The card payments ecosystem has been designed with safeguards at various stages to protect the various parties involved in the value chain. I would like to dedicate this post to listing these safeguards so that users become familiar with them. Every entity, system and process handling card information needs to adhere to the Data Security Standard established by the Payment Card Industry (PCI DSS for short), which ensures that all sensitive information is protected at every point in time.
Card Issuer Controls
Card Printing: At the time of card issuance, a card printing file is created, transported to the print shop in encrypted format and destroyed after card printing is complete. I have been to one such print shop and experienced their security standards first hand. On top of data security they also have strict controls for physical security. Personnel visiting there are taken through multiple locked doors and are not even allowed to wear clothes that have pockets.
Chip (EMV): Earlier, card transactions were performed using the magnetic stripe. The problem with the magnetic stripe is that the card information is stored on it in clear form and can be stolen by fraudsters by swiping the card through a card reader. This process of stealing card information is referred to as skimming. To protect users against this, RBI has now made it mandatory to use EMV cards. The benefit of an EMV card is that all the card information is stored in the chip in encrypted form.
PIN Printing: The PIN of your card is not stored in any system anywhere. At the time of PIN issuance, a PIN block is generated using a complex logic and encryption and sent directly to the PIN printer. The PIN is printed in sealed form and can be seen only by tearing open the PIN mailer.
The level of caution at this stage is such that the card plastic and the PIN are printed at different locations (for HDFC Bank, cards are printed in Chennai while PIN printing usually happens in Mumbai); this ensures that your card and PIN are never together until they are delivered to the customer. In addition, cards are delivered with addressee-specific delivery: the delivery person usually asks for ID proof before handing over the card kit to you.
PIN Validation: At the time of a transaction, the PIN is encrypted at the key pad itself and an encrypted PIN block is generated. The PIN travels to the issuer system for authentication in encrypted format. A PIN block is generated in the issuer system using the information available at the back end. The two PIN blocks are compared, and if they match, PIN authentication is successful.
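To make the "PIN block" concrete, here is an added illustration (not code from the original post) of the ISO 9564-1 format 0 block that a key pad builds before encrypting it: the PIN is combined with the card's PAN into 8 bytes, so the same PIN on two different cards gives two different blocks, and the issuer compares a block it rebuilds from its own data with the one it received. The 3DES encryption under the terminal PIN key is done inside a PIN pad or HSM in practice; here a hypothetical `encrypt_block` stand-in based on HMAC-SHA256 is used so that the example runs with the standard library, `DEMO_TERMINAL_KEY` is a constructed value, and how the issuer holds the data it rebuilds the expected block from is outside the example.

```python
"""ISO 9564-1 format 0 PIN block: added example, not the original post's code."""
import hashlib
import hmac

DEMO_TERMINAL_KEY = b"constructed-demo-terminal-key"  # constructed, not a real key


def pin_field(pin: str) -> bytes:
    """8-byte PIN field: control nibble 0, PIN length nibble, PIN digits, 'F' padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """8-byte PAN field: four zero nibbles + the 12 rightmost PAN digits, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def clear_pin_block(pin: str, pan: str) -> bytes:
    """Format 0 block = PIN field XOR PAN field; mixing in the PAN ties the block to one card."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Hypothetical stand-in for 3DES under the terminal PIN key (HMAC-SHA256 here)."""
    return hmac.new(key, block, hashlib.sha256).digest()


def pin_pad_entry(pin: str, pan: str, key: bytes = DEMO_TERMINAL_KEY) -> bytes:
    """What leaves the key pad: only the encrypted PIN block, never the clear PIN."""
    return encrypt_block(clear_pin_block(pin, pan), key)


def issuer_verify(received: bytes, expected_pin: str, pan: str,
                  key: bytes = DEMO_TERMINAL_KEY) -> bool:
    """Issuer side: rebuild the expected block and compare it in constant time.
    Where the issuer keeps the data it rebuilds from is outside this example."""
    expected = encrypt_block(clear_pin_block(expected_pin, pan), key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN
    block = pin_pad_entry("1234", pan)
    print(clear_pin_block("1234", pan).hex())  # 041225eeeeeeeeee
    print(issuer_verify(block, "1234", pan), issuer_verify(block, "9999", pan))
```

The PAN binding is the part worth noticing: because the block depends on both the PIN and the card number, an encrypted block captured for one card does not verify for another card with the same PIN, and the clear PIN itself never leaves the key pad.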
CVV or CVC: This is a three-digit code linked to your card, and a variation of it, CVV2/CVC2, is printed on the back of your card. This three-digit code is available only on the card plastic, so the presence of CVV/CVC (or CVV2/CVC2 for CNP transactions) means that the person providing the details is in possession of the card plastic.
It is very important that you do not share your PIN and CVV details with any person; they should be entered only on the card details capture page at the time of a transaction.
2 Factor Authentication: According to the RBI mandate, all card transactions in India are processed with two factors of authentication. Typically these two factors are any two of the following three:
- What you have: In the card world this is usually your card plastic, or, if you are transacting through your registered mobile device, the mobile device itself.
- What you know: Your PIN or passwords fall in this category. It is a shared secret that only you and your issuer know and can validate.
- Who you are: All biometric forms of authentication fall under this category. The most common biometric is your fingerprint. In future we might also see iris, voice, behaviour, face etc. being used for authentication.
In the case of a card present transaction these two factors are your card plastic and PIN, while in the case of a card not present transaction they are your card details (card number, expiry and CVV2/CVC2) and an OTP or password.
Merchant Acquiring Controls
POS Terminal: A PoS device consists of the following components: a. card reader, b. key pad, c. network connectivity, d. memory storage and e. receipt printer. The card reader and key pad are programmed to encrypt the data at the time of entry itself. Memory stores this information in encrypted form and deletes it as soon as the merchant processes the settlement. Communication on the network happens in encrypted format through a protected line. The receipt printer is programmed to mask sensitive information like your card number when printing the receipt.
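The receipt masking mentioned above is a PCI DSS display rule: a printed or displayed PAN may show at most the first six and the last four digits. The following is an added example (not the original post's code, nor any terminal vendor's) that applies that rule and, from the defender's side, scans receipt text for any Luhn-valid 13 to 19 digit run that slipped through unmasked, which is the check one would run over a terminal's printed output or logs. The receipt text is constructed for the example.

```python
"""PAN masking for receipts plus a check for leaked clear PANs. Added example."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display; never reveal more than first six / last four (PCI DSS)."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most the first six and last four digits")
    middle = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * middle + pan[len(pan) - keep_last:]


# A PAN-like run: 13 to 19 digits, optionally separated by spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid PAN-like digit run found in receipt or log text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # invoice numbers and the like fail Luhn and are ignored
            found.append(digits)
    return found


# Constructed sample receipts: one correctly masked, one that leaked the PAN.
GOOD_RECEIPT = (
    "DEMO STORE  TID 00012345\n"
    f"CARD  {mask_pan('4111111111111111')}  VISA\n"
    "INVOICE 1234567890123456\n"  # 16 digits but not Luhn-valid, so not a PAN
    "AMOUNT INR 1,250.00\n"
)
BAD_RECEIPT = GOOD_RECEIPT.replace(mask_pan("4111111111111111"), "4111 1111 1111 1111")

if __name__ == "__main__":
    print(GOOD_RECEIPT)
    print("leaked in good receipt:", find_unmasked_pans(GOOD_RECEIPT))  # []
    print("leaked in bad receipt:", find_unmasked_pans(BAD_RECEIPT))    # ['4111111111111111']
```

The Luhn filter matters for the scan: a receipt carries plenty of long digit strings (invoice, terminal and reference numbers), and without it the check would drown in false positives.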
The encryption algorithm used for card transactions is called Triple DES or 3DES, which is one of the most advanced data encryption standards in practice today, and the encryption key used for each terminal is unique and dynamically updated in order to ensure protection from any possible compromise at the key level itself.
Void and Refund
Void and refund are transactions used by the merchant to undo a transaction. For example, if the merchant has swiped your card for a wrong amount, or you have changed your mind about the transaction immediately after making the payment, the merchant can recall that transaction from the terminal's memory and cancel it. This process is called void; in this case, when the merchant processes the settlement, this transaction is omitted from it and not claimed further. In the absence of any claim against the transaction, the issuer automatically reverses the transaction in the customer's account after the designated settlement time is over.
If the merchant has already processed the settlement on the machine and the transaction has been deleted from the device, it cannot be cancelled/voided. In this case the merchant performs a refund transaction, i.e. sends an instruction to credit the customer's account by debiting the merchant's account. When the merchant settles this transaction, the appropriate credit instruction is passed on to the issuer by the acquirer via the interchange. These days interchanges have come up with ways to process instant refunds.
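The void/refund distinction comes down to terminal state, so here is an added example (not the original post's code) that models it as a small, hypothetical batch state machine: a void only works while the sale is still in the open batch, settlement claims the non-voided transactions and clears memory, and after that the only way back is a new refund transaction that credits the customer.

```python
"""Void versus refund on a PoS terminal, as a simplified batch model. Added example."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Transaction:
    ref: str
    kind: str  # "SALE" or "REFUND"
    amount: Decimal
    voided: bool = False


class TerminalBatch:
    """Open batch held in terminal memory until settlement; settled list mirrors the acquirer's claim."""

    def __init__(self):
        self.open = {}      # ref -> Transaction still in terminal memory
        self.settled = []   # transactions already claimed via the acquirer
        self._seq = 0

    def _next_ref(self) -> str:
        self._seq += 1
        return f"TXN{self._seq:04d}"

    def sale(self, amount) -> str:
        ref = self._next_ref()
        self.open[ref] = Transaction(ref, "SALE", Decimal(amount))
        return ref

    def void(self, ref: str) -> Transaction:
        """Recall a transaction from memory and cancel it; only possible before settlement."""
        txn = self.open.get(ref)
        if txn is None:
            raise ValueError(f"{ref} is not in the open batch (settled or unknown); use refund")
        txn.voided = True
        return txn

    def settle(self) -> list:
        """Claim every non-voided transaction; voided ones are omitted and memory is cleared."""
        claimed = [t for t in self.open.values() if not t.voided]
        self.settled.extend(claimed)
        self.open.clear()
        return claimed

    def refund(self, original_ref: str, amount) -> str:
        """Credit the customer for an already-settled sale by creating a new REFUND transaction."""
        original = next((t for t in self.settled if t.ref == original_ref and t.kind == "SALE"), None)
        if original is None:
            raise ValueError(f"{original_ref} is not a settled sale; void it instead if still open")
        if Decimal(amount) > original.amount:
            raise ValueError("refund cannot exceed the original sale amount")
        ref = self._next_ref()
        self.open[ref] = Transaction(ref, "REFUND", Decimal(amount))
        return ref

    def net_claim(self) -> Decimal:
        """Net amount claimed from the customer across all settled transactions."""
        return sum((t.amount if t.kind == "SALE" else -t.amount) for t in self.settled)


if __name__ == "__main__":
    batch = TerminalBatch()
    wrong = batch.sale("100.00")   # swiped for the wrong amount
    right = batch.sale("250.00")
    batch.void(wrong)              # still in memory, so a void is possible
    batch.settle()                 # only the 250.00 sale is claimed
    batch.refund(right, "50.00")   # customer returns part of the goods later
    batch.settle()
    print(batch.net_claim())       # 200.00
```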
As you are now aware, there are many controls in place to ensure a safe transaction at the time of card issuance and transaction processing. Chargeback is a process to protect the customer's interests after the transaction. As part of the chargeback process, if there is any issue with a transaction, such as duplicate billing, services not rendered, goods not delivered etc., a customer can reach out to his/her issuer to raise a dispute with all the evidence supporting his/her claim. In such cases the issuer approaches the merchant through the acquirer via the interchange and asks the merchant either to provide the necessary evidence or to accept the dispute and reverse the transaction. The merchant provides evidence in the form of delivery confirmation, payment receipt etc. If the merchant is unable to prove that it was a genuine charge, the case is closed in the customer's favour and the transaction is reversed. If the merchant is able to prove with the necessary evidence that the charge was genuine, the dispute is closed in the merchant's favour.
If you read all the material sent along with your card, in many cases you will find a section labelled Zero Liability. Zero Liability applies to purchases made in store, over the telephone, online or via a mobile device, and to ATM transactions. As a cardholder, you will not be held responsible for unauthorized transactions if:
- You have used reasonable care in protecting your card from loss or theft; and
- You promptly reported the loss or theft to your financial institution.
If you believe there has been unauthorized use of your account and you meet the conditions above, rest easy knowing you have the protection of the Zero Liability promise. Please read this clause carefully in your card kit and ensure you understand it.
Please contact your bank by the fastest mode available to report the loss of your card or any suspicious activity on it. Every card issuer ensures that there are methods to report this through a telephone call (at a dedicated number; please keep this number handy), mobile banking, internet banking etc.
What counts as suspicious activity? Some examples are as follows:
- Receiving an SMS/e-mail regarding an activity in your account that you are not aware of
- Receiving an SMS/e-mail informing you about an OTP generated for a transaction that you did not initiate
- Someone calling you and asking for sensitive information about your card like card number, CVV, PIN, OTP etc. No bank ever asks for this information to be shared over a phone call.
I hope this information has been helpful and makes you more confident about using your card for payment the next time you go shopping. In the next part I will cover the various types of fraud happening in the card world and how to protect yourself from them. Most banks actually send mailers/SMS with this kind of information; you might already be aware of it if you have been paying attention to those mailers.