

How Credit Cards Work?

Credit cards are issued after an account has been
approved by the credit provider, after which cardholders can
use it to make purchases at merchants accepting that card.
When a purchase is made, the credit card user agrees to
pay the card issuer.
The cardholder indicates consent to pay by signing a
receipt with a record of the card details and indicating the
amount to be paid or by entering a personal identification
number (PIN).
Also, many merchants now accept verbal authorizations via
telephone and electronic authorization using the Internet,
known as a 'Card/Cardholder Not Present' (CNP) transaction.
Electronic verification systems allow merchants to verify
that the card is valid and the credit card customer has sufficient
credit to cover the purchase in a few seconds, allowing the
verification to happen at time of purchase.
The verification is performed using a credit card payment
terminal or Point of Sale (POS) system with a communications
link to the merchant's acquiring bank. Data from the card is
obtained from a magnetic stripe or chip on the card; the latter
system is commonly known in the United Kingdom and Ireland
as Chip and PIN, but is more technically an EMV card.
Other variations of verification systems are used by
ecommerce merchants to determine if the user's account is
valid and able to accept the charge. These will typically involve
the cardholder providing additional information, such as the
security code printed on the back of the card, or the address of
the cardholder.
Each month, the credit card user is sent a statement
indicating the purchases undertaken with the card, any
outstanding fees, and the total amount owed.
After receiving the statement, the cardholder may dispute
any charges that he or she thinks are incorrect (see Fair Credit
Billing Act for details of the US regulations).
Otherwise, the cardholder must pay a defined minimum
proportion of the bill by a due date, or may choose to pay a
higher amount up to the entire amount owed.
The credit issuer charges interest on the amount owed if
the balance is not paid in full (typically at a much higher rate
than most other forms of debt).
Some financial institutions can arrange for automatic
payments to be deducted from the user's bank accounts, thus
avoiding late payment altogether as long as the cardholder has
sufficient funds.

Transaction Steps
Authorization
The cardholder pays for the purchase and the merchant
submits the transaction to the acquirer (acquiring bank). The
acquirer verifies the credit card number, the transaction type
and the amount with the issuer (Card-issuing bank) and
reserves that amount of the cardholder's credit limit for the
An authorization will generate an approval code, which the
merchant stores with the transaction.
Authorized transactions are stored in "batches", which are
sent to the acquirer. Batches are typically submitted once per
day at the end of the business day.
If a transaction is not submitted in the batch, the
authorization will stay valid for a period determined by the
issuer; after which the held amount will be returned back to the
cardholder's available credit.
Some transactions may be submitted in the batch without
prior authorizations; these are either transactions falling under
the merchant's floor limit or ones where the authorization was
unsuccessful but the merchant still attempts to force the
transaction through.
(Such may be the case when the cardholder is not present
but owes the merchant additional money, such as extending a
hotel stay or car rental.)
Clearing And Settlement
The acquirer sends the batch transactions through the credit
card association, which debits the issuers for payment and
credits the acquirer. Essentially, the issuer pays the acquirer for
the transaction.
Once the acquirer has been paid, the acquirer pays the
The merchant receives the amount totaling the funds in the
batch minus the "discount rate," which is the fee the merchant
pays the acquirer for processing the transactions.
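
The batch rules above can be checked mechanically before a batch goes to the acquirer. The following is an added example, not part of the original text: it classifies each batch item against the stored approval codes, lists unused holds that have lapsed, and computes the payout after the discount rate. The hold lifetime, floor limit, discount rate, record fields and sample data are all assumptions made for illustration.

```python
"""Added example: review a merchant batch against stored authorizations."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

# Assumed policy values (illustrative; the text gives no figures for these).
HOLD_VALIDITY = timedelta(days=7)   # how long the issuer keeps an unused hold
FLOOR_LIMIT = Decimal("50.00")      # merchant may skip authorization at or below this
DISCOUNT_RATE = Decimal("0.02")     # fee the acquirer keeps from the batch total


@dataclass(frozen=True)
class Authorization:
    approval_code: str
    card_ref: str        # opaque card token, never a real card number
    amount: Decimal      # amount reserved against the credit limit
    issued_at: datetime


@dataclass(frozen=True)
class BatchItem:
    card_ref: str
    amount: Decimal
    approval_code: Optional[str]   # None when the merchant holds no approval


def review_batch(items, auths, submitted_at):
    """Return one status string per batch item, in batch order."""
    by_code = {a.approval_code: a for a in auths}
    seen_codes = set()
    statuses = []
    for item in items:
        auth = by_code.get(item.approval_code) if item.approval_code else None
        if auth is None:
            # No usable approval: acceptable only under the floor limit,
            # otherwise the merchant is forcing the transaction through.
            status = "floor_limit" if item.amount <= FLOOR_LIMIT else "forced_no_auth"
        elif item.approval_code in seen_codes:
            status = "approval_code_reused"
        elif auth.card_ref != item.card_ref:
            status = "card_mismatch"
        elif item.amount > auth.amount:
            status = "amount_exceeds_auth"
        elif submitted_at - auth.issued_at > HOLD_VALIDITY:
            status = "auth_expired"
        else:
            status = "ok"
        if auth is not None:
            seen_codes.add(item.approval_code)
        statuses.append(status)
    return statuses


def released_holds(items, auths, now):
    """Authorizations never batched whose hold has lapsed; the held amount
    goes back to the cardholder's available credit."""
    used = {i.approval_code for i in items if i.approval_code}
    return [a for a in auths
            if a.approval_code not in used and now - a.issued_at > HOLD_VALIDITY]


def merchant_payout(items):
    """Batch total minus the discount rate, rounded to cents."""
    gross = sum((i.amount for i in items), Decimal("0"))
    return (gross * (1 - DISCOUNT_RATE)).quantize(Decimal("0.01"))


# Constructed sample data (not real transactions).
T0 = datetime(2024, 1, 1, 9, 0)
SUBMITTED_AT = T0 + timedelta(hours=12)   # end-of-day batch
SAMPLE_AUTHS = [
    Authorization("A1001", "card-1", Decimal("120.00"), T0),
    Authorization("A1002", "card-2", Decimal("80.00"), T0),
    Authorization("A1003", "card-3", Decimal("40.00"), T0 - timedelta(days=10)),
    Authorization("A1004", "card-4", Decimal("60.00"), T0),   # never batched
]
SAMPLE_BATCH = [
    BatchItem("card-1", Decimal("120.00"), "A1001"),
    BatchItem("card-2", Decimal("95.00"), "A1002"),    # more than was approved
    BatchItem("card-3", Decimal("40.00"), "A1003"),    # approval too old
    BatchItem("card-5", Decimal("30.00"), None),       # under the floor limit
    BatchItem("card-6", Decimal("400.00"), None),      # forced through
    BatchItem("card-1", Decimal("120.00"), "A1001"),   # same approval twice
]

if __name__ == "__main__":
    statuses = review_batch(SAMPLE_BATCH, SAMPLE_AUTHS, SUBMITTED_AT)
    for item, status in zip(SAMPLE_BATCH, statuses):
        print(f"{item.card_ref:8} {item.amount:>8} {status}")
    accepted = [i for i, s in zip(SAMPLE_BATCH, statuses) if s == "ok"]
    print("payout on accepted items:", merchant_payout(accepted))
```

Items flagged forced_no_auth or approval_code_reused are the ones most likely to come back later as chargebacks, so they are worth reviewing before submission.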

A chargeback is an event in which money in a merchant
account is held due to a dispute relating to the transaction.
Chargebacks are typically initiated by the cardholder.
In the event of a chargeback, the issuer returns the
transaction to the acquirer for resolution. The acquirer then
forwards the chargeback to the merchant, who must either
accept the chargeback or contest it.


Secured Credit Cards
A secured credit card is a type of credit card secured by a
deposit account owned by the cardholder. Typically, the
cardholder must deposit between 100% and 200% of the total
amount of credit desired.
Thus if the cardholder puts down $1000, they will be given
credit in the range of $500-$1000.
In some cases, credit card issuers will offer incentives even
on their secured card portfolios.
In these cases, the deposit required may be significantly
less than the required credit limit, and can be as low as 10% of
the desired credit limit. This deposit is held in a special savings
Credit card issuers offer this because they have noticed that
delinquencies were notably reduced when the customer
perceives something to lose if the balance is not repaid.
The cardholder of a secured credit card is still expected to
make regular payments, as with a regular credit card, but
should they default on a payment, the card issuer has the
option of recovering the cost of the purchases paid to the
merchants out of the deposit.
The advantage of the secured card for an individual with
negative or no credit history is that most companies report
regularly to the major credit bureaus. This allows for building of
positive credit history.
Prepaid Credit Cards
A prepaid credit card is not a credit card, since no credit is
offered by the card issuer: the card-holder spends money which
has been "stored" via a prior deposit by the card-holder or
someone else, such as a parent or employer.
However, it carries a credit-card brand (Visa, MasterCard,
American Express or Discover) and can be used in similar
ways just as though it were a regular credit card. After
purchasing the card, the cardholder loads the account with any
amount of money, up to the predetermined card limit and then
uses the card to make purchases the same way as a typical
credit card.
Prepaid cards can be issued to minors (above 13) since
there is no credit line involved. The main advantage over
secured credit cards (see above section) is that you are not
required to come up with $500 or more to open an account.
With prepaid credit cards you are not charged any interest
but you are often charged a purchasing fee plus monthly fees
after an arbitrary time period.
Many other fees also usually apply to a prepaid card.
Prepaid credit cards are sometimes marketed to teenagers for
shopping online without having their parents complete the
transaction. Because of the many fees that apply to obtaining
and using credit-card-branded prepaid cards, the Financial
Consumer Agency of Canada describes them as "an expensive
way to spend your own money".
The agency publishes a booklet, "Pre-paid cards", which
explains the advantages and disadvantages of this type of
prepaid card.

The debit card has emerged from the shadow of its older
sibling, the credit card. Over the past decade, the debit card has
grown from accounting for 274 million transactions in 1990
to 8.15 billion transactions in 2002, to challenge the credit card
as the preferred payment card.
As it stands, the debit card industry is a multi-billion dollar
engine that helps drive bank profits and point-of-purchase
consumer sales, but is also beginning to redefine traditional
payment options in the business and government sectors, such
as food stamps, benefits, and payroll.
A debit card (also known as a bank card or check card) is a
plastic card which provides an alternative payment method to
cash when making purchases.
Functionally, it can be called an electronic check, as the
funds are withdrawn directly from either the bank account or
from the remaining balance on the card. In some cases, the
cards are designed exclusively for use on the Internet, and so
there is no physical card.
The use of debit cards has become widespread in many
countries and has overtaken the check and in some instances
cash transactions by volume.
Like credit cards, debit cards are used widely for telephone
and Internet purchases, and unlike credit cards the funds are
transferred from the bearer's bank account instead of having
the bearer pay back at a later date.
Debit cards can also allow for instant withdrawal of cash,
acting as the ATM card for withdrawing cash and as a cheque
guarantee card. Merchants can also offer "cash back/cash out"
facilities to customers, where a customer can withdraw cash
along with their purchase.
Debit Cards: Issuers
The banks issuing debit cards include:
Bank of America
American Express
Standard Chartered

Two decades ago, the number of debit cards in circulation
was approximately 19 million. This figure is projected to cross
34.4 million by 2016.
A debit card (also known as a bank card or check card) is a
plastic card that provides an alternative payment method to
cash when making purchases.
Functionally, it can be called an electronic check, as the
funds are withdrawn directly from either the bank account or
from the remaining balance on the card.
In some cases, the cards are designed exclusively for use
on the Internet, and so there is no physical card.
In many countries the use of debit cards has become so
widespread that their volume of use has overtaken or entirely
replaced the check and, in some instances, cash transactions.
Like credit cards, debit cards are used widely for telephone
and Internet purchases and, unlike credit cards, the funds are
transferred immediately from the bearer's bank account instead
of having the bearer pay back the money at a later date.
Debit cards may also allow for instant withdrawal of cash,
acting as the ATM card for withdrawing cash and as a check
guarantee card.
Merchants may also offer cash back facilities to customers,
where a customer can withdraw cash along with their purchase.

The history of the debit card shows that the concept is not new.
It dates back around 20 years, to a period that saw the
introduction of e-commerce and alternative means of payment.

Parts Of The Debit Card

An example of the front of a typical debit card:
1. Issuing bank logo
2. EMV chip
3. Hologram
4. Card number
5. Card brand logo
6. Expiration date
7. Cardholders


An example of the reverse side of a typical debit card:
1. Magnetic stripe
2. Signature strip
3. Card Security Code

There are currently three ways that debit card transactions
are processed: online debit (also known as PIN debit), offline
debit (also known as signature debit) and the Electronic Purse
Card System. It should be noted that one physical card can
include the functions of an online debit card, an offline debit
card and an electronic purse card. Although many debit cards
are of the Visa or MasterCard brand, there are many other
types of debit card, each accepted only within a particular
country or region.
Online Debit System
Online debit cards require electronic authorization of every
transaction and the debits are reflected in the user's account
immediately. The transaction may be additionally secured with
the personal identification number (PIN) authentication system
and some online cards require such authentication for every
transaction, essentially becoming enhanced automatic teller
machine (ATM) cards.
One difficulty in using online debit cards is the necessity of
an electronic authorization device at the point of sale (POS)
and sometimes also a separate PIN pad to enter the PIN,
although this is becoming commonplace for all card
transactions in many countries.

Overall, the online debit card is generally viewed as superior
to the offline debit card because of its more secure
authentication system and live status, which alleviates
problems with processing lag on transactions that may have
been forgotten or not authorized by the owner of the card.
Offline Debit Card
Offline debit cards have the logos of major credit cards (e.g.
Visa or MasterCard) or major debit cards (e.g. Maestro in the
United Kingdom and other countries, but not the United States)
and are used at the point of sale like a credit card (with payers
This type of debit card may be subject to a daily limit, and/or
a maximum limit equal to the current/checking account balance
from which it draws funds.
Transactions conducted with offline debit cards require 2-3
days to be reflected on users' account balances. In some
countries and with some banks and merchant service
organizations, a "credit" or offline debit transaction is without
cost to the purchaser beyond the face value of the transaction,
while a small fee may be charged for a "debit" or online debit
transaction (although it is often absorbed by the retailer).
Other differences are that online debit purchasers may opt
to withdraw cash in addition to the amount of the debit
purchase (if the merchant supports that functionality); also,
from the merchant's standpoint, the merchant pays lower fees
on online debit transactions as compared to "credit" (offline)
debit transactions.
Electronic Purse Card System
Smart-card-based electronic purse systems in which value
is stored on the card chip, not in an externally recorded
account, so that machines accepting the card need no network
connectivity are in use throughout Europe since the mid-1990s,
most notably in Germany, Austria, Belgium, The major boom in
smart card use came in the 1990s, with the introduction of the
smart-card-based SIM used in GSM mobile phone equipment
in Europe. With the ubiquity of mobile phones in Europe, smart
cards have become very common.

Prepaid debit card
Prepaid debit cards, also called reloadable debit cards or
reloadable prepaid cards, are often used for recurring
payments. The payer loads funds to the cardholder's card
account. Prepaid debit cards use either the offline debit system
or the online debit system to access these funds.
Particularly for companies with a large number of payment
recipients abroad, prepaid debit cards allow the delivery of
international payments without the delays and fees associated
with international checks and bank
Working of Debit Card
The user has to present the card to merchant who will swipe
it through the electronic terminal and enter the amount of
purchase. The customers need to sign the transaction slip.
Account will be automatically debited for the amount of the
purchase and the transaction can be verified by entering the
The Debit Card can be used to access the account from over
5,000 shops, department stores, petrol pumps and
restaurants and over 235 ATMs in India. It can also be used at
over 4 million Visa Electron merchant locations and equally
strong MasterCard outlets.
If a Debit Card is lost or stolen, card companies
protect against fraudulent usage following the loss.
To obtain a card, it is necessary to have a savings or current
account with the debit card issuer and to fill in an application form.
The card company then couriers the card in around a
week's time. The Debit Card does have a daily limit, which could
be somewhere around Rs. 15,000 at ATMs and Rs. 10,000 at
merchant locations. This again is subject to the balance
available in the account.


The widespread use of debit and check cards has revealed
numerous advantages and disadvantages to the consumer and
retailer alike.

Advantages of debit cards

Debit and check cards, as they have become widespread,
have revealed numerous advantages and disadvantages to the
consumer and retailer alike. Advantages are as follows:

A consumer who is not credit worthy and may find it
difficult or impossible to obtain a credit card can more easily
obtain a debit card, allowing him/her to make plastic
transactions. For example, legislation often prevents minors
from taking out debt, which includes the use of a credit card,
but not online debit card transactions.

Use of a debit card is limited to the existing funds in the
account to which it is linked (except cases of offline
payments), thereby preventing the consumer from racking up
debt as a result of its use, or being charged interest, late
fees, or fees exclusive to credit cards.

For most transactions, a check card can be used to avoid
check writing altogether. Check cards debit funds from the
user's account on the spot, thereby finalizing the transaction
at the time of purchase, and bypassing the requirement to
pay a credit card bill at a later date, or to write an insecure
check containing the account holder's personal information.

Like credit cards, debit cards are accepted by merchants
with less identification and scrutiny than personal checks,
thereby making transactions quicker and less intrusive.
Unlike personal checks, merchants generally do not believe
that a payment via a debit card may be later dishonored.

Unlike a credit card, which charges higher fees and interest
rates when a cash advance is obtained, a debit card may be
used to obtain cash from an ATM or a PIN-based transaction
at no extra charge, other than a foreign ATM fee.
Debit Cards Benefits
They help people to be disciplined financially, since one
cannot splurge with the limited amount of funds deposited for
the card.
A person with poor credit can obtain a debit card too much

Debit cards can be used to make online purchases and

They provide freedom from carrying cash and checks while
traveling, thereby offering more safety.

Disadvantages of debit cards

The Debit card has many disadvantages as opposed to cash or

Use of a debit card is not usually limited to the existing
funds in the account to which it is linked; most banks allow a
certain threshold over the available bank balance, which can
cause overdraft fees if the user's transaction does not reflect
available balance.

Some banks are now charging over-limit fees or non-sufficient funds fees based upon pre-authorizations, and
even attempted but refused transactions by the merchant
(some of which may not even be known by the client).

In the UK and Ireland, among other countries, a consumer
who purchases goods or services with a credit card can
pursue the credit card issuer if the goods or services are not
delivered or are unmerchantable.
While they must generally exhaust the process provided
by the retailer first, this is not necessary if the retailer has
gone out of business. This protection is not provided by
legislation when using a debit card but may be offered to a
limited extent as a benefit provided by the card network, e.g.
Visa debit cards.

When a transaction is made using a credit card, the
bank's money is being spent, and therefore, the bank has a
vested interest in claiming its money where there is fraud or
a dispute.
The bank may fight to void the charges of a consumer
who is dissatisfied with a purchase, or who has otherwise
been treated unfairly by the merchant.
But when a debit purchase is made, the consumer has
spent his/her own money, and the bank has little if any
motivation to collect the funds.

In some countries, and for certain types of purchases,
such as gasoline (via a pay at the pump system), lodging, or
car rental, the bank may place a hold on funds much greater
than the actual purchase for a fixed period of time. However,
this isn't the case in other countries, such as Sweden.
Until the hold is released, any other transactions presented
to the account, including checks, may be dishonored, or may
be paid at the expense of an overdraft fee if the account
lacks any additional funds to pay those items.
While debit cards bearing the logo of a major credit card
are accepted for virtually all transactions where an equivalent
credit card is taken, a major exception in some countries is at
car rental facilities. In some countries car rental agencies
require an actual credit card to be used, or at the very least,
will verify the creditworthiness of the renter using a debit
In these unspecified countries, these companies will deny
a rental to anyone who does not fit the requirements, and
such a credit check may actually hurt one's credit score, as
long as there is such a thing as a credit score in the country
of purchase and/or the country of residence of the customer.
Many banks are now charging over-limit fees or non-sufficient funds fees based upon pre-authorizations, and
even attempted but refused transactions by the merchant
(some of which may be unknown until later discovery by
account holder).
Many merchants mistakenly believe that amounts owed
can be "taken" from a customer's account after a debit card
(or number) has been presented, without agreement as to
date, payee name, amount and currency, thus causing
penalty fees for overdrafts, over-the-limit, amounts not
available causing further rejections or overdrafts, and
rejected transactions by some banks.
In some countries debit cards offer lower levels of security
protection than credit cards. Theft of the user's PIN using
skimming devices can be accomplished much more easily with a
PIN input than with a signature-based credit transaction.

However, theft of users' PIN codes using skimming
devices can be equally easily accomplished with a debit
transaction PIN input, as with a credit transaction PIN input,
and theft using a signature-based credit transaction is
equally easy as theft using a signature-based debit

In many places, laws protect the consumer from fraud
much less than with a credit card. While the holder of a credit
card is legally responsible for only a minimal amount of a
fraudulent transaction made with a credit card, which is often
waived by the bank, the consumer may be held liable for
hundreds of dollars, or even the entire value of fraudulent
debit transactions.
The consumer also has a shorter time (usually just two
days) to report such fraud to the bank in order to be eligible
for such a waiver with a debit card, whereas with a credit
card, this time may be up to 60 days. A thief who obtains or
clones a debit card along with its PIN may be able to clean
out the consumer's bank account, and the consumer will
have no recourse.

CH(7)-Debit Cards vs. Credit



The same financial institutions offer both debit cards and
credit cards. Both cards offer special rewards, such as points
and cash back on purchases made through the card.
Debit cards and credit cards can be used to make online
payments with the help of the PIN assigned to them.
They can be used to withdraw money from ATMs depending
on the cash limit available on these cards.

In the case of a credit card, the issuer offers credit and
overdraft facilities. This facility is not available with a debit card,
which will only debit payments from existing and available
funds within the cardholder's account.
A credit cardholder therefore has a monthly bill to pay in
every month that the card is used. If they don't pay that bill,
high interest charges are applied.
A debit card holder is free from the hassle of paying those
bills and from the risk of building up large debts to credit card

Debit Card Problems can be worse than Credit Card Problems
When an improper charge appears on a credit card, the
cardholder is not automatically out the money and simply needs to work
with the credit card issuer to have the charge removed from the
When an improper charge occurs with a debit card,
however, the funds are automatically taken from the account
and the customer is burdened with attempting to get the money
Meanwhile, he may experience cash flow problems and the
legitimate checks could bounce.

Traveling with your Debit Cards

The reverse side of the debit card will display the names or
symbols of the various ATM systems that will accept the card.
A debit card can be used at any ATM in the world as long as
the ATM displays one of the same system names or symbols
that are on the debit card.
When obtaining funds at an ATM in a foreign country the
funds dispersed will be in the currency of the country going to

An ATM card (also known as a bank card, client card, key
card or cash card) is an ISO/IEC 7810 card issued by a bank,
credit union or building society. It can be used:

at an ATM for deposits, withdrawals, account information,
and other types of transactions, often through interbank

at a branch, as identification for in-person transactions

at merchants, for EFTPOS (point of sale) purchases

Unlike a debit card, in-store purchases or refunds with an
ATM card can generally be made in person only, as they
require authentication through a personal identification number
or PIN. In other words, ATM cards cannot be used at merchants
that only accept credit cards.
However, other types of transactions through telephone or
online banking may be performed with an ATM card without in-person authentication. This includes account balance inquiries,
electronic bill payments or in some cases, online purchases.
In some countries, the two functions of ATM cards and debit
cards are combined into a single card called a debit card or
also commonly called a bank card. These are able to perform
banking tasks at ATMs and also make point-of-sale
transactions, both functions using a PIN.
Europe's Maestro is an example of a network that links bank
accounts with point-of-sale equipment. Magnetic stripe cloning
can be detected by the implementation of magnetic card reader
heads and firmware that can read a signature embedded in all
magnetic stripes during the card production process.
This signature, known as a "MagnePrint" or "Blueprints", can
be used in conjunction with common two factor authentication
schemes utilized in ATM, debit/retail point-of-sale and prepaid
card applications.
ATM Cleaning Cards are the primary means of cleaning ATM
machines to ensure that the machine stays functioning

An automated teller machine (ATM) is a computerized
telecommunications device that provides the customers of a
financial institution with access to financial transactions in a
public space without the need for a human bank teller. On most
modern ATMs, the customer is identified by inserting a plastic
ATM card with a magnetic stripe or a plastic smartcard with a
chip that contains a unique card number and some security
information, such as an expiration date. Security is provided
by the customer entering a personal identification number (PIN).
Using an ATM, customers can access their bank in order to
make withdrawals (or credit card cash advances) and check
their account balances, as well as purchase prepaid mobile
phone credit.
ATMs are known by various other names including
automated transaction machine, automated banking machine,
money machine, bank machine, cash machine, hole-in-the-wall,
cash point etc.


Don Wetzel has been credited with developing the first
modern ATM. The idea came to him in 1968 while waiting in line
at a Dallas bank, after which he proposed a project to develop
an ATM to his employer, Docutel.
A major part of the development process involved adding a
magnetic stripe to a plastic card and developing standards to
encode and encrypt information on the stripe.
A working version of the Docutel ATM was sold to New
York's Chemical Bank, which installed it in 1969 at its Rockville
Center (Long Island, N.Y.) office. Although the Docutel ATM did
use the modern magnetic stripe access card, the technology
remained primitive compared with today's.
The Docutel ATM only dispensed cash and was an offline
machine. To enable payment processing, the machine printed a
transaction record that was MICR encoded. By the early 1970s,
ATM technology advanced to the system we know today.
ATMs were first accessed primarily with credit cards, but in
1972, City National Bank of Cleveland successfully introduced
a card with an ATM but not a credit function.
ATMs were developed that could take deposits, transfer
money from checking to savings or savings to checking,
provide cash advances from a credit card, and take payments.





With the overwhelming success of plastic money, fraud and
abuse have become a worry just as the counterfeit and theft of
real money have always been. The facts are clear. As the
number of cards in issue rises, so does the risk of fraud. As
more cards are issued to more people making more purchases,
fraud is likely to continue to increase and new types of fraud will
Figures 7 and 8 show the 1996 UK fraud profile
and the UK bank losses from 1993 to 1997, with losses due to
counterfeit shown separately.

[Figure 7: 1996 UK fraud profile; categories include card not received, lost and stolen]

[Figure 8: UK bank losses, 1993 to 1997; total amount]

Figure 7 shows that lost & stolen cards still represent 70% of
the fraud problem. What the figure does not show is that
skimming (cloning of a card without the knowledge of the
original owner) and counterfeit are increasing whereas the
category lost & stolen is remaining at the same level. This is
especially worrying as the pre-status fraud (fraud that takes
place before the card is reported stolen or lost) is already very
high, accounting for 45% of all fraud. A considerable proportion
of this 45% is due to the six hours it takes to actively suspend a card
after it has been reported stolen. It therefore seems a good
idea to introduce chip cards (they are more difficult to
reproduce) the way France did to fight the growing problem of
counterfeit. France had a similar situation at the beginning of
the 90s with an all time high fraud rate of 0.188 percent of total
turnover and a total amount lost the fraud rate and the fraud
amount dropped considerably to 0.079% and $72m

With reference to the acceptance of the program by
cardholders and retailers, two surveys completed in December
1991 and 1993 pointed out a quite good acceptance of the
newly introduced PIN check procedure by both and a level of
technical incidents on the chip cards comparable to the level on
magnetic cards. Nowadays the fraud rate is still falling whereas
the fraud amount is again rising due to the increasing volumes
of plastic money transactions.
Sales director Steve Callagham of Card Clear Plc, a
company that specializes in card fraud detection and
prevention, counters that merchants in the UK were
reluctant to adopt a change towards chip cards and that they
were in general not worried about security issues. The UK is at
the moment one of the only countries in Europe that has not
introduced smart cards in the banking and financial sector.
Other sectors, on the other hand, adopted the standard
years ago, e.g. for telephone cards.



Plastic money business is definitely going big time here in
Pakistan. In a country where two years back people had
hardly heard the words plastic money or credit card, more than
7000 merchants are accepting above 140,000 cards.
It has been estimated that there are likely to be around half
a million potential card users in the near future. This forecast
derives credibility from the fact that more and more local and
international financial institutions are exhibiting enthusiasm in
this direction.
This in turn reflects prospects in Pakistan market in
accommodating numerous credit card competitors operating on
the circuit, ensuring healthy and competitive card business
Market Scenario
Although the credit card was introduced in Pakistan decades
ago when Habib Bank, the largest bank in Pakistan, launched
its gold card, people hardly knew about this card
because of its very limited issuance. Approximately four years
back, Allied Bank of Pakistan launched its Master Card.
Two years back Citibank had launched its VISA Card and
that was the turning point in the history of Plastic Money in
Citibank had done a tremendous job to educate people of
Pakistan, as well as, financial industry about credit cards and
its significance in today's world. Because of very aggressive
marketing and heavy investment in technology, Citibank is well
deserved to be called the industry leader of Pakistan's credit
card business. After successful launch of Citibank card, Muslim
Commercial Bank, Bank of America, and National Bank of
Pakistan had launched their credit cards.
Very soon we are expecting more local and international
banks on the horizon of Pakistan's credit card business.
*In alphabetical order

Citibank is the industry leader in credit card business here.
In a short span of time, Citibank has issued over 125,000
VISA cards and covers most of the potential market
Muslim Commercial Bank has launched its Master Card
and it is expected that by the end of 1997, MCBcard users
will be over 250,000 (that makes 5% of its total account
Diners Club and AMEX are very selective in credit card
business and so far entertain a very limited market
Bank of America is the transaction processing hub for
most of the local banks, including Muslim Commercial
Bank, Allied Bank and National Bank of Pakistan. Some
departmental stores have also issued their own branded
cards; however, these stores are operating in a very
restrictive domain.


In order to discourage fraud and to decrease the losses
suffered due to fraud, the industry has adopted certain
standards that can be categorized. The following section of the
report will critically evaluate the following methods of fraud
prevention: magnetic stripes, micro chip cards, biometric
methods, encryption and finally the verification with the help of
hot card files.

A magnetic stripe is the most common method to store data
on a card. Its advantages are the low price and the simplicity
of customization. On the other hand it is an ageing
technology that has been stretched far beyond its original
capacities. The major problem about this method is that it
offers no security on the card itself because the card has no
This indicates that the PIN the user enters has to be verified
by the machine that reads the card since the card itself
cannot compare the PIN it has on the magnetic stripe with
the PIN the user enters. This again is the reason why cards
with magnetic stripes tend to need an on-line verification
which is slower and more expensive than an off-line
The next problem is the simplicity of the manipulation of data
stored on the stripe. Since most cards in use have LOCO
stripes they are easy to read and copy. Hardware to read
magnetic cards is widely available and any PC is therefore
relatively easy to convert into a universal magnetic card
reading and writing terminal. Complete card readers are
already available for 25.
So what about the PIN? The PIN as such is not on the card
itself for reasons of security. So how does the card reading
machine know the PIN that corresponds to the card it reads?
The machine reads the data on the stripe and calculates the
PIN with the help of a 64-Bit DES (Data encryption
The result is the four-digit PIN. The DES is a highly
sophisticated encryption method and the key to its 64-Bit
version has to date not officially been figured out. But there
have been repeated unconfirmed rumors about people
having found the key.
The basis of this principle is that every magnetic stripe has a
unique magnetic micro pattern comparable to a magnetic
fingerprint.


The main advantage of a chip card is the fact that it is smart
as opposed to a magnetic stripe card.
Its microprocessor allows it to communicate with the outside
world. This is the basis for an off-line verification being faster
and cheaper than an on-line verification.
When the user enters his PIN it will be tested against the PIN
stored in the EEPROM.
Therefore, only a simple system is needed to verify the
accordance of the entered PIN with the PIN on the card.
The chip does the hard work of encrypting and decrypting
the data. But this vital advantage is only applicable to the
verification process.
In the whole verification process data is never easily
accessible or open to manipulation, as opposed to magnetic cards.
The security is therefore already in the card and not only in
the machine as.
The scarcity and high price of components, complete cards
and equipment certainly help to prevent fraud as well.
Another strength of the chip is its small size, which makes it
very difficult to reproduce or even to find weak points in it.
On top of that, the chip industry has found many ways to
construct a chip that make it very difficult for attackers to
crack. But all that has not made the chip fraud-proof.

Originally, encryption served to protect data from being
read by a third party, which is a passive attack.
However, this situation has changed and data nowadays
has to be protected against active attacks as well.
Encryption can be subdivided into two main categories: the
symmetric algorithms and the asymmetric algorithms. The
oldest and the best known encryption method is the
symmetric one.
Symmetric means that the sender and the receiver use the
same key to encrypt and decrypt the data transmission. The
advantage of symmetric data encryption is the wide
availability of good algorithms and its speed. Its major
disadvantage is the high effort needed for the
administration of the keys, since the number of different keys
required for a growing number of network participants
increases exponentially according to the formula: keys required =
number of participants * (number of participants - 1) / 2.
A network consisting of 1,000 participants who all encrypt
their data and all want to make sure that only the receiver
can decrypt the message requires therefore already nearly
half a million different keys.
The earlier mentioned DES is an example of a symmetric
algorithm. Another practical application of symmetric
algorithms is the MAC (Message Authentication Code).
In this case the message is once sent in its encrypted and
once in its readable form. The receiver then decrypts the
message and checks if the two messages match. If they do,
the receiver can be sure that the message has not been
If asymmetric algorithms are used, every participant has one
private key and one public key.
If A wants to send an encrypted message to B, A has to
encrypt the message with B's public key. Once the message
has arrived at B, he decrypts it with his private key. Of course,
it is not possible to know B's private key by knowing B's
public key, which makes the encryption asymmetric. This
avoids the need to keep the encrypting key secret since it is
useless for decrypting.
Furthermore, only two keys per participant are needed,
meaning that for a network consisting of 1,000 participants
only 2,000 keys are required. The disadvantage of this
method is its time requirement and the lack of commercially
available algorithms.
A typical application of the asymmetric encryption is the
electronic signature. One can think of it as an asymmetric
MAC. Whereas a transmission can only be checked for its
authenticity with a MAC, an electronic signature makes it
impossible for the receiver to fake it and the origin of the data
transmission is therefore detectable.
Applying symmetric and asymmetric encryption methods to
the problems discussed in part E3 of the report helps to
eliminate a large part of all fraud of data.

The days of the PIN are now surely numbered. What was a
convenient, easy-to-implement method of controlling access
has now reached the stage where it is also easy to defraud.
Biometrics, where an individual's identity is verified by a
unique physical or behavioral characteristic, looks set to
become the imminent successor to the PIN.
By 1999 the world market for biometrics for just physical
access control applications is estimated to be worth US$ 100
As the movement of people around the world becomes
quicker and easier, these travelers will expect to be able to
access services from their home country, such as banking,
with as much ease as they do whilst at home.
The PIN is the least secure of three levels of security. It is
something that you know; although in many cases it is
something you have forgotten or written down to remember.
The second stage is something that you have (e.g. a plastic
card) which is possibly linked to something that you know.
The third and ultimate tier is to use something which you are
(biometrics), which can be linked to either something which
you have, something you know or even both.
The problem with the PIN is that it is difficult to remember,
especially if more than one needs to be remembered and
they are chosen for the user.
Paradoxically, if users choose their own PIN, they are
very likely to choose something easy to guess such as their
partner's birthday. When a password or PIN is chosen for the
user, the problem of having to remember it is sometimes
overcome by writing it down.
This, of course, defeats the point of having something which
one person and only that person knows. One in
three people write down their PIN for their bank card,
according to a UK poll conducted by MORI.
Another source estimates that nearly one in five people have
been unable to get money out of an ATM at some point
because they have been unable to remember their PIN. This
and other behavior patterns will be looked at in more detail in
part F of the report. Biometrics, too, have one significant
drawback, however.
Unlike in the case of a PIN or card, a computer cannot give
an absolute yes or no answer to whether the user is the one
he pretends to be.
A PIN is either 1234 or not and the same is true with card
serial numbers etc. A dynamic signature, a voice, a face and
many other biometric characteristics, will vary every time
they are checked.
In most cases it will not vary much, but some leeway must be
built in to allow the authorized user to produce a 99%
accurate signature and still be verified. A biometric system,
therefore, cannot say with 100% accuracy that the person in
question is the right one.
To combat this, biometric systems are designed to allow for a
certain variance. The size of the variance depends on the
purpose of the installation. In a financial installation it might
be sufficient to require only 95% accuracy so that valued
customers would not be falsely rejected but potential
criminals would still be deterred.
In a military establishment, an accuracy of 99.9999% may be
needed to ensure that there is no possibility of an imposter
being given access. This would, however, mean that
authorized users may often be rejected by the system.
Before a person can be verified by a biometric verification
device, they must first be enrolled. This is the process during
which a new user must produce one or more samples of the
characteristics to be used.
These readings will then be compared and sorted to give one
average reading, or all the readings will be kept to indicate in
what manner the user's characteristics can vary. This
template is then stored in memory either in the individual
verification terminal, on a plastic card or in a host system.
Different biometric types are better at ensuring a low rate of
rejection of authorized users than are others. This also
means, however, that they are not so good at rejecting
unauthorized users. A trade off of one requirement against
the other must be made.
The inaccuracy of a biometric system in rejecting authorized
users is known as a Type 1 error and the corresponding
inverse error is known as a Type 2 error. Whilst some
systems come very close to zero on one of these, the other
is usually correspondingly high.
Other systems have a medium score on both. Another
important factor is the memory size of the template.
One biometric system requires only nine bytes of data which
could be easily stored on a magnetic stripe card.
Others require the data storage capabilities of a smart card
or a host computer.
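
The enrolment step and the Type 1 / Type 2 trade-off described above, as an added example that is not part of the original report: readings are averaged into a template, and a tolerance sweep shows false rejections falling as false acceptances rise. The four-value feature vectors, noise levels and tolerances are constructed for illustration and do not model any real device.

```python
import random
import statistics


def enroll(samples):
    """Enrolment: average several readings into one stored template."""
    return [statistics.fmean(column) for column in zip(*samples)]


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def verify(template, reading, tolerance):
    """Accept when the reading lies within the allowed variance."""
    return distance(template, reading) <= tolerance


def error_rates(template, genuine, impostors, tolerance):
    """Return (Type 1 false rejection rate, Type 2 false acceptance rate)."""
    rejected = sum(not verify(template, r, tolerance) for r in genuine)
    accepted = sum(verify(template, r, tolerance) for r in impostors)
    return rejected / len(genuine), accepted / len(impostors)


def constructed_population(seed=1):
    """Constructed sample data: one enrolled user and 500 other people."""
    rng = random.Random(seed)
    true_features = [5.0, 3.0, 8.0, 1.5]  # arbitrary units, not a real device

    def reading(center, spread):
        return [rng.gauss(c, spread) for c in center]

    enrolment = [reading(true_features, 0.3) for _ in range(5)]
    genuine = [reading(true_features, 0.3) for _ in range(500)]
    # Each impostor is a different person (shifted features) plus sensor noise.
    impostors = [reading(reading(true_features, 1.0), 0.3) for _ in range(500)]
    return enroll(enrolment), genuine, impostors


def sweep(tolerances, seed=1):
    """Error rates for each tolerance: list of (tolerance, Type 1, Type 2)."""
    template, genuine, impostors = constructed_population(seed)
    return [(t, *error_rates(template, genuine, impostors, t))
            for t in tolerances]


if __name__ == "__main__":
    for tol, frr, far in sweep([0.0, 0.4, 0.8, 1.2, 1.6, 2.0, 100.0]):
        print(f"tolerance {tol:5.1f}  Type 1 {frr:6.1%}  Type 2 {far:6.1%}")
```

A tight tolerance suits the military case in the text, a loose one the financial case; no single setting drives both error types to zero on overlapping data.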
There are at the moment six different types of biometric
systems commercially available. Fingerprint, hand geometry,
retinal eye pattern, facial recognition, voice comparison and
dynamic signature verification are now available from a wide
range of suppliers.

The following are descriptions of the way the
devices work, their reliability and their price range.

Fingerprint verification systems are heavily associated with
law enforcement. On the one side this is good, because it proves
to the public that these systems work, but on the other side,
the introduction of fingerprint verification may put some
people off using it.
The way fingerprint systems operate is by identifying the
location of small marks, known as minutiae, which are found
in the fingerprint.
The readability of the fingerprint depends on a variety of
work and environmental factors. These include age, gender,
occupation and race. A young, female, Asian mineworker is
seen as the most difficult subject. A system that works on the
basis of ultra-sound can overcome these limitations.
The system is user friendly and easy to use since all the
user needs to do is to place his finger on a platen,
sometimes positioned correctly by finger guides. The
majority of fingerprint systems incorporate 'live and well'
detectors to ensure that the finger being scanned is
connected to a live person.
Performance figures for one of the longest established
fingerprint verification devices are quoted as a false
acceptance rate of 0.0001% and a false rejection rate of
less than 1%. Template size requirements differ between
each supplier's system, ranging from 24 bytes to upwards of
1,000 bytes. The costs for a single fingerprint verification unit
range from US$695 to US$3,000.

Hand geometry systems have the advantage of a very small
template: one system only requires nine bytes.

Whilst many characteristics of the hand could be chosen for
biometric verification, only two have so far been
One approach uses the geometry of the hand whereas the
other uses the geometry of two fingers.
These systems are relatively easy to use with some
incorporating guide posts to ensure that the hand is placed
correctly. Hand geometry has had no major problems being
accepted in most societies except for Japan.
The geometry systems are not affected by environmental
factors such as dirt and grease although large rings need to
be removed if not worn at the enrolment stage. Some
systems will allow the user to use either hand, while others
are easier with one hand, although the other can be used
if necessary.
It is possible for the other hand to be placed upside down
instead because the geometry of each hand is a mirror image of
the other hand.
Hand and finger geometry systems tend to be seen as good
all-rounders, with one hand geometry system having a false
acceptance rate of under 0.1%.
The cost for a single hand geometry unit is US$2100 whilst
the components for a finger geometry system are US$900.

Of all biometrics commercially available, retinal scanning has
the lowest false acceptance rate at an effective 0%. Retinal
scanning operates by taking a circular image of the back of
the eye using a very low intensity infrared camera.
Using a retinal scanning device requires some practice and
the use of an infrared beam has caused some public
acceptability worries in the past.
Iris scanning systems also have very good performance
results. Because of its close links to the brain, the eye is one
of the first parts of the body to decay after death, making the
successful use of a dead or false eye unlikely.
The templates for both eye scanning verifications are
comparatively small.

The retinal scan template requires about 100 bytes and the
iris scan about 250 bytes. The systems cost around
US$3,000 and US$6,000 respectively.

People are already used to being recognized by their face,
since this is the usual way of recognizing a person. This
indicates high user friendliness. Systems currently available
require the user to be standing straight on to the camera as if
posing for a photo.
Distance from the camera, background, facial expression,
lighting, changes to hair styles and spectacles all affect some
systems. Ultimately, facial recognition systems will be able to
identify a person as they walk naturally towards a door.
An error rate of 2.5% is being quoted by one supplier for its
mug-shot type system.
The size of the template stored by a facial recognition
system differs with each supplier but is relatively big. It
ranges from five hundred bytes to 2,000 bytes. The cost for a
facial recognition system ranges from US$2,000 upwards.

Voice verification has the advantage that it is not intrusive
and that people are used to using the equipment required.
Two types of voice verification systems are available. Access
can be controlled using a standard telephone linked to a
voice verifier on a host computer. Stand-alone units are also
available which perform verification internally.
The verification performance can be affected by background
noise. This can occur when the user is situated in a busy
location and also from electrical noise on the telephone
characteristics which produce speech and not its sound or
This makes it safe from mimics but not from high quality
digital tape recordings. To overcome this, words or numbers
chosen at random can be spoken.

One telephone-based technology provider quotes error rates
of 1% for its system. A stand-alone provider is quoting a false
acceptance rate of 0.9% after the first attempt and a false
rejection rate of 4.3% after three attempts.
The template sizes for voice verification systems vary
between the different suppliers since some just require the
user to say one word whilst others need whole sentences.
The templates are usually upwards of 1,000 bytes.
The cost of systems ranges between US$1,000 and over


Signature verification has the advantage that people around
the world are used to verifying their identity in this manner.
Signature verification devices record the way in which a
signature is written rather than its appearance.
This is measured by a special pen, a sensitive tablet upon
which the signature is written with an ordinary pen or with a
tablet and stylus purchased as a standard computer
Unfortunately some systems are unable to cope with people
whose signature changes radically each time it is written.
Dynamic signature verification devices are easy to use,
acceptable to the public and difficult to circumvent.
One product tested by Sandia National Laboratories was
found to have a false acceptance and false rejection rate,
after two attempts of 058% and 2.1% respectively.
The template size is quite small at around fifty bytes but to
reproduce the signature image, more information needs to
be stored.
The cost of a single signature verification unit ranges from
US$320 on upwards.

There are a number of typical fraud methods and
corresponding countermeasures used to prevent fraud from
Tapping of a line. The attacker has gained access to the
connection between chip card and terminal or chip card and
system. He can read all data that goes through that line but
he cannot change or intercept the data. This is called a
passive attacker. The corresponding countermeasure is the
encryption of the data flow. The attacker can then still read
the data but it has been rendered useless to him.
Change of data during its transmission. In this case the
attacker is active. He can change, manipulate, add or cut
pieces out of the data flow. Encrypting the data makes it
more difficult for the attacker to recognize the relevant parts
to manipulate. Furthermore, there is a so-called MAC
(Message Authentication Code) that enables the receiver to
recognize changes in the message.
Unauthorized access to data in the chip during the
production and/or customization process. The attacker wants
to access and manipulate data on the chip, now or later. This
again is an active attack. To protect the chip from internal
attacks during its production and customization, key
hierarchies and security concepts based on them are used.
Manipulation of the dialogue partner. The attacker pretends
to be the dialogue partner. The best way to avoid that is to
use a dynamic authentication in which the user demands
verification of his dialogue partner. This does not work with a
chip card since it does not have the required processing
Reproduction of smart cards. It is assumed that the attacker
already has the relevant data and a chip card to load it on.
This is made impossible by establishing write protection on
the chip with the help of a producer's key. Before the
customization the key has to be entered like a PIN.
Simulation of the card. If the data exchanged were always the
same, it would be sufficient to tap the line once and then
replay the recorded data in order to simulate the card. By
giving the security-relevant data a random character this
becomes impossible.
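
The MAC and the random-data countermeasure from the list above, as an added example that is not part of the original report: a terminal issues a fresh random challenge, the card answers with a MAC over challenge and message, and both an altered message and a replayed recording are rejected. HMAC-SHA-256 from the Python standard library stands in for the DES-based MAC the report mentions; the Card and Terminal classes, the key and the message are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key, *parts):
    """MAC over length-prefixed parts (HMAC-SHA-256 stands in for a DES MAC)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class Card:
    """Chip card holding a secret key that never travels over the line."""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge, message):
        return mac(self._key, challenge, message)


class Terminal:
    """Terminal that issues one fresh random challenge per transaction."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, message, tag):
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return False
        return hmac.compare_digest(tag, mac(self._key, challenge, message))


def demo():
    key = secrets.token_bytes(32)            # constructed shared key
    card, terminal = Card(key), Terminal(key)
    message = b"PAY 25.00 MERCHANT 0001"     # constructed message

    tag = card.respond(terminal.new_challenge(), message)
    genuine = terminal.check(message, tag)

    tag2 = card.respond(terminal.new_challenge(), message)
    altered = terminal.check(b"PAY 95.00 MERCHANT 0001", tag2)

    terminal.new_challenge()                 # new transaction, new challenge
    replayed = terminal.check(message, tag)  # tag recorded from the first run

    # Without a challenge the card's answer is identical every time,
    # so a recording of it would verify again.
    static_replay = hmac.compare_digest(mac(key, message), mac(key, message))
    return {"genuine": genuine, "altered": altered,
            "replayed": replayed, "static_replay": static_replay}


if __name__ == "__main__":
    print(demo())
```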