With the ever-growing acceptance of e-commerce and the problems with hackers, etc., it is time to pay a lot more attention to security. This is being done at the corporate level, but a lot needs to be done at the individual level, particularly with PCs and other portable devices. It is time that we entered the smart card era in earnest.
Those of us who use credit cards will be familiar with the magnetic stripe that resides on the back surface of the card. Anyone receiving new credit cards in recent months may also have noticed the appearance on the front surface of the card (left-hand side) of a set of eight silver or gold coloured electrical contacts, an area of approximately one square centimetre. A credit card containing these contacts is a specific example of a "Smart Card" since the contacts provide a mechanism for connecting power and a communication channel through to a microprocessor and memory embedded within the plastic card. I am indebted to Peter Farrar of Technology Concepts Ltd. (http://www.thetcl.com) for advice on the following details.
Smart cards are considerably more expensive to manufacture than the magnetic stripe cards, but they offer a number of advantages over the magnetic card. They can protect the card holder’s information more securely than a magnetic stripe, and they can be used to identify the true owner of the card, through the Personal Identity Number (PIN) which is issued to the owner when they receive their smart card. They also reduce repudiation fraud; you may have been able to argue that "that signature is not mine, so I did not authorise that transaction", but if a PIN number has been entered at the authorising event it is difficult to argue that case since you are the only person that knows the PIN.
This month sees the start of a trial in the UK, in the town of Northampton, of a new way of performing credit card transactions. Certain retail outlets in the town have installed Electronic Point of Sale (EPOS) equipment that can work with a smart card.
Customers with smart cards will no longer be asked to sign the transaction receipt but will be requested to enter a four-digit PIN as authorisation. The smart card and the EPOS unit will only authorise the transaction if the correct PIN is entered. The smart card will not release the relevant information from its secure memory if the correct PIN is not entered.
The "PIN and Chip" method is sometimes referred to as "two factor" authentication. Two physically separate items are required to identify the person as the true account holder: (i) they must physically possess the credit card and (ii) they must know the PIN number. Thus possessing or copying the credit card without knowledge of the PIN will be of no use in trying to authenticate a credit card transaction, unlike the case with today’s magnetic stripe credit cards.
It is of course most important that the system and the card owner protect the PIN. To help in the retail environment the cashier will hand the customer a small "PIN pad" which looks very similar to a small hand-held pocket calculator, the main difference being that it has high-sided walls around it to prevent prying eyes seeing which keys are pressed. It is attached to the EPOS unit by a flexible cable, and it probably has a smart card reader slot in it. On the small LCD display on the PIN pad the EPOS system can display the amount to be debited from the customer’s account, which the customer can confirm as correct.
Martin Healey, pioneer in the development of Intel-based computers and c/s architecture. Director of a number of IT specialist companies and an Emeritus Professor of the University of Wales.