DIM-04-01 Physical Use of Bank Cards

Debit and credit cards have been in use for more than 50 years, automated teller machines (ATMs) for at least 40 years, and online shopping was introduced more than 20 years ago.

What are the risks associated with bank cards and how can we manage them?

We carry these with us personally, use them at stores, draw cash at ATMs, and may also shop online.

Each of the ways in which we use the cards has some risk associated with it.

Where is information kept, and what information is kept on the card?

Physically, the card has a magnetic strip on the back, and may have a ‘chip’ if it is a smart-card. Information is stored on tracks in the magnetic strip, and on the smart-card chip. This includes information about the cardholder’s account:

  • Full name
  • Card number (linked to issuing bank’s account number)
  • Expiry date of card; and
  • Card verification value (CVV). This is used for fraud protection in card-not-present scenarios.

This information is also embossed or printed on the card for all to see.

How is information captured from the card?

Historically, manual card imprinters were used and transaction slips were sent to the bank for processing. Customers signed each transaction for verification purposes.

Today, ATMs, point of sale (POS) terminals, and even mobile phone connected accessories are used to scan cards:

  • If a card is ‘swiped’, information is scanned off the magnetic strip by the POS terminal.
  • If a smart-card is ‘inserted’, the information is scanned off the chip by the smart-card scanner or POS terminal. This is more secure than magnetic strip scanning as one-time transaction codes are added to the transaction data.
  • If a card is ‘tapped’, the information is transferred from the chip using near field communication (NFC) to an NFC-enabled POS terminal. “Tap and Go” eliminates the potential for traditional approaches to card skimming.
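
The difference between static strip data and a chip's one-time transaction code can be shown with a small model. This is an added example, not part of the original article: it shows an issuer rejecting a repeated or altered chip transaction while having nothing to tell a copy of strip data from the original. It assumes HMAC-SHA256 as a stand-in for the card's real code algorithm, and the key, card number, counter and class names are all constructed for illustration.

```python
import hashlib
import hmac

PAN = "9999000000000001"        # constructed card number, not a real account
KEY = b"constructed-demo-key"   # constructed; a real chip key never leaves the chip or issuer

def one_time_code(key, pan, amount, nonce, counter):
    """Code bound to this one transaction (HMAC-SHA256 as a stand-in algorithm)."""
    msg = f"{pan}|{amount}|{nonce}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def sign(self, amount, nonce):
        self._counter += 1  # every transaction gets a fresh counter value
        code = one_time_code(self._key, self.pan, amount, nonce, self._counter)
        return {"pan": self.pan, "amount": amount, "nonce": nonce,
                "counter": self._counter, "code": code}

class Issuer:
    def __init__(self, keys):
        self._keys, self._last_counter = keys, {}

    def authorise_swipe(self, stripe):
        # Static strip data carries nothing that distinguishes a copy from the original.
        return stripe["pan"] in self._keys

    def authorise_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        expected = one_time_code(key, txn["pan"], txn["amount"], txn["nonce"], txn["counter"])
        if not hmac.compare_digest(expected, txn["code"]):
            return False  # data was altered or the code was not made by this card
        if txn["counter"] <= self._last_counter.get(txn["pan"], 0):
            return False  # counter already seen: a replayed transaction
        self._last_counter[txn["pan"]] = txn["counter"]
        return True

def demo():
    issuer, card = Issuer({PAN: KEY}), ChipCard(PAN, KEY)
    stripe, txn = {"pan": PAN, "expiry": "2912"}, card.sign(1500, "n-001")
    return {"swipe_original": issuer.authorise_swipe(stripe),
            "swipe_copy": issuer.authorise_swipe(dict(stripe)),
            "chip_original": issuer.authorise_chip(txn),
            "chip_replayed": issuer.authorise_chip(dict(txn)),
            "chip_altered": issuer.authorise_chip({**card.sign(1500, "n-002"), "amount": 999900})}
```

Calling `demo()` returns the authorisation result for each of the five cases: the chip transaction is accepted once, then refused when presented again or when its amount is changed.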

In all cases, card data is combined with transaction information and authorised for processing. At some point in the transaction the customer may be asked to enter an authenticator (something he knows, a PIN for example) to verify identity.

The requirement for an authenticator may depend on bank and merchant conditions. For low value transactions, there may be no request for an authenticator. For higher risk transactions there may be a call for an authenticator or even personal identity verification (ID document etc.).