a company profile tech talk.pdf · manufacturers in the atm, banking, gaming and kiosk industries....

1

A company profile

Company Profile

ArcaTech SystemsThe Company

ArcaTech Systems is a privately owned, US based company that specializes providing its customers a comprehensive range of products and services for automating cash handling and transactional operations.

Strategically located near North Carolina’s Research Triangle Park, ArcaTech Systems began in 1998 as a distributor of OEM cash dispenser mechanisms to manufacturers in the ATM, banking, gaming and kiosk industries. The company operates from a fully functional, modern 40,000 sq. ft. facility where it is headquartered and houses engineering, design, manufacturing, integration services, sales/marketing, technical and sales training, warehousing. The company also has a sales office in Dundee, Scotland, and a warehouse in Germany.

Today, the company offers a broad range of transactional products, third party options, proprietary software, service/support and consulting.

2

ArcaTech SystemsMulti-dimensional

• Distributors of high end components and parts for the

banking and finance community.• Integrators and providers of innovative

cash handling solutions.

• Providers of OEM (Original Equipment Manufacturer)

transactional products for Self-Service, Kiosk, and point

of sale.• Technical integration specialists.• Consulting and advisory services for

transaction automation• Full Service and support including

technical services.

ArcaTech SystemsVision

• To continuously strive to bring innovative, best-of-breed, transactional solutions that offer efficiency and cost effectiveness to banking, self-service and kiosk market spaces.

• To deliver new ideas and be in the forefront of technological development.

• To provide the best customer experiences in our industry.

• To deliver the best technical support through highly skilled professionals.

3

ArcaTech Systems

Core Markets

• Banking & finance• Self-service• Retail

ArcaTechProduct Overview

OEM ProductsBill DispensersCheck scannersCard readersCard printersMulti-function

productsTriple Des Pin

PadsAccessoriesPower supplies

SystemsCash recyclersCash dispensers

SoftwareDiagnostic tools

PartsCable assembliesSpare partsSafe EnclosuresSecurity fixtures

Desktop ProductsCoin DispensersCheck Scanners

Consulting/advisoryCustom SystemsIntegration SoftwareHardware Selection

4

Sagem Denmark

World Leader in Secure PIN Verification

• Located in Denmark, Copenhagen• 110 Employees• 3 Strategic Business Areas within

Secure Payment Solutions:• Point of Sales Terminals• Encrypting PIN pads for ATM machines• Unattended Payment solutions

• Secure Facility Center for Key Load and Personalisation• ISO9001:2000 Certified Quality Assurance System• Subsidiary of Sagem Defense & Security Division• Appointed SAFRAN Group Competence Center for Secure

Payment Solutions

About Sagem Denmark

5

History

1984 2005

More than 20 years experience inSecure PIN Entry

SAFRAN Group at a glance

• World leading High Technology Group

• 10 billion Euro turnover in 2004*

• 56,200 employees in 30 countries

• Four main business areas:– Propulsion– Communication– Equipment– Defense & Security (Sagem Denmark)

* Pro forma, French accounting standards, non-audited

6

SAFRAN Group in the world

SAFRAN - Security Activities and Products

Multi-biometric identificationsystems(fingerprints, iris and face recognition)

Identity systems

Cards and certification(bank, healthcare, etc…)

Counter-crime

Payment TerminalsEncrypting PIN Pads for ATM Machines

Unattended Payment SolutionLottery Machines

Healthcare card terminals

7

Encrypting PIN pads

OEM PIN pads for: - ATM’s (automatic teller machines)- Unattended Payment Solutions- 3 DES upgrade market

- Visa PED / PCI approved

Unattended Payment Solutions• For:

– Gas Stations– Ticket Vending Machines– Parking systems– Kiosk solutions– Gaming Machines

• PIN pads with or without display

• Secure Card Readers (OEM)

• Generic Payment application

• Universal Controller Module

8

Flexi POS terminal - Key Features

• For integration in the Point-of-Sales environment

• Interactive Merchant Assistance• Focus on user-friendliness • Ideal for High Traffic

Environments• Focus on High Security• Quick EMV Processing

(HW crypto-MPU)• EMV approved

Presentation

Key Issues inSecure Electronic Payment

9

Key Issues in Secure Electronic Payment

• Setting the Scene - Basic Card Transaction

• Risks of Fraud• Adding Online PIN Verification - How

does it work?• Security Requirements for PIN Entry

Devices• The EMV Chip-card Solution (Europe,

Asia)

Electronic Payment - Actors and Flow

Acquirer

Cardholder

Issuer

CardXXXX XXXX XXXX XXXX XXXX

XXXXXX XXXXXXXXXXXX

Funds

Goods, services

Merchant

10

Electronic Payment - The Payment Card

Cardholder

Issuer/Bank - Account

The card represents the account

Different card technologies:•Magnetic Stripe•Contactless•EMV Chip (Europe)

XXXX XXXX XXXX XXXX XXXX

XXXXXX XXXXXXXXXXXX

Cardholder VerificationMethods:•None•SignatureNot ideal for self-service!

Risks of Fraud - without PIN

• “Never been there, never done that”– The simplest kind - Technical Solutions may assist in liability delegation– Requiring a signature is not ideal in self-service situations

• Stolen Cards– It is a risk if anybody can use the card

• Copied Cards– This risk is even higher, since the cardholder may not be alarmed

• Forged Cards– Variant of a copy card in the magnetic stripe world– Data readily available, internet etc.– Issuers sets new requirements for data security


XXXXXX XXXXXXXXXXXX

11

Electronic Payment - Adding PIN Verification

Cardholder

Card

4532PIN

Cardholder Verification Method:•PINWorks well with self-service!


XXXXXX XXXXXXXXXXXX

Electronic Payment - PIN Verification Characteristics

4532PIN

• Advantages– It can be handled securely - in encrypted form– It can be checked securely - even in self-service– The verification is precise and unambiguous

• Disadvantages– If disclosed it is very easy to copy, pass on and misuse– The required security issues adds cost to equipment– The requirements and approval adds complexity

12

Electronic Payment - Elements of Security

4532PIN

• On-site Physical Security– Tamper protection– Privacy Screen

• Production, Personalization and Maintenance– Approved Hardware and Software– Secure Loading of Encryption Keys

• Logical Security– Approved Encryption Algorithm (3DES)– Approved Security Scheme and Key Hierarchy

BOTH are equally important!Neither will work without the other

Cardholder

Online PIN Verification -Physical Security

Encrypted PIN is

transferred to bank for verification

PIN-pad

Cardholder enters PIN

Tamper Responsive Enclosure

PIN is encrypted using a designated key and encryption algorithm (3DES)Important:

Privacy during PIN entry has to be protected!

Acquirer

13

Online PIN Verification -Personalization

Master Encryption key is loaded in a secure manner

Typically as two key halves

PIN-pad


Tamper Responsive EnclosureAcquirer/Bank provides Master keys for PIN-pads

Important:Privacy during PIN entry has to be protected!

Acquirer

Online PIN Verification - Key Hierarchy

The key hierarchy and implemented algorithms ensure that keys can be exchanged and shared

between PIN pad and host

PIN-pad

Tamper Responsive Enclosure

Important:PIN Encryption Key for the session is derived or exchanged when needed

The PIN encryption key is used only once

Acquirer

14

Electronic Payment - Principle of Online PIN

Acquirer

Cardholder

Issuer

CardFunds

KioskCardholder enters PIN

PIN is Encrypted

Encrypted PIN is sent to issuer for verification


XXXXXX XXXXXXXXXXXX

Risks of Fraud - Benefits of PIN Verification

• Stolen Cards• Copied Cards• Forged Cards

– For all of these the risk is reduced, since the PIN has to be obtained• “Never been there, never done that”

– Depending on legislation, the PIN may help settle the liability– No system is flawless - misuse is still a possibility

• Attempts of PIN Disclosure– This is now the main issue! Security is needed!– Card Issuers sets Requirements (PCI PED)

4532PIN

15

Security Requirements for PIN Entry Device

Two sets of PCI PED requirements exist:• Online PIN

– Involves acquirer encryption key requirements– Keys and operations need to be kept safe

• Offline PIN (Currently not applicable in the US)– Chip card reader is part of the security– Devices for unattended use need removal detection and a procedure for

authorised activation of the device after installationPCI = Payment Card Industry PED = PIN Entry Device

MasterCard and Visa have set common requirements for security in the PCI PED documents (previously Visa PED)

Visa/PCI PED Compliance -Found on Visa Web-site

16

Presentation

Secure Electronic Paymentoutside US

EMV Chip Cards


XXXXXX XXXXXXXXXXXX

EMV Chip cards (the Card used in Europe etc.)

• EMV is Europay, MasterCard and Visa– (Originally, now others have joined)

• In order to reduce the very high fraud level in Europe and introduce chip card technology in electronic payment these issuers introduced the EMV chip card specification

• Role-out has started in Europe and is planned in Asia, South America and Africa.

• Controlling body is EMVCo• All cards and payment devices have to be approved by

EMVCo in order to ensure global acceptance of cards.


XXXXXX XXXXXXXXXXXX

17

Traditional Card TransactionsMagnetic Strip Card

Information is read FROM the card•“Magnetic Track 2” is read •Contains 40 characters•Primary Account Number (PAN)


XXXXXX XXXXXXXXXXXX

Contactless

Contactless Card

EMV Chip cards - Card Interface


XXXXXX XXXXXXXXXXXX

Card


XXXXXX XXXXXXXXXXXX

EMV CardIssuers

EMV Cards communicatein both directions!

18

Security Benefits of EMV

• Card Authentication– Aims to prevent false and copied cards– Two methods available: Static or Dynamic Data

Authentication• Secure Transaction Signing

– Keys in the card can “sign” the transaction• Risk Management (using parameters in card and terminal)

– Methods to reduce and detect fraud• Cardholder Verification (if PIN is used)

– PIN checking verifies that the card belongs to the customer and that the customer has “signed” the purchase (even offline)


XXXXXX XXXXXXXXXXXX

Offline PIN Verification - An EMV Card Benefit

PIN is transferred

PIN-pad EMV Card Reader

Result:OK / Failed


EMV Payment Card

For cards using SDA PIN is in clear text !

RISK !

Tamper Protected Enclosure

One important issue!

19

Chipcard Interface Module (IFM)Payment Chipcard (EMV)


XXXXXX XXXXXXXXXXXX

Cardreader

•Chip can store lots of data, many KBytes•Chip may hold one or more applications•Data can be read AND written•Data are organised in files•Communicates through serial command protocol

EMV Level 1 Approved!

EMV Payment ApplicationsPayment Chipcard (EMV)


XXXXXX XXXXXXXXXXXX

EMV Payment Application (software)

Tasks handled:•Application Selection•Read Application Data•Data Authentication•Processing Restrictions•Cardholder Verification•Terminal Risk Management•Terminal Action Analysis•Card Action Analysis•Script Processing•Transaction Completion

EMV Level 2 Approved!

20

EMV Compliance - Found on EMVCo Web-site Level

1

Level 2

www.emvco.com

Thank you for your attention!

Questions, please?

a company profile tech talk.pdf · manufacturers in the atm, banking, gaming and kiosk industries....

Documents