In completing a retail transaction with a smart card, the PIN pad connected to the EPOS system can prompt the user to insert their card into the reader. Once it has detected that the card is a valid one, it can prompt the user to enter their four-digit PIN code to authorise the transaction. In this transaction the credit card has never left the customer's hands, and the PIN has never left the PIN pad, as the whole authentication process has occurred within the PIN pad.
However, there will be many retail systems where the customer must hand over their credit card to the cashier, as the smart card reader is physically situated in the EPOS system rather than the pad. In this instance, when the customer enters their PIN on the pad, a mechanism has to be in place to ensure that the PIN code is carried securely from the PIN pad to the EPOS system for the authorisation algorithm to process it, so that electrically "teeing" into the connecting cable between PIN pad and EPOS unit does not reveal the PIN code to an eavesdropper.
Smart cards have various mechanisms to protect against unauthorised persons trying to guess the four-digit PIN. Three consecutive entries of an incorrect PIN will cause the smart card to lock out, refusing to accept any further transaction attempts. The only way the card can then be recovered is by the issuing authority providing a PUK code (PIN Un-blocking Key). Entering this special code into the card will switch the card back to its normal operational state. A smart card will not accept PUK codes indefinitely to unlock it; typically after fifteen entries of a valid PUK code, the card will become permanently disabled and has to be replaced.
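The lock-out behaviour described above can be modelled as a small state machine. The following is an added example, not code from this article or from any card specification; the class and function names are hypothetical, and it assumes the fifteenth valid PUK entry disables the card rather than unlocking it.

```python
import hmac
from enum import Enum

PIN_TRIES = 3   # consecutive wrong PINs before lock-out (figure from the text)
PUK_USES = 15   # valid PUK entries before permanent disablement (figure from the text)

class State(Enum):
    ACTIVE = "active"
    LOCKED = "locked"        # recoverable with the issuer's PUK
    DISABLED = "disabled"    # permanent; the card has to be replaced

class CardModel:
    """Hypothetical model of the card's counters, not code from any real card."""

    def __init__(self, pin: str, puk: str):
        self._pin, self._puk = pin.encode(), puk.encode()
        self.state, self.pin_tries_left, self.puk_uses_left = State.ACTIVE, PIN_TRIES, PUK_USES

    def verify_pin(self, candidate: str) -> bool:
        if self.state is not State.ACTIVE:
            return False                      # locked or disabled: refuse every attempt
        # Spend the try before comparing, so an interrupted check is never a free guess.
        self.pin_tries_left -= 1
        if hmac.compare_digest(candidate.encode(), self._pin):
            self.pin_tries_left = PIN_TRIES   # only consecutive failures count
            return True
        if self.pin_tries_left == 0:
            self.state = State.LOCKED
        return False

    def unblock(self, puk: str) -> bool:
        if self.state is not State.LOCKED or not hmac.compare_digest(puk.encode(), self._puk):
            return False   # not locked, or wrong PUK (wrong-PUK limits are not in the text)
        self.puk_uses_left -= 1
        if self.puk_uses_left == 0:
            self.state = State.DISABLED       # fifteenth valid PUK entry (assumed reading)
            return False
        self.state, self.pin_tries_left = State.ACTIVE, PIN_TRIES
        return True

def guesses_evaluated(card: CardModel, guesses) -> int:
    """Number of PIN guesses the card actually checks before it stops accepting attempts."""
    checked = 0
    for guess in guesses:
        if card.state is not State.ACTIVE:
            break
        card.verify_pin(guess)
        checked += 1
    return checked
```

Running `guesses_evaluated` over all 10,000 four-digit values against a fresh card shows that only three are ever compared before the card locks.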
If the current trials in Northampton, UK, are successful, a roll out across the rest of the UK will take place. The target is to enable the whole of the UK to process Chip and PIN transactions by 2005. Most of the UK's ATMs and EPOS systems installed in recent years already support magnetic stripe and smart card readers. Thus most of the major retailers have the EPOS systems in place to support the Chip and PIN transactions. Staff training and software updates are all that is then required to implement the system.
It is likely that small retailers with EPOS systems that will only handle magnetic stripe cards will not be forced to discard their equipment and invest in new smart card based EPOS systems immediately. However, the banks may make the retailer liable for the value of any fraudulent transaction not performed using Chip and PIN. As it is anticipated that it will take some time to completely eliminate the magnetic stripe cards from the system, the practical reality is that retail EPOS systems must be able to handle both types of credit card transactions for several years to come.
The physical size of a smart card and the physical location and electrical features of them have been standardised. Similarly the electronic readers that read and write data to them are also standardised. The standards have been set by the EMV (Europay, Mastercard, Visa) body. EMV level-1 standards address the electrical and physical aspects of the card system. EMV level-2 standards define the data structures and mechanisms used on the smart card. The banking institutions throughout Europe, Middle East and Asia have agreed to these standards, so that eventually the same Chip & PIN system will possibly be used throughout those countries.
Martin Healey, pioneer in the development of Intel-based computers and c/s architecture. Director of a number of IT specialist companies and an Emeritus Professor of the University of Wales.