which I am a member?

■ What level of testing period do I want to allow myself before going live with my EMV card base/infrastructure?

■ Which vendors will I select to help facilitate my move to EMV?

■ When do I start migrating my card base to EMV cards, bearing in mind that the cards I am issuing today might still be in circulation after the EMV migration date?

■ What extra business can I generate by achieving first mover advantage in my markets by moving to smart cards?

■ Am I actually losing business by not moving more rapidly to smart cards?

■ Am I being targeted by fraudsters because competitors have already migrated?

Further information

■ EMVco

■ MasterCard

■ JCB

■ Visa


Card Issuer challenges

Overview

As a card Issuer, there are many challenges that need to be considered when moving to EMV.

A smart card must be programmed with an operating system (often called a mask) before it can be loaded with applications, in much the same way as a PC needs Windows or Linux before it can run applications and have any utility for users.

Then, when an application such as Visa’s VSDC (Visa Smart Debit Credit), MasterCard’s M/Chip or JCB’s J/Smart is loaded onto a smart card, together with unique data that personalises the application to an authorised cardholder, the card can interact with payment terminals to perform secure transactions.

One further major advantage is that cards can be securely updated or re-programmed in the field. An Issuer can update the EMV risk management parameters on the card while the card is at a terminal. This could mean raising the offline transaction limit or even disabling the card. New applications can be loaded automatically too, but this is more likely to take place at dedicated terminals or over the Internet since card holders and merchants are unlikely to tolerate the process slowing up transactions.

The winners in the move to smart cards are likely to be those Issuers who most successfully exploit such flexibility to offer the most compelling proposition at the lowest cost.

The following Essential Issues section is further sub-divided into the following areas where readers may need to make decisions:

■ Financial applications

■ Non-financial applications

■ Application security

■ Smart card selection

■ Upgrading the existing back office systems

■ Data preparation and card personalisation overview

■ Data preparation

■ Card personalisation


Essential Issues

Financial Applications

EMV credit/debit applications

The EMV specifications set out the headline data parameters for banking product types (for example, classic, gold and platinum cards), but leave the detail to Issuers’ discretion. It might be helpful to think of the EMV specifications as a framework that imposes a basic set of risk reduction measures while giving Issuers freedom to select the strength of the further security parameters they apply.

Global card associations produce their own interpretation of the EMV specifications and provide them to Issuers. Examples include:

■ JCB (J/Smart)

■ MasterCard (M/Chip)

■ Visa (VSDC)

Most card associations offer both an SDA (Static Data Authentication) and a DDA (Dynamic Data Authentication) *card authentication mechanism within their credit/debit application.

Domestic card brands

In addition to the global brands, local ‘domestic’ cards are proliferating. Nominally independent of the global brands, they are often required to work out-of-area so that they can be used by cardholders travelling on business or leisure. Issuers therefore often form joint marketing and processing relationships with the global brands, enabling cardholders to access cash via ATMs, and in some instances to make purchases at merchant outlets when travelling. The most common schemes are MasterCard’s Maestro and Visa’s Delta for cash purchases. ATM-only schemes include MasterCard’s Cirrus and Visa’s Plus.

e-Purses including CEPS and Mondex

Electronic purses have been developed and deployed by a significant number of financial institutions, but they have serious drawbacks. Lack of interoperability between schemes, poor geographical coverage and the fact that most purses only support a single currency are three of a number of factors that have severely limited take-up.

The development of the CEPS (Common Electronic Purse Specification) is the payment industry’s attempt at an international standard to resolve these problems. Its proponents hope that CEPS will allow organisations to confidently invest in infrastructure and applications, resulting in electronic purse products becoming a very much more familiar feature on the card application landscape.

However, some experts believe that the business case for CEPS as a global scheme is unproven and that we will see instead the emergence of niche and national e-Purse products.

One alternative e-Purse to CEPS is Mondex, which is already used in numerous implementations around the world.

It should be noted that the migration to EMV smart cards will create an environment in which e-Purse applications could work and be readily accepted.

*See section on Application Security.


Critical questions about financial applications

■ What payment schemes do I want to support with my cards?

■ What are the standards and mandates of those schemes?

■ Do I want to support single or multiple applications or a mixture of both?

■ Do I want to offer my customers an electronic purse?

■ Are there any other legal issues specific to my country that I need to consider such as data protection laws?

Further information

■ Thales e-Security

■ American Express

■ CEPSco

■ Diners Club International

■ Discover Card

■ EMVco

■ JCB

■ MasterCard

■ Visa

Non-financial applications

Multiple applications on a single Card

A multi-application smart card, in addition to providing debit or credit functionality, might also work as a store chain loyalty card, a library card, a gymnasium membership card – the possibilities are very broad. Indeed, some industry commentators have suggested that there is no technical reason why a single smart card should not securely carry all the personal information in the average person’s wallet including driving license and social entitlement details.

There is no doubt that the relative simplicity of a single application card provides the easiest and fastest route to EMV issuing, with all the benefits of brand visibility, leadership and market penetration that rapid deployment will generate for early adopters.

But it is unlikely to be as cost-effective as a multi-application card.

The more useful applications a single card holds, the more indispensable it becomes. The higher the perceived value, the less likely the customer is to switch to an alternative card, even though it may offer a lower interest rate. An Issuer that opens its card to applications from third-party providers not only spreads card deployment and management costs but also generates further income streams through its rental of card ‘real-estate’.

Small wonder that the overwhelming majority of industry experts expect multi-application cards to eventually become dominant.

Over 50 companies, including all the major card associations, are now members of the GlobalPlatform alliance that is working to establish standards for EMV multi-application smart cards and to promote their deployment.

Online retail applications and Internet banking

Although the EMV specification was not designed with such applications in mind, the cryptographic keys on a smart card are capable of generating what is effectively an electronic signature.

This means that the core application on a card, such as VSDC, M/Chip or J/Smart, could help secure on-line retail transactions and help provide a secure logon for Internet banking, as well as card-present debit/credit functionality.


Critical questions about non-financial applications

■ My card will have an anchor financial application. But do I want it to carry other applications such as a retail loyalty scheme?

■ Do I want the card to support Internet banking?

■ Will I create the additional applications in house, use third party developers, or accept applications provided by partners?

Further information

■ Catuity

■ Datacard

■ Gemplus

■ Proton

■ Welcome Realtime

EMV application security

EMV specifications define a four-element framework for the security of credit/debit card payment applications:

■ Card authentication – The means by which a terminal can ascertain that a card is genuine. (See section below on SDA and DDA).

■ Risk management parameters – The card records all transactions and decides when pre-set thresholds (cumulative or single transaction value) have been reached, so triggering an on-line transaction.

■ Off-line PIN – Smart cards are able to store data securely, offering the opportunity for PIN verification to take place on the card itself. This saves the need to carry out a PIN-based transaction on-line.

■ Online mutual authentication – The means by which an Issuer can satisfy himself that a transaction has genuinely come from a specific and authentic card as well as the card ensuring that the approval/decline response has been sent by the authentic Issuer.

EMV does not specify the cryptographic algorithms and key management schemes to be used for authenticating transactions. It does define an eight-byte data element called an Application Cryptogram that is securely bound to the details of each transaction. The fact that different key management methods and algorithms may be adopted is perfectly satisfactory since the cryptogram is not an interoperability parameter, being handled only by the card itself and Issuers’ transaction authorisation systems.
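The two elements above that the guide leaves to the Issuer, the card's risk management thresholds that force a transaction on-line and the eight-byte Application Cryptogram bound to that transaction, as an added Python illustration that is not code from the guide or from any card scheme. Because EMV leaves the algorithm and key scheme open, HMAC-SHA256 truncated to eight bytes stands in for a scheme MAC, the per-card key is derived from an Issuer master key in the way the Data preparation section later describes, and the master key, PAN, dates, thresholds and amounts are all constructed samples.

```python
import hashlib
import hmac

# Constructed sample Issuer master key; in practice it never leaves the Issuer's security module.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def derive_card_key(issuer_master_key, pan, pan_sequence):
    """Data preparation step: one unique key per card, derived from the Issuer master
    key and the card's PAN. Only the derived key is loaded onto the chip; the Issuer
    re-derives it at authorisation time rather than storing every card key."""
    label = f"{pan}:{pan_sequence:02d}".encode()
    return hmac.new(issuer_master_key, label, hashlib.sha256).digest()


def application_cryptogram(card_key, txn):
    """8-byte Application Cryptogram bound to the transaction details. EMV leaves the
    MAC algorithm to the Issuer; HMAC-SHA256 truncated to 8 bytes stands in here."""
    fields = ("amount", "currency", "date", "unpredictable_number", "atc")
    bound = "|".join(str(txn[k]) for k in fields).encode()
    return hmac.new(card_key, bound, hashlib.sha256).digest()[:8]


class Card:
    """Chip-side state: derived key, transaction counter and the risk management
    parameters the Issuer set at personalisation (amounts in minor currency units)."""

    def __init__(self, card_key, single_txn_limit, cumulative_offline_limit,
                 max_consecutive_offline):
        self.key = card_key
        self.single_txn_limit = single_txn_limit
        self.cumulative_offline_limit = cumulative_offline_limit
        self.max_consecutive_offline = max_consecutive_offline
        self.atc = 0                   # Application Transaction Counter
        self.offline_total = 0         # value approved offline since the last reset
        self.consecutive_offline = 0   # offline approvals since the last reset

    def decide(self, amount):
        """Card risk management: may this transaction be approved offline?"""
        if amount > self.single_txn_limit:
            return "online"
        if self.offline_total + amount > self.cumulative_offline_limit:
            return "online"
        if self.consecutive_offline >= self.max_consecutive_offline:
            return "online"
        return "offline"

    def transact(self, amount, currency, date, unpredictable_number):
        """Advance the ATC, decide offline/online and return the decision, the
        transaction record and its cryptogram (kept for clearing if approved
        offline, sent to the Issuer for authorisation if online)."""
        decision = self.decide(amount)
        self.atc += 1
        txn = {"amount": amount, "currency": currency, "date": date,
               "unpredictable_number": unpredictable_number, "atc": self.atc}
        if decision == "offline":
            self.offline_total += amount
            self.consecutive_offline += 1
        return decision, txn, application_cryptogram(self.key, txn)

    def reset_offline_counters(self):
        """Simplifying assumption: an Issuer-approved online transaction clears the
        offline counters (real schemes carry this in the Issuer's response)."""
        self.offline_total = 0
        self.consecutive_offline = 0


def issuer_verify(issuer_master_key, pan, pan_sequence, txn, cryptogram):
    """Issuer authorisation host: re-derive the card key and recompute the cryptogram."""
    card_key = derive_card_key(issuer_master_key, pan, pan_sequence)
    return hmac.compare_digest(application_cryptogram(card_key, txn), cryptogram)


def demo():
    """Four constructed transactions; the third breaches the cumulative offline limit."""
    pan, seq = "4999999999999999", 1  # constructed sample PAN and sequence number
    card = Card(derive_card_key(ISSUER_MASTER_KEY, pan, seq),
                single_txn_limit=5000, cumulative_offline_limit=8000,
                max_consecutive_offline=3)
    decisions, online_ok, tampered_ok = [], None, None
    for amount, un in ((1200, "1A2B3C4D"), (3500, "5E6F7081"),
                       (4800, "92A3B4C5"), (2000, "D6E7F809")):
        decision, txn, ac = card.transact(amount, "978", "050115", un)
        decisions.append(decision)
        if decision == "online":
            online_ok = issuer_verify(ISSUER_MASTER_KEY, pan, seq, txn, ac)
            # The same cryptogram presented with an altered amount must be rejected.
            tampered_ok = issuer_verify(ISSUER_MASTER_KEY, pan, seq, dict(txn, amount=48), ac)
            if online_ok:
                card.reset_offline_counters()
    return {"decisions": decisions, "online_verified": online_ok,
            "tampered_verified": tampered_ok}
```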

The card associations have defined for their members all the details not included in the EMV specifications. In addition some other schemes have evolved for specific geographical areas. An example is the UKIS scheme defined by APACS in the UK for smart card trials.

EMV smart cards need around 50 data items to be created for loading onto the chip. Between 10% and 20% of these are produced using cryptographic processes implemented on a security module such as the Thales P3CM. Secret values such as keys and PIN are also encrypted by the module using a shared key to ensure their secure transmission to the personalisation system.

In addition to general security principles, there are also local legislative issues that can have a bearing on card security. These include data protection laws, digital signature legislation and e-money legislation.

The choice of SDA or DDA in credit/debit applications

One of many decisions facing card Issuers is which of two alternative technologies to use when verifying the authenticity of smart cards when used in a terminal.

Magnetic stripe cards carry a card verification value (CVV) or card verification code (CVC) that can only be checked during on-line transactions.

Smart cards, designed from the outset to support off-line as well as on-line transactions, use two alternative techniques.

The simpler, and cheaper, of the two is SDA or Static Data Authentication. This is a process where the same digital signature is used by the card to authenticate itself to a terminal each time a transaction takes place. It does not require a public key co-processor on the card.

The more complex option is DDA or Dynamic Data Authentication. It creates a unique digital signature each time the card is used off-line rather than continually using the same one. This means that it is a more secure technology and consequently it is more expensive, requiring a public key co-processor on the card – something which can as much as double the unit cost.


Although less secure than DDA, Issuers remain confident in SDA because when a card goes on-line it generates a unique transaction-related cryptogram. The cryptogram means a “skimmed” card would be immediately recognisable, enabling it to be instantly disabled. The off-line risk remains, but its probability can be greatly reduced with careful configuration of the EMV risk parameters.
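The difference between SDA and DDA described above, as an added worked example that is not code from the guide or from any card scheme: a toy Python model using textbook RSA with small keys and SHA-256 in place of EMV's real signature format and its scheme-to-Issuer-to-card certificate chain, with a constructed sample card record. It shows the point the text makes about off-line risk: an SDA card's single fixed signature verifies equally well from any chip that presents the same bytes, whereas a DDA card must sign a fresh unpredictable number, which a copy of the card's readable data cannot do without the private key held inside the genuine chip.

```python
import hashlib
import os
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, sufficient for generating toy example keys."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Textbook RSA, toy key size, no padding: (n, e), (n, d). Illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(private_key, message):
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def personalise_sda(issuer_priv, static_data):
    """SDA card: static data plus ONE Issuer signature over it, replayed for life."""
    return {"static_data": static_data, "ssad": sign(issuer_priv, static_data)}


def personalise_dda(issuer_priv, static_data):
    """DDA card: also carries its own ICC key pair; the Issuer certifies the public half."""
    icc_pub, icc_priv = rsa_keypair()
    cert_body = static_data + icc_pub[0].to_bytes(64, "big")
    return {"static_data": static_data, "icc_pub": icc_pub,
            "icc_cert": sign(issuer_priv, cert_body),
            "_icc_priv": icc_priv}  # underscore: never readable from outside the chip


def readable_copy(card):
    return {k: v for k, v in card.items() if not k.startswith("_")}  # all but the private key


def terminal_sda(issuer_pub, card):
    """SDA check: the same bytes verify every time, whichever chip presents them."""
    return verify(issuer_pub, card["static_data"], card["ssad"])


def chip_dda_sign(card, unpredictable_number):
    """Runs inside the chip: sign the terminal's fresh challenge with the ICC private key."""
    return sign(card["_icc_priv"], unpredictable_number + card["static_data"])


def terminal_dda(issuer_pub, card, respond):
    """DDA check: validate the ICC certificate, then require a signature over a fresh 4-byte UN."""
    cert_body = card["static_data"] + card["icc_pub"][0].to_bytes(64, "big")
    if not verify(issuer_pub, cert_body, card["icc_cert"]):
        return False
    un = os.urandom(4)  # EMV's Unpredictable Number; `respond` is what the presented chip answers
    return verify(card["icc_pub"], un + card["static_data"], respond(un))


def demo():
    """Run a genuine card and a copy of its readable data through both checks."""
    random.seed(7)  # reproducible toy keys for the example
    issuer_pub, issuer_priv = rsa_keypair()
    static_data = b"PAN=4999999999999999;EXP=0501;NAME=A N OTHER"  # constructed sample record
    sda_card = personalise_sda(issuer_priv, static_data)
    dda_card = personalise_dda(issuer_priv, static_data)
    dda_copy = readable_copy(dda_card)
    stale_response = chip_dda_sign(dda_card, os.urandom(4))  # one response seen in an earlier transaction
    return {
        "sda_genuine": terminal_sda(issuer_pub, sda_card),
        "sda_copy": terminal_sda(issuer_pub, readable_copy(sda_card)),
        "dda_genuine": terminal_dda(issuer_pub, dda_card, lambda un: chip_dda_sign(dda_card, un)),
        "dda_copy": terminal_dda(issuer_pub, dda_copy, lambda un: stale_response),
    }
```

The copy passes the static check and fails the dynamic one, which is why the guide pairs SDA with on-line cryptogram checks and careful risk parameters rather than relying on the off-line check alone.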


Critical questions about application security

■ Do I want the extra security of DDA?

■ What EMV risk management parameters should I select and what values should they be set to?

■ Will I use the off-line PIN functionality and what other, if any, Cardholder Verification Methods should I support?

■ Is there legislation, such as data protection law, that might impact the security of my applications?

■ How can I modify the off-line PIN after the card has been issued?

■ How can I modify the EMV parameters after the card has been issued?

■ How do I manage the information flows and business rules when I allow third party applications to make use of my card real estate?

Further information

■ Thales e-Security

■ EMVco

■ MasterCard

■ Aconite Solutions

■ JCB

■ Visa

Smart card selection

Proprietary card platforms

Manufacturers that have spent vast sums developing smart card technology quite sensibly wish to maximise the return on their investment. One way they can do this is by making it advantageous for Issuers to buy all their smart cards from a single source, rather than from two or more.

The cards may be cheaper, or perhaps offer distinctive functionality – but unlike open platform cards (see below) they are proprietary and therefore not capable of interoperating with cards from other vendors.

Card price is primarily determined by the memory size (EEPROM or E2PROM). Multi-application cards require larger memory – typically 16K or above EEPROM – to store the additional information. Proprietary, single application cards use less memory – typically in the range 2-4K EEPROM – and are therefore cheaper.

There are over 20 vendors of smart cards globally. Most have single application as well as multi-application platforms with memory capacities ranging from 2 to 64 Kbytes. Many offer data preparation and card personalisation services to support their proprietary schemes.

It is not within the scope of this paper to provide an analysis of the differences between the proprietary schemes. Readers wishing to explore them should contact card vendors for information.

Multi-application, open card platforms

As is the case with so many technologies, vendors and interest groups use many different and contradictory definitions and terms to describe smart cards.

Safe positioning statements to make about an open smart card are that it:

■ Supports a wide variety of suppliers in both chips used and card software and applications implemented

■ Supports standards-based application development and maintenance/support

■ Supports selectable levels of security

■ Facilitates partnership and co-developments with companies in the same and in other industries

■ Allows Issuers to experiment in finding and developing new value propositions

■ Has a declared development path that aims to protect existing investment.

Card buyers talking with multiple vendors will be offered a number of different multi-application architectures including Java Card, GlobalPlatform and MULTOS.

Java Card

Java Card is not an operating system but a series of specifications, which defines how a Java Virtual Machine can run on any vendor’s underlying operating system.

In most cases Java implementations are migrating toward support of the GlobalPlatform standards and API described below.


GlobalPlatform Card

This is a comprehensive system architecture (published at www.Globalplatform.org) designed to enable fast and easy development of globally interoperable smart card systems.

It includes published APIs and specifications that enable any compliant card from any vendor to be issued, loaded with applications and managed in exactly the same way.

GlobalPlatform sits above the Card OS (it accommodates multiple card OS solutions) and provides the security framework (and other features) for multiple card applications. A major benefit is the comprehensive security it delivers to Issuers, enabling them to retain total control of the card and applications.

MULTOS Card

MULTOS is a high-security multi-application card operating system. It has been developed as an open platform for financial and related applications.

The security of the operating system and its applications is based on asymmetric cryptography, simplifying the secure loading and deletion of applications. All MULTOS chips have a public key co-processor as standard.


Critical questions about smart card selection

■ Do I want a single or multi-application card?

■ Will I select a proprietary card supplied by one supplier, or choose an open platform solution with cards from multiple vendors?

■ What memory size do I need on the card?

■ Will I apply segmentation to my card base and will I create a mix of proprietary EMV-cards and Open Platform cards?

Further information

Card platforms

■ GlobalPlatform

■ MAOSCO (MULTOS)

Card suppliers

■ Austria Card

■ Cardag

■ DNP

■ Fabrica Nacional

■ G&D

■ Gemplus

■ Hitachi

■ ID Data Systems

■ Incard

■ Infineon

■ Iris Tech

■ Novacard

■ Oberthur

■ Orga

■ PPC Card Systems

■ Schlumberger

■ Setec

■ Toppan

■ Keycorp

Upgrading the existing back office systems

Magnetic stripe card issuance and management is supported by tried and tested legacy back office systems.

One challenge for Issuers looking to migrate to EMV smart cards is how to provide similar automated support facilities for the new card technology. Single application smart cards are significantly more complex and therefore demanding of support systems than magnetic stripe cards.

This is one reason why upgrading or modifying existing support systems to handle smart cards is thought by most experts to be not cost-effective.

Multi-application smart cards present back office support systems with an even more complex support task. The route preferred by most Issuers, particularly those moving to multiple-application cards, is therefore to concentrate smart card issuance and management support in a separate, dedicated solution that interfaces to the legacy back office issuing and acquiring systems.

Such a solution is called a Smart Card Management System.

Smart card management systems

Smart Card Management Systems (SCMS) manage cards and applications throughout their entire lifecycle, before and after issue to customers. They enable the loading, blocking or deleting of applications at any time, and make new card-based services instantly available via the Internet or private network.

Smart Card Management Systems also store details of every smart card issued, making the replacement of lost or stolen cards both fast and simple. The same information can also be used to create a comprehensive database of cardholders and their application preferences.

Some smart card management systems support the setting and changing of application parameters during issuance and in the field, including EMV risk parameters.


Critical questions about upgrading back office systems

■ Do I want to source my cards from multiple vendors?

■ Do I want to support more than one different card type or card platform (like Gold, Platinum, VISA, MasterCard, TIBC, Credit, Java, Proprietary, debit, M-chip, Multos etc.)?

■ Do I want to set and dynamically update my EMV risk parameters?

■ Do I want a single application card, multiple application card or a mixture?

■ How do I ensure that my systems support my future strategies?

■ How can I interface between my issuance and acquiring systems?

Further information

■ ACI Worldwide

■ Bell ID

■ Cardbase

■ Cards etc.

■ Datacard

■ Proton

Data preparation and card personalisation overview

Data preparation is the process by which user-specific data and the complex cryptographic keys needed for security are generated. It is the first of two steps toward readying a new card for issue.

The second is card personalisation. It includes the application of brand printing, magnetic stripe encoding, security holograms and perhaps photographs, as well as the embossing and indenting of typographical characters. Smart cards also require electronic personalisation. The already prepared user data and cryptographic keys are securely loaded to the card, together with one or more applications.

The smart card is now ready for issue.

Smart cards, with their much stronger security than magnetic stripe technology, require considerably more data to be generated. Substantial changes to established processes are required and many Issuers will take the opportunity for a complete re-evaluation of their data generation and personalisation arrangements.

Three main business models

There are three main models for data preparation and the subsequent card personalisation. The decision over which one is adopted is usually based on best practice security considerations as well as cost:

Outsource data preparation and card personalisation to a bureau

The Issuer sends existing magnetic stripe records output from its host system to a bureau that carries out the entire process from data and cryptographic key generation to card personalisation.

Data preparation in house, card personalisation outsourced to a bureau

The Issuer processes existing magnetic stripe records output by their host system, generating data and cryptographic keys in house. It then sends the resulting file containing all the traditional magnetic stripe and additional chip data to a bureau where smart cards are personalised. In this model the bank retains control of its own cryptographic master keys.

Data preparation in house, card personalisation in house

The Issuer processes existing magnetic stripe records output by their host system, creating the cryptographic keys and extra data required for EMV cards. It then personalises smart cards using a desktop personalisation machine or high volume personalisation system in house.


[Figure: cardholder record fields: name, age, D.O.B, Address, A, B, C, D, Expires, Sort Code]

Critical questions about data preparation and card personalisation

■ Which model should I adopt for data preparation and card personalisation?

Further information

See sections on Data Preparation and Card Personalisation.


Data preparation

Principal approaches to data preparation

Data preparation can be achieved with any of the three following methods:

Development of own host system

A route chosen by some Issuers is to develop the required data and key generation technology in house. It is only an option for Issuers with particularly well-funded internal IT departments, and it does have significant ongoing implications in terms of cost and pull on resources.

This is because data and key generation is a complex, specialist field and not one in which generalist IT developers can rapidly gain expertise. There are many instances where internal development programs have been started, then abandoned as the scale of the task became apparent and as costs rapidly escalated. Another factor is constantly changing specifications that further absorb costly development time and divert IT staff from core activities.

Outsource

Outsourcing data preparation to a bureau is therefore seen by some as a better alternative. However, it too has its potential downside. Today’s bureaus offer a highly secure solution with the very highest integrity. Even so, many Issuers will still insist on keeping smart card data preparation in house. This may be for legal or contractual reasons, but it is more likely to be because of a conservative approach to risk management. Central to best practice in security is that the number of people handling cryptographic keys is kept to an absolute minimum. Outsourcing introduces more people into the production chain and therefore introduces more potential points of weakness or attack. It also requires Issuers to cede responsibility for managing the extra risk, and therefore ultimately the integrity of scheme security, to a third party.

In-house with EMV data preparation solution such as Thales P3™

Many, perhaps most Issuers, have a fundamental aversion to anything less than 100% control over security. They have always generated the data for much simpler magnetic stripe cards in-house and will wish to continue to do so for smart cards. They do not see in-house development of a data generation system as an option because of cost and drain on IT resources.

Their solution will be the purchase and in-house operation of a data preparation system such as the Thales P3.

P3 integrates with host systems and card personalisation devices to generate EMV smart card data and keys from existing magnetic stripe card files.

EMV parameters

The process of data preparation includes the setting of EMV parameters for risk management purposes. These parameters offer the Issuer options to tailor risk management to batches of cards, or if required sometimes even on a per-card basis. With a potentially confusing number of combinations of parameters, the card associations offer recommended sets of parameters for Issuers to adopt.

Key management

Rigorous key management is essential for securing data preparation.

The system must be able to generate cryptographic keys, be able to receive cryptographic keys and certificates from organisations such as Visa or MasterCard and also manage the keys during the personalisation process.

Unlike magnetic stripe data, EMV smart card data contains potentially sensitive information, such as keys derived from Issuer master keys. This means that every step in the process needs to be secured using cryptographic hardware.


The five main areas of key management that a data preparation system must be able to handle are:

■ Key generation for each application

■ Storage of the master key and transport keys

■ Key distribution to secure the personalisation process

■ Key update of the existing keys

■ Exchange of the public keys with scheme certification authorities (i.e. JCB, MasterCard and Visa)


Critical questions on data preparation

How do I want to do data preparation?

1) Change host system

2) Deploy P3-type solution

3) Outsource

Do I select a standard set of EMV parameters as recommended by my card association or do I select my own?

Does my data preparation system provide all the key management functionality I require and is it secure?

How do I manage my card products?

How do I handle large volumes of cards to be issued?

How do I manage the workflow?

Further information

■ Thales e-Security

■ Cryptomathic

■ UBIQ

Card personalisation

Card personalisation can be a costly and complex business, depending on the size of the cardholder base and the number of different card products that an Issuer offers.

The larger Issuers have historically employed their own in-house card personalisation bureaus for the production and issuance of cards. High card volumes help justify the expense of secure premises, card personalisation systems and skilled staff.

There are three options when considering personalisation:

In house bureau
It is believed that the majority of cards will be issued from central in-house bureaus for the foreseeable future. Smart card personalisation is slower than magnetic stripe personalisation, mainly due to the vastly increased amount of data and cryptographic keys to be loaded onto each card. However, personalisation equipment providers have developed solutions to this problem, including systems that program multiple cards simultaneously.

External bureaus
Most bureaus are also card manufacturers, who realised that they were missing out by not providing a much needed value-added service.

There are over 90 Visa/MasterCard certified card manufacturers worldwide, and the majority of these also provide personalisation services. Most bureaus are regional, but there are global players including SchlumbergerSema, Gemplus, Oberthur and G&D.

Distributed or remote instant issuance
From a bank customer's perspective, card issuance is a slow process. Most are resigned to the fact that, even in the quickest of systems, many days elapse between the completion and submission of the application form and the arrival by separate post of the card and its PIN.

Instantaneous production of smart cards at the point of application will become an important marketing tool for Issuers in the near future. It is already a feature of magnetic stripe card products in some countries.

In regions with good telecommunications, remote sites will be able to communicate in real time with the centralised host system for the generation of card data. If telecommunications are poor, Issuers will have to adopt a distributed issuance model, where details are stored and forwarded to a central system later. In either model the card keys still have to be generated in an HSM and reach the issuing device in encrypted form; a distributed model that must generate keys locally therefore needs secure hardware, and the same key management controls, at every issuing site.

Post-personalisation
Multi-application smart cards can be re-programmed in the field. New applications can be loaded and old ones removed when the cards are used at compliant terminals.

Called post-personalisation, this powerful feature gives card Issuers the ability to provide a card product that better supports the lifestyle of their customers, promoting usage and providing cardholders with greater benefit and perceived value.

In order to support this business model, Issuers need to deploy infrastructure (such as a Smart Card Management System) that allows the generation and delivery of secure personalisation data, in the correct format for the target card, to remote devices in real time.


Physical and cryptographic security considerations
The card stock has to be physically protected during the production and personalisation stages. From the production process perspective, security controls have to be implemented once the white plastic has had the Issuer and card association logos, brands and holograms applied. This includes physical protection of premises as well as management control and procedures. The stringent physical security controls aim to stop printed unpersonalised cards from finding their way into the wrong hands, where they could conceivably be used fraudulently, causing harm to the Issuer and Association brands.

It is standard practice for the international card associations to audit annually all facilities that produce association branded cards.

There are major differences between the cryptographic security arrangements on magnetic stripe bankcards and those on smart cards.

Magnetic stripe card production involves the generation of three cryptographic elements:

■ PIN Verification Value (stored on magnetic stripe)

■ Card Verification Value/Code I (stored on magnetic stripe)

■ Card Verification Value/Code II (printed on reverse of the card)

This is typically carried out by the Issuer using a suitable hardware security module during the production of card data. The values are then included in the card record, and the batch file is subsequently used for personalisation.

Once these values have been produced they cannot be reversed to recover the keys that generated them, and on that basis Issuers have not traditionally been required to protect the individual data elements in transit from the Issuer host to the personalisation system. The argument should not be pushed too far, however: the PVV, CVV1 and CVV2 are static values, and a batch file that discloses them alongside the PAN and expiry date contains everything needed to encode a counterfeit magnetic stripe or to attempt card-not-present fraud. It should therefore be recognised that most Issuers still protect the batch file during transmission to the personalisation machine.

Smart card production is designed as a cryptographically secured process, with a final round of cryptographic processing before applications, Issuer and cardholder data are loaded onto a smart card. Card data arrives at the personalisation system encrypted and with an associated message authentication code, so that it can be neither read nor altered in transit. Blank cards are also cryptographically locked at the initialisation stage following manufacture, and will only accept data following presentation of the correct so-called transport key.


Critical questions on card personalisation

Where do I want to personalise my cards?

1) In house bureau?

2) Outsource to a 3rd party bureau?

3) Instant issuance at a branch level?

Do I want to consider post-personalisation of new applications to my cards?

How do I manage the workflow?


Further information

Personalisation machine suppliers

■ Atlantic Zeiser

■ CIM

■ Datacard

■ Datacard - Gilles Leroux

■ Fargo

■ Logika

■ Mattica

■ Mulbauer

■ NBS

■ Orga

Personalisation bureau services

■ Gemplus

■ G & D

■ Oberthur

■ SchlumbergerSema

Acquiring and Terminal Network Challenges

Overview
Despite only being concerned with the process flow between terminal and smart card, the EMV specification has implications for retail bank host systems, and for ATM and EFTPoS systems.

Issuer Transaction Processing and Host Systems

Hosts must be upgraded to process on-line or batch transactions from devices using message protocols enhanced from their magnetic-stripe equivalents. Network interfaces will need enhancing to transmit EMV data when transactions are switched out to Issuer banks for authorisation. And on-line authorisation capabilities will also require upgrading.

With on-line EMV transactions, Issuers receive extra chip-related data in the on-line message and must reply to the Acquirer, and therefore to the device, with additional response data. This includes verifying the Authorisation Request Cryptogram (ARQC) generated by the card and returning an Authorisation Response Cryptogram (ARPC), a process known as on-line mutual authentication (OMA): a correct ARQC proves to the Issuer that a genuine card took part in the transaction and that the transaction data has not been altered, and a correct ARPC proves to the card that the response really came from its Issuer. The Issuer's host needs to be enhanced to provide this processing, which it does in conjunction with the host security module: the Issuer Master Key is held encrypted under the HSM's local master keys, and the HSM derives the card's unique key from it (using the PAN and PAN sequence number) in order to check the ARQC and compute the ARPC, so that no card key is ever exposed in clear on the host.
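On-line mutual authentication, together with the card key derivation that ties it back to the key management step described under data preparation, as an added worked example. This is editor-supplied Go code, not anything from the Thales P3, the Thales HSM or any other product named in this guide, and it does in software what an HSM does in hardware. It assumes EMV Book 2's Option A master key derivation, ISO/IEC 9797-1 MAC Algorithm 3 with padding method 2 for the cryptogram, and ARPC Method 1; the Issuer Master Key, PAN, PAN sequence number and CDOL1 transaction data are constructed for the demonstration, and scheme-specific details the guide does not cover (session key derivation from the ATC, exact CDOL1 contents, padding variants) are simplified as noted in the comments.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed demo values (not real keys or card data): a 16-byte IMK and one transaction's CDOL1 data.
var demoIMK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
var demoTxn, _ = hex.DecodeString("000000001000000000000000082600000000000826020315001A2B3C4D5C000001")

// tdes builds a two-key Triple-DES block cipher (K1 || K2 || K1) from a 16-byte key.
func tdes(key16 []byte) cipher.Block {
	b, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err) // only reachable with a key that is not 16 bytes
	}
	return b
}

// DeriveUDK is EMV Book 2 Annex A1.4.1 (Option A): Y = rightmost 16 digits of PAN||PSN,
// UDK = 3DES(IMK)[Y] || 3DES(IMK)[Y xor FF..FF]. Data preparation and the Issuer host both run it.
func DeriveUDK(imk []byte, pan, psn string) ([]byte, error) {
	digits := pan + psn
	for len(digits) < 16 {
		digits = "0" + digits
	}
	y, err := hex.DecodeString(digits[len(digits)-16:]) // decimal digits packed as BCD
	if err != nil {
		return nil, fmt.Errorf("PAN/PSN must be decimal digits: %w", err)
	}
	yc := make([]byte, 8)
	for i := range y {
		yc[i] = y[i] ^ 0xFF
	}
	b, udk := tdes(imk), make([]byte, 16)
	b.Encrypt(udk[:8], y)
	b.Encrypt(udk[8:], yc)
	return udk, nil
}

// MacAlg3 is ISO/IEC 9797-1 MAC Algorithm 3 with padding method 2 (0x80 then zeros), the EMV
// Book 2 Annex A1.2 cryptogram MAC; the UDK is used directly (some schemes derive a session key first).
func MacAlg3(key16, data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%8 != 0 {
		msg = append(msg, 0x00)
	}
	k1, _ := des.NewCipher(key16[:8])
	k2, _ := des.NewCipher(key16[8:])
	h := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := 0; j < 8; j++ {
			h[j] ^= msg[i+j]
		}
		k1.Encrypt(h, h)
	}
	k2.Decrypt(h, h)
	k1.Encrypt(h, h)
	return h
}

// VerifyARQC checks a card's ARQC over the transaction data in constant time.
func VerifyARQC(key16, txnData, arqc []byte) bool {
	return subtle.ConstantTimeCompare(MacAlg3(key16, txnData), arqc) == 1
}

// GenerateARPC is EMV Book 2 8.2.1 (ARPC Method 1): 3DES(key)[ARQC xor (ARC || 00 00 00 00 00 00)].
func GenerateARPC(key16, arqc, arc []byte) []byte {
	in := make([]byte, 8)
	copy(in, arc[:2]) // ARC is the 2-byte authorisation response code, e.g. "00" for approved
	for i := range in {
		in[i] ^= arqc[i]
	}
	tdes(key16).Encrypt(in, in)
	return in
}

// IssuerAuthorise is the Issuer host's half of on-line mutual authentication, normally run inside
// the HSM: re-derive the card key, check the ARQC, return the ARPC; nil means the ARQC failed.
func IssuerAuthorise(imk []byte, pan, psn string, txnData, arqc, arc []byte) []byte {
	udk, err := DeriveUDK(imk, pan, psn)
	if err != nil || !VerifyARQC(udk, txnData, arqc) {
		return nil
	}
	return GenerateARPC(udk, arqc, arc)
}

func main() {
	pan, psn := "4999123456789012", "00" // constructed test PAN, not a real card
	udk, _ := DeriveUDK(demoIMK, pan, psn)                                  // data preparation
	arqc := MacAlg3(udk, demoTxn)                                            // card, at GENERATE AC
	arpc := IssuerAuthorise(demoIMK, pan, psn, demoTxn, arqc, []byte("00")) // Issuer host + HSM
	fmt.Printf("UDK %X\nARQC %X\nARPC %X\n", udk, arqc, arpc)
	// The card recomputes the ARPC under its own key before it accepts the response.
	fmt.Println("card accepts ARPC:", subtle.ConstantTimeCompare(arpc, GenerateARPC(udk, arqc, []byte("00"))) == 1)
}
```

IssuerAuthorise is the operation that in production executes inside the HSM with the IMK stored under the HSM's local master key, which is the point of the paragraph above: the host only ever handles the PAN, the cryptograms and the response code, never a clear card key. Any change to the amount or other CDOL1 data makes the ARQC fail and the host returns no ARPC, and the card will reject a response whose ARPC was not computed under its own key. Issuer scripts use the same MAC construction under a separate secure messaging key.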

EMV allows Issuers to use scripts to modify data elements such as the PIN or risk parameters on a smart card during on-line transactions. Since this is a sensitive process, these scripts must be secured with cryptography, again involving the use of an HSM: each script command carries a message authentication code computed under a key derived from the card's secure messaging master key, and a new PIN is additionally enciphered, so a card will act only on commands that genuinely come from its Issuer. As scripts are now being generated by the on-line host processor, this demands much closer integration with card management systems than is the case with magnetic stripe cards.

Where banks are both Issuers and Acquirers, all of the changes described here are applicable.

Interchanges
There are multiple interchanges (or switches) operating in most countries, the most well known being the international interchanges operated by Visa and MasterCard. They act as network hubs, routing on-line authorisations from the Acquirer (acceptor) of a transaction to the Issuer for authorisation.

To correctly route EMV transactions, interchanges, like host systems, will need to handle the enhanced inter-bank transaction protocols required by smart cards.

Settlement
Currently most Acquirers and Issuers settle regularly with an interchange. This is normally done through an exchange of batch files (for example Visa Base2) between the interchange and its member banks. EMV impacts this process by adding chip-related data to the transaction records within these files.


Critical questions about Issuer Transaction Processing and Host Systems

Do I want to be able to change EMV parameters on already-issued cards (for example increasing the card's transaction value limit)?

Has my interchange or switch been enhanced to accept EMV related data?

Has my settlement process been enhanced to accept EMV related data?

Is my infrastructure capable of blocking cards and applications if needed?

Have I upgraded my host system to accept OMA (Online Mutual Authentication, ARQC/ARPC)?

Will my host system cope with the volume of extra data associated with EMV?

Will I need to support the generation of Issuer scripts and, if so, has my host been upgraded to do this?

Further information

Transaction Processing

■ ACI Worldwide

■ Aconite Solutions

■ E-Funds

■ IFS

■ Logika

■ Mosaic

■ Nomad

■ S2Systems

■ Thales e-Security

Type approval

■ EMVco

■ MasterCard

■ Visa

■ JCB

Transaction authorisation and Terminal Acquiring

■ ACI

■ Aconite Solutions

■ CR2

■ IBM

■ Mosaic Software

■ Nomad

■ Oasis

■ SchlumbergerSema

ATM/EFTPoS networks

The change from magnetic stripe to smart cards will not happen overnight. Magnetic stripe cards will be in use for many years to come. During the transition, terminals, payment networks and host systems must support both types of card.

Type approval
For a terminal to be legitimately used for accepting EMV transactions it must first have been certified (type approved) by a body appointed by the card schemes. EMVCo has worldwide responsibility for EMV terminal type approval, but the testing itself is subcontracted to qualified test laboratories.

Certification testing is at two levels. Level 1 concerns mainly terminal hardware: it verifies communications with the chip card and checks for correct electro-mechanical interaction.

Level 2 concerns mainly terminal software and ensures compliance with the EMV specifications for transaction flow and card/terminal interaction.

Any terminal used by banks for acquiring EMV transactions must be approved at both Level 1 and Level 2. Terminal hardware and software may legitimately come from different vendors, in which case each vendor obtains type approval for its own component (Level 1 for the hardware, Level 2 for the software) independently.

Terminals
The majority of ATM and EFTPoS terminals in current use only perform magnetic-stripe based transactions; some of them have chip-capable hardware but would require a software upgrade to use it. Others support smart cards, but typically to older versions of the EMV specification, and will also need upgrading.

A small number of ATM networks have been performing chip-based transactions for some years. Use of the magnetic stripe is still anticipated, although in the future it will mainly be used to establish the correct orientation of the card, except of course for magnetic stripe transactions when a non-chip card is used.

ATMs typically need a substantial software upgrade to cope with EMV cards. Many of the leading ATM manufacturers have already released type approved software, but to date there are few deployments. The slow take-up is partly due to such software only recently becoming available, and partly due to the enhancements needed at host systems to accommodate the new application protocols.

Hardware upgrades are also required on some ATMs. The size of the upgrade is very dependent on the particular style of ATM, but varies from a simple change to the card reader to a full upgrade of the ATM processor.

For stand-alone dial-up EFTPoS terminals already incorporating chip card readers, EMV acceptance is simply a matter of upgrading the resident software application. Such terminals are usually owned by Acquirer banks or processors, making upgrades the responsibility of those organisations and not the retailer.

Such a software upgrade can often be made remotely over the terminal network. However, this will also require an enhanced transaction protocol between terminal and host, necessitating an upgrade at the host as well. As the protocols involved tend to be simpler than those used with ATMs, such host enhancements are not normally a major obstacle to EFTPoS smart card acceptance.

Those stand-alone EFTPoS terminals that do not currently accept smart cards require either a hardware upgrade or replacement. The upgrade route may seem the most cost effective, but the owner must be aware that there are performance considerations to be taken into account. For example, an old generation product that has been upgraded may give lengthy chip transaction times due to the increased processing requirements. This will only get worse in the future with the introduction, for increased security, of longer public keys for offline data authentication, which cost the terminal more processing on every transaction.


Consequently, the short term cost advantages of hardware upgrades must be balanced against the impact on customer satisfaction (longer waiting times at the checkout). The ideal solution is to replace the entire estate with the latest generation products, but this can be costly. For those markets that are migrating to PIN customer verification (such as the UK) the situation is even more complex: upgrades will have to consider not only chip but also PIN acceptance.

The situation is complicated somewhat by a second category of retail EFTPoS terminal. Many large multi-lane retailers like supermarkets and department stores use integrated EPoS devices that combine payment and checkout functionality. Upgrades will require significant programming effort to integrate the software applications that handle bar code scanning, inventory and other functions with the EMV payment transaction process.

As these devices are owned by the retailers themselves, upgrades (and in the UK, off-line PIN also) will be their responsibility. In general, however, retailers are viewing the shift to EMV positively. There will, for example, be simpler point-of-sale procedures with less reliance on paper signatures, reduced potential for fraud, faster checkout times, higher floor limits, and more scope for unattended terminals through the use of offline PIN.

Critical questions about ATM/EFTPoS networks

Have I upgraded my ATM/EFTPoS network to physically accept EMV cards?

Have I upgraded my ATM/EFTPoS terminal software to accept EMV cards?

Have I selected terminal and hardware that has already been appropriately type approved?

Have retailers in my markets agreed to update retailer owned EFTPoS terminals?

Have the retail outlets in my region been educated about EMV?

Has my ATM/EFTPoS management system been upgraded for EMV?

Have I taken into account the testing and approval process of EMV ATM/EFTPoS terminals in my implementation plan?

Is my implementation future proof - i.e. processor speed, memory, and will terminals handle multiple applications in the future?

Do I replace or upgrade my ATM/EFTPoS network?

How long will it take to upgrade my ATM/EFTPoS network?

What training will I perform/recommend for retailers?

What do I do with my old terminals?

Further information

■ ACI

■ Aconite Solutions

■ Ingenico

■ Mosaic Software

■ NCR

■ Thales e-Transactions

■ Verifone

Appendix 1 – Contributors to this document

Thales

Thales, one of the globe's leading suppliers of integrated security solutions, addresses the business security needs of corporates and governments alike, protecting transactions, networks, identification documents and sensitive sites. Thales' security capability extends to security and payment technology for financial transactions, networks and e-commerce. An acknowledged expert in smart card technology and applications, Thales is a European leader in security critical electronic payments, integrated Electronic Fund Transfer (EFT), e-purse payment and secured keyboards, as well as being the UK's leading supplier of electronic card payment terminals.

ACI
www.aciworldwide.com

ACI has been a leading company for more than 25 years, with a worldwide presence in more than 80 countries, focusing on payment engines for the financial industry and smart card management systems. Amongst ACI's more than 2000 customers are the leading financial institutions. ACI's Smart Card Division is based in Gouda, the Netherlands. It develops and delivers products to handle the complete issuance, life-cycle management and workflow management of smart cards of any type and purpose.

ACI views EMV migration as of prime strategic importance. Its wide ranging product suite (ACI Smart Chip Manager, Base24), covering both the issuing and acquiring side of the business, has already helped over 50 banks to migrate to EMV. ACI's expertise in the EMV arena has been a key factor in successful migration projects.

ACI Smart Chip Manager is deployed in the financial industry, health care, public transport, ID and Government. Implementations range from small-scale single-application pilots to large-scale rollouts of leading-edge multi-application schemes containing many millions of cards.

Banks aiming for the simplest form of EMV migration already reap the benefits of ACI Smart Chip Manager. Legacy systems can be seamlessly integrated into the new chip processes without the need for extensive re-engineering. Any mix of card and chip types can be supported.

One of the strong features of EMV is parameter management. ACI Smart Chip Manager provides this capability as an additional module. It interfaces to ACI's acquiring systems or third party payment engines and terminal management systems.

It is a challenge for most issuers to finally migrate to a full multi-application smart card scheme. ACI Smart Chip Manager can easily be extended to full multi-application operation, including additional post-issuance functionality.

Aconite
www.aconite.net

Aconite is a business IT consultancy and software solutions provider with specialist expertise in smart card systems, EMV, Security and e-Trust.

Aconite invests in solutions which address EMV migration, smart card systems management, business IT and trusted computing.

Established in 2000, Aconite has expanded at pace, gathering a dynamic team with unique experience in their respective fields. Aconite recruits experienced professionals with a combination of technical skills and business acumen to apply technology effectively.

Working alongside leading financial institutions and retailers, Aconite's client list includes Royal Bank of Scotland, Standard Chartered Bank, Coutts & Co, Visa, LINK and Marks & Spencer.


Flexible, pragmatic and committed, Aconite provides clients with applied consultancy, inventive technology and business understanding. Delivering focused assistance in strategic, technical and operational areas, Aconite is a dependable partner for clients seeking to exploit innovative approaches to complex business issues.

Datacard
www.datacard.com

Datacard provides customers in more than 200 countries with the systems, software, and consultative expertise they need to launch and maintain profitable card programs. The company helped transform the world for consumers and card issuers more than 30 years ago by enabling secure, high-volume issuance of magnetic stripe-based financial cards. Today, more than 90% of the world's financial cards, and the majority of plastic cards used for other applications, are personalised with Datacard-brand systems and software. Many of the world's leading financial institutions and consumer marketers plan to issue single and multi-application smart cards, and Datacard's smart card infrastructure will be used to personalise, distribute and manage a vast majority of these cards. Through industry associations such as Global Platform and the Smart Card Alliance, Datacard is also helping to define and then implement open standards and interfaces needed to issue cards and manage the data needed within a comprehensive smart card issuance program. Datacard is a privately held company owned by the Quandt Family of Bad Homburg, Germany. Datacard is headquartered in Minnetonka, MN, with a sales and service network of direct sales organisations, dealers, distributors and value added resellers in over 120 countries. Additionally, worldwide operations include software development centres in the U.S., U.K., India and Japan. The company employs more than 1,600 people worldwide and generates annual revenues of more than $300 million.

Gemplus
www.gemplus.com

Gemplus helps its clients offer an exceptional range of portable, personalised solutions that bring security and convenience to people's lives. These include mobile Internet access, inter-operable banking facilities, e-commerce and a wealth of other applications.

Gemplus is the only completely dedicated, truly global player in the Smart Card industry, with the largest R&D team, unrivalled experience, and an outstanding track record of technological innovation.

Gemplus' offer in EMV: EMV Prime, a suite of solutions guiding banks on the optimal path to migration.

Whatever your EMV migration requirements, you will find that Gemplus has a solution that fits and a team of experts to help manage your project. EMV Prime was built on three years of experience in EMV migration and with assistance and feedback from clients all around the world. EMV Prime covers migration planning, development, piloting and all stages of deployment. The EMV Prime modules can be tailored to suit the needs of any client, whilst dedicated project management teams work with you to ensure that EMV Prime lives up to its reputation.

In 2001, Gemplus was the worldwide smart card leader in both revenue and total smart card shipments (source: Gartner-Dataquest, Frost and Sullivan). Gemplus was also awarded Frost and Sullivan's 2002 Market Value Award for its exceptional performance.

Gemplus trades its shares on Euronext Paris S.A. First Market and on the NASDAQ Stock Market™ as GEMP in the form of ADSs. Its revenue in 2001 was 1 billion Euros.


Giesecke & Devrient (G&D)
www.gdai.com

More than 30 years' experience in smart security for payment cards have made G&D a leading supplier of electronic payment cards. In only six years, 100 million banking cards have been issued using smart card software developed by G&D.

G&D is an accredited technology partner of all major international payment organisations, such as Europay International, MasterCard International, Visa International, Proton World and Discover.

With our technological edge in the development of chip card operating systems and applications, G&D has successfully migrated from a manufacturer of high quality magnetic stripe cards to a leading technology supplier of microprocessor and crypto processor cards.

G&D is represented on all important international standardisation committees, including the MAOSCO Consortium, Eurosmart, ETSI SMG 9, JavaCard Forum, People's Bank of China Technical Subgroup, ISO/IEC, Smart Card Forum, Global Chip Card Alliance and Global Platform Group.

Giesecke & Devrient (G&D) is an international technology group with 150 years of tradition. Founded in 1852, G&D first specialised in banknote printing and security paper manufacture, later adding currency automation systems to its product portfolio. Today, G&D is also a technology leader in the fields of smart cards and system solutions for telecommunications, electronic payments, transportation, health, ID, loyalty, pay-TV, multimedia and Internet security (Public Key Infrastructure).

The Giesecke & Devrient Group, headquartered in Munich, operates subsidiaries and joint ventures all over the world. G&D employs around 7,000 people worldwide and generated revenue of €1.12 billion in fiscal 2001.

GlobalPlatform
www.globalplatform.org

GlobalPlatform is the only cross-industry forum focused on the development, management and promotion of specifications for multiple application smart cards, smart card applications, and enabling devices. With support from its global Member organisations, GlobalPlatform promotes a standard framework facilitating the implementation of smart card programs in any industry around the world. GlobalPlatform allows flexibility in the choice of technologies and vendors through an emphasis on open standards for cards, terminals and support infrastructure. GlobalPlatform's card, terminal and systems specifications are the first open standards adopted by GlobalPlatform and will provide a solid foundation from which the organisation will define the future of multiple application smart cards.

GlobalPlatform totals fifty-six Members from across Europe, USA, Canada, Australia, Japan and Korea, including issuers, manufacturers, and vendors of multiple application smart cards, such as American Express, Hitachi, MasterCard International, JCB, NTT Corporation, Proton World, Schlumberger, Sun Microsystems, Thales, The Bank of Nova Scotia and Visa International, as well as several government bodies.

Hitachi Europe Ltd.
www.hitachi-eu.com/semiconductors

Hitachi Europe Ltd. is a wholly owned subsidiary of Hitachi, Ltd. Japan. It has operations throughout EMEA which provide sales, marketing, technical support and research and development. Hitachi's semiconductor and display products are key components in the fields of smart cards, communications, automotive, consumer, industrial, displays and system LSI. They include the SuperH™ RISC microprocessors, the H8 microcontroller family, smart card controllers, TFT displays, memories (Flash and SRAM), transistors and diodes, and network products. For reader enquiries or more information on the products and services offered in Europe by Hitachi Semiconductor, please visit the Web site.


Hitachi, Ltd.
www.global.hitachi.com

Hitachi, Ltd., headquartered in Tokyo, Japan, is a leading global electronics company, with approximately 320,000 employees worldwide. Fiscal 2001 (ended March 31, 2002) consolidated sales totalled 7,994 billion yen ($60.1 billion). The company offers a wide range of systems, products and services in market sectors including information systems, electronic devices, power and industrial systems, consumer products, materials and financial services. For more information on Hitachi, please visit the company's Web site.

JCB
www.jcbinternational.com

JCB is one of the international payment brands, alongside Visa and MasterCard, and is also the largest card Issuer and Acquirer in Japan in its own right. JCB launched its card business in 1961 and began expanding overseas in 1981. Its merchant network includes 9.78 million merchants, spans 189 countries and territories, and serves 42 million card members worldwide. As part of its international growth strategy, JCB has formed alliances with more than 320 leading banks and financial institutions globally to increase merchant coverage. JCB began full-scale issuance of smart cards in Japan in December 2001, with the "J/Smart" EMV application loaded, and has also been very active in the smart card migration in markets outside Japan. For further information, please visit the JCB International website.

Mosaic Software
www.mosaicsoftware.com

Mosaic Software develops leading-edge software solutions in the consumer transaction space. The Mosaic Software offices in the USA, UK, Australia and South Africa support clients that include financial institutions, retailers, telecommunications operators, transaction processors, Internet service providers, card issuers and data processing service providers.

Mosaic Software's product, Postilion, is a scalable, modular system designed to deliver consumer-generated transactions at every level of an EFT network. Postilion is currently installed in more than 30 countries, where it is used for ATM driving and monitoring, EFT switching and routing, EFTPoS credit/debit card transaction processing, Internet/call centre payment authorisations and mobile commerce applications. Postilion reduces transaction processing costs, improves analytical capabilities of customer transactions and increases overall transactional revenues. Postilion is fully EMV compliant and can support EMV migration with two specific solutions:

Postilion EMV Gateway is a low-cost, fast track solution for EMV smart card compliance. Both Acquirers and issuers can achieve EMV compliance for online transaction processing by front-ending their incumbent systems with the Postilion EMV Gateway. Magnetic stripe transactions are processed by the existing system infrastructure while EMV transactions are routed directly from the Postilion EMV Gateway, avoiding the need to upgrade the incumbent system to support EMV data fields.

Postilion for Chip and PIN offers multi-lane retailers a means to rapidly support EMV chip cards and secure PIN processing at the point of sale. Further benefits are the ability to offer sophisticated EFT services at the till such as staff discount and loyalty programmes; authorisation of transactions at the till even when store systems are down; a faster settlement cycle and reports to meet all store requirements.

Mosaic Software's major partners include Thales, Stratus Technologies, Retail Decisions, MasterCard, SmartTrust, Diebold, and NCR. Well-known companies such as 7-Eleven, Marks & Spencer, E*Trade, Bank Leumi, TNS, ABSA, Retail Decisions, American Express and Cell-C are clients. The company is backed by GE Equity and Comparex and is a selected technology provider to multiple GE Capital businesses.


NCR
www.ncr.com

As the world's leading ATM manufacturer, NCR has deployed self-service EMV solutions across Europe, Asia Pacific and the Americas.

NCR Corporation (NYSE: NCR) is a leading global technology company helping businesses build stronger relationships with their customers. NCR's ATMs, retail systems, Teradata® data warehouses and IT services provide Relationship Technology™ solutions that maximise the value of customer interactions. Based in Dayton, Ohio, NCR employs 30,400 people worldwide.

Oberthur Card Systems
www.oberthurcs.com

Oberthur Card Systems, listed on the Euronext Stock Exchange (Code Euroclear 12413) since July 2000, is one of the world's leading providers of card-based solutions, software and applications including SIM and multi-application smart cards and services ranging from consulting to personalisation.

Innovative products and high quality services ensure Oberthur's strong positioning in its three main target markets.

■ Payment: 52% of revenues in 2001. The company is the world leader and number one supplier for Visa and MasterCard.

■ Mobile Communications: 31% of revenues in 2001, with open and interoperable solutions based on Java™ technology.

■ Authentication and Network Security: emerging markets in which the company plays a pioneering role, with strong expertise in security and a dominant position in e-commerce and Pay-TV.

Close to its customers, Oberthur Card Systems benefits from an industrial and commercial presence across all five continents.

Oberthur Card Systems is a subsidiary of François-Charles Oberthur Group.

SchlumbergerSema
www.slb.com

SchlumbergerSema is one of two business segments of Schlumberger Limited, a global technology services company. With more than 30,000 employees serving customers in 65 countries, SchlumbergerSema aggregates IT consulting, systems integration, managed services and related products to the oil and gas, telecommunications, energy and utilities, finance, transport and public sector markets. Leveraging the Schlumberger DeXa* Suite of Services, it also provides IP network connectivity, information security solutions, distributed computing support services and data centre hosting services. In 2001, Schlumberger revenues were $14.3 billion.

Thales e-Security
www.thales-esecurity.com

Operating in three main markets covering e-security, card payment and network security, Thales e-Security addresses the business and finance industry's need for cryptographic security products and solutions used to protect a range of critical information infrastructures. Over half of the world's banks, together with the majority of the busiest exchanges, currently use Thales technology. For more than 20 years the company has been at the forefront of security and payment technology, co-operating and contributing to set the industry standards used for financial transactions and e-commerce globally.


Thales P3

Thales P3 lets issuers deploy EMV smart cards with minimal impact on their existing systems and with minimum cost.

It integrates with host systems and card personalisation devices to:

■ Enable creation of EMV parameters for each card holder

■ Generate, store and manage cryptographic keys for each application

■ Output files of parameters and keys for personalisation machines

■ Generate an audit log of activities

Three levels of P3 system enable issuers to deploy a Thales solution scaled to meet their individual needs.

Thales HSM

The Host Security Module (HSM) is a physically secure, tamper-resistant security server that provides cryptographic functions to secure transactions in retail financial applications, including PIN encryption and verification, debit card validation, stored value card issuing and processing, chip card issuing and processing, message authentication and symmetric key management.

With the optional DSP-RSA Module, the HSM can also support public key cryptographic operations including digital signatures, certificates and asymmetric key management.

www.thales-e-transactions.com

Thales e-Transactions is a wholly owned subsidiary of the global electronics group Thales and provides user-friendly secured solutions for card transactions. The company is a European leader in the fields of portable, mobile and fixed electronic payment terminals, integrated Electronic Fund Transfer (EFT), e-purse payment and secured keyboards. Thales e-Transactions' expertise in smart card applications for banking and commercial markets is widely acknowledged worldwide.

The solution that Thales e-Transactions proposes is a range of terminals appropriate for a variety of card acceptance locations:

■ Artema Desk for standard retail where the customer attends the Point of Sale desk

■ Artema DECT for locations where the terminal needs to be taken to the customer, away from the Point of Sale desk

■ Artema Mobile where the terminal can accept transactions on the move.

These products share a common core hardware platform and a common software architecture, which offers the following advantages:

■ Price benefits from:

  – Lower certification costs, from a common EMV Level 1 interface module (IFM) to a common Level 2 kernel

  – Faster time to market with regional applications through the use of a simple-to-use software development toolkit

The Artema Desk product can also be provided with a TSC+ PIN pad, the first in the world to achieve Visa PED approval to the higher security level required for chip transactions.


Thales also produces other terminals that are specific to local regions. Because of the nature of the proposal these terminals have not been included in this offer, but Thales would be happy to provide further details on request.

With considerable expertise in developing EMV certified products in the main European markets, and with a significant international presence both in and outside the EU region, Thales e-Transactions believes it is well qualified to be a valued partner of Visa International in the Global Cost Effective Acceptance Project.


Contact information for companies mentioned in this document

Company                      Website
ACI                          www.aciworldwide.com
Aconite Solutions            www.aconite.net
American Express             www.americanexpress.com
Atlantic Zeiser              www.atlanticzeiser.com
Austria Card                 www.austriacard.at
Bell ID                      www.bellid.com
Cardag                       www.cardag.com
Cardbase                     www.cardbase.com
Cards etc.                   www.cardsetc.com
Catuity                      www.catuity.com
CEPSco                       www.cepsco.com
CIM                          www.cimitaly.it
CR2                          www.bankworld.ie
Cryptomathic                 www.cryptomathic.dk
Datacard                     www.datacard.com
Datacard - Gilles Leroux     www.gilles-leroux.com
Diners Club International    www.dinersclub.com
Discover Card                www.discovercard.com
DNP                          www.dnp.co.jp
E-Funds                      www.efunds.com
EMVco                        www.emvco.com
Fabrica Nacional             www.fnmt.es
Fargo                        www.fargo.com
G&D                          www.gdai.com
Gemplus                      www.gemplus.com
GlobalPlatform               www.globalplatform.org
Hitachi                      www.hitachi.com
ID Data Systems              www.id-data.co.uk
IFS                          www.ifsintl.com
Incard                       www.incard.it
Infineon                     www.infineon.com
Ingenico                     www.ingenico.com
Iris Tech                    www.iris-technology.co.uk
JCB International            www.jcbinternational.com
Keycorp                      www.keycorp.net
Logika                       www.logika.it
MasterCard                   www.mastercard.com
Matica                       www.maticasystems.it
Mosaic Software              www.mosaicsoftware.com
Muehlbauer                   www.muehlbauer.com
Multos                       www.multos.com
NBS                          www.nbstech.com
NCR                          www.ncr.com
Nomad                        www.nomadsoft.com
Novacard                     www.novacardservices.co.uk
Oasis                        www.oasis-technology.com
Oberthur                     www.oberthurcs.com
Proton World                 www.protonworld.com
S2Systems                    www.s2systems.com
SchlumbergerSema             www.slb.com/smartcards
Setec                        www.setec.com
Thales e-Security            www.thales-esecurity.com
Thales e-Transactions        www.thales-e-transactions.com
Toppan                       www.toppan.co.jp
UBIQ                         www.ubiqinc.com
Verifone                     www.verifone.com
Visa                         www.visa.com
Welcome realtime             www.welcome-rt.com


Card issuing Critical Questions checklist

Does this affect me?

Introduction to EMV

What is the date of the EMV migration for my country or region set by the card associations of which I am a member?

What level of testing period do I want to allow myself before going live with my EMV card base/infrastructure?

Which vendors will I select to help facilitate my move to EMV?

When do I start migrating my card base to EMV cards, bearing in mind that the cards I am issuing today might still be in circulation after the EMV migration date?

What extra business can I generate by achieving first mover advantage in my markets by moving to smart cards?

Am I actually losing business by not moving more rapidly to smart cards?

Am I being targeted by fraudsters because competitors have already migrated?

Financial applications

What payment schemes do I want to support with my cards?

What are the standards and mandates of those schemes?

Do I want to support single applications, multiple applications, or both?

Do I want to offer my customers an electronic purse?

Are there any other legal issues specific to my country that I need to consider, such as data protection laws?

Non-financial applications

My card will have an anchor financial application. But do I want it to carry other applications such as a retail loyalty scheme?

Do I want the card to support Internet banking?

Will I create the additional applications in house, use third party developers, or accept applications provided by partners?


Application security

Do I want the extra security of SDA (Static Data Authentication)?

What EMV risk management parameters should I select and whatvalues should they be set to?

Will I use the off-line PIN functionality, and what other Cardholder Verification Methods (CVMs), if any, should I support?

Is there legislation, such as data protection law, that might impact the security of my applications?

How can I modify the off-line PIN after the card has been issued?

How can I modify the EMV parameters after the card has been issued?

How do I manage the information flows and business rules when I allow third-party applications to make use of my card real estate?

Smart card selection

Do I want a single or multi-application card?

Will I select a proprietary card supplied by one supplier, or choose an open platform solution with cards from multiple vendors?

What memory size do I need on the card?

Will I apply segmentation to my card base and will I create a mix of proprietary EMV-cards and Open Platform cards?

Upgrading back office systems

Do I want to source my cards from multiple vendors?

Do I want to support more than one card type or card platform (Gold, Platinum, VISA, MasterCard, TIBC, Credit, Java, Proprietary, debit, M/Chip, Multos etc.)?

Do I want to set and dynamically update my EMV (risk) parameters?

Do I want a single application card, multiple application card or a mixture?

How do I ensure that my systems support my future strategies?

How can I interface between my issuance and acquiring systems?


Data preparation

How do I want to do data preparation?

1) Change host system

2) Deploy P3-type solution

3) Outsource

Do I select a standard set of EMV parameters as recommended by my card association or do I select my own?

Does my data preparation system provide all the key management functionality I require, and is it secure?

How do I manage my card products?

How do I handle large volumes of cards to be issued?

How do I manage the workflow?

Card personalisation

Where do I want to personalise my cards?

1) In house bureau?

2) Outsource to a third party bureau?

3) Instant issuance at a branch level?

Do I want to consider post-personalisation loading of new applications onto my cards?

How do I manage the workflow?


Acquiring and terminal network Critical Questions checklist

Issuer transaction processing and host systems

Do I want to be able to change EMV parameters on already-issued cards (for example increasing the card's transaction value limit)?

Has my interchange or switch been enhanced to accept EMV related data?

Has my settlement process been enhanced to accept EMV related data?

Is my infrastructure capable of blocking cards and applications if needed?

Have I upgraded my host system to accept OMA (Online Mutual Authentication, ARQC/ARPC)?

Will my host system cope with the volume of extra data associated with EMV?

Will I need to support the generation of issuer scripts and, if so, has my host been upgraded to do this?
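The OMA question above is the one that most changes an issuer host: the host must recompute the card's Authorisation Request Cryptogram (ARQC) and return an Authorisation Response Cryptogram (ARPC) that only the genuine issuer could have produced. The Go program below is an added example, not code from this guide or from any vendor named in it, showing both halves of that exchange. It assumes the EMV Common Session Key derivation (ATC diversified under the card's AC master key), the ISO/IEC 9797-1 Algorithm 3 retail MAC with padding method 2 for the ARQC, and ARPC Method 1; the master key, PAN and CDOL1 data are constructed test values. A production host would keep the per-card key inside an HSM of the kind described in the Thales HSM profile and derive it there from the issuer master key, which the example skips.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// blockOp runs one 8-byte block through a DES or 3DES cipher.
func blockOp(c cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// tdes is two-key 3DES (K1,K2,K1); crypto/des expects the 24-byte form.
func tdes(key16, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	return blockOp(c, in, decrypt)
}

func sdes(key8, in []byte, decrypt bool) []byte {
	c, err := des.NewCipher(key8)
	if err != nil {
		panic(err)
	}
	return blockOp(c, in, decrypt)
}

// deriveSessionKey: EMV Common Session Key method. The card's AC master key (MK) and the
// Application Transaction Counter (ATC) give a fresh 16-byte key for every transaction.
func deriveSessionKey(mk []byte, atc uint16) []byte {
	left := []byte{byte(atc >> 8), byte(atc), 0xF0, 0, 0, 0, 0, 0}
	right := []byte{byte(atc >> 8), byte(atc), 0x0F, 0, 0, 0, 0, 0}
	return append(tdes(mk, left, false), tdes(mk, right, false)...)
}

// retailMAC: ISO/IEC 9797-1 Algorithm 3 (DES CBC-MAC with a final 3DES step), padding method 2.
func retailMAC(sk, msg []byte) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%8 != 0 {
		padded = append(padded, 0x00)
	}
	kl, kr := sk[:8], sk[8:]
	h := make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		for j := range h {
			h[j] ^= padded[i+j]
		}
		h = sdes(kl, h, false)
	}
	return sdes(kl, sdes(kr, h, true), false)
}

// generateARQC is the card side: MAC the CDOL1 transaction data under the session key.
func generateARQC(mk []byte, atc uint16, txData []byte) []byte {
	return retailMAC(deriveSessionKey(mk, atc), txData)
}

// generateARPC is ARPC Method 1: 3DES(SK)[ARQC XOR (ARC || 00 00 00 00 00 00)].
func generateARPC(sk, arqc []byte, arc [2]byte) []byte {
	y := append([]byte{}, arqc...)
	y[0] ^= arc[0]
	y[1] ^= arc[1]
	return tdes(sk, y, false)
}

// issuerHost is a toy model of the issuer's authorisation system (keys in memory here;
// in an HSM in production).
type issuerHost struct {
	cardMK  map[string][]byte
	lastATC map[string]uint16
}

// authorise: reject an unknown card or a stale ATC, recompute and compare the ARQC,
// then return the ARPC the card will use to authenticate the response.
func (h *issuerHost) authorise(pan string, atc uint16, txData, arqc []byte, arc [2]byte) ([]byte, bool) {
	mk, known := h.cardMK[pan]
	if !known || atc <= h.lastATC[pan] {
		return nil, false
	}
	sk := deriveSessionKey(mk, atc)
	if !bytes.Equal(retailMAC(sk, txData), arqc) {
		return nil, false
	}
	h.lastATC[pan] = atc
	return generateARPC(sk, arqc, arc), true
}

// cardVerifyARPC is the card side of OMA: accept the response only if the ARPC matches.
func cardVerifyARPC(mk []byte, atc uint16, arqc, arpc []byte, arc [2]byte) bool {
	return bytes.Equal(generateARPC(deriveSessionKey(mk, atc), arqc, arc), arpc)
}

func main() {
	// Constructed values for illustration only: not a real key, PAN or cardholder data.
	mk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	pan := "9999990000000001"
	host := &issuerHost{cardMK: map[string][]byte{pan: mk}, lastATC: map[string]uint16{}}
	// Constructed CDOL1 data: amount, amount other, country, TVR, currency, date, type, UN, AIP, ATC.
	tx, _ := hex.DecodeString("000000010000000000000000082600000080000826021115001A2B3C4D58000007")
	atc, approved := uint16(7), [2]byte{'0', '0'} // ARC "00" = approved
	arqc := generateARQC(mk, atc, tx)
	arpc, ok := host.authorise(pan, atc, tx, arqc, approved)
	fmt.Printf("ARQC %X issuer accepts: %v ARPC %X\n", arqc, ok, arpc)
	fmt.Println("card accepts ARPC:", cardVerifyARPC(mk, atc, arqc, arpc, approved))
	_, replay := host.authorise(pan, atc, tx, arqc, approved)
	fmt.Println("replayed ATC accepted:", replay)
}
```

The ATC check is the detail most often missed when a host is "enhanced to accept EMV data": without it a captured ARQC can be replayed, and the host will happily return a fresh ARPC for it. The same session key also serves for issuer scripts, which is why the script question that follows depends on the same host upgrade.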

ATM/EFTPoS networks

Have I upgraded my ATM/EFTPoS network to physically accept EMV cards?

Have I upgraded my ATM/EFTPoS terminal software to accept EMV cards?

Have I selected terminals and hardware that have already been appropriately type approved?

Have retailers in my markets agreed to update retailer-owned EFTPoS terminals?

Have the retail outlets in my region been educated about EMV?

Has my ATM/EFTPoS management system been upgraded for EMV?

Have I taken into account the testing and approval process of EMV ATM/EFTPoS terminals in my implementation plan?

Is my implementation future proof (i.e. processor speed, memory, and will terminals handle multiple applications in the future)?

Do I replace or upgrade my ATM/EFTPoS network?


How long will it take to upgrade my ATM/EFTPoS network?

What training will I perform/recommend for retailers?

What do I do with my old terminals?

Host systems

Have I upgraded my host system to accept OMA (Online Mutual Authentication, ARQC/ARPC)?

Will my host system cope with the volume of extra data associated with EMV?

CORPORATE OFFICE
THALES e-SECURITY LTD.
Meadow View House
Long Crendon, Aylesbury
Buckinghamshire, HP18 9EQ, UK
Tel: +44 (0)1844 201800
Fax: +44 (0)1844 208550
e-mail: emea.sales@thales-esecurity.com

INDIA
BLUE STAR LTD.
Divisional Head Quarters
Sahas, 414/2 Vir Savarkar Marg
Prabhadevi
Mumbai 400 025, INDIA
Tel: +91 22 24306155
Fax: +91 22 24307078
e-mail: [email protected]

DISCLAIMER

Thales reserves the right at any time, without notice and at its sole discretion to revise, update, enhance, modify, change or discontinue the information provided herein. THALES MAKES NO REPRESENTATION OR WARRANTY AS TO THE ADEQUACY OR COMPLETENESS OF THE INFORMATION PROVIDED HEREUNDER.

The Thales policy is one of continuous development and consequently the equipment may vary in detail from the description and specification in this publication. All trademarks are acknowledged. U.S. Patent No. 4,405,829 licensed exclusively by RSA Data Security, Inc.

Publication Number: 102/1102/10412 ©2002.