CB2 EFT POS PROTOCOL A USER PERSPECTIVE - Cashless …


CARTECH srl - All rights reserved

CB2 EFT POS PROTOCOL

A USER PERSPECTIVE

1

Claudio Canella

Partner of Argentea, CEO Cardtech Italy

Former member of the Italian banking association working groups for the adoption of the ISO 8583 protocol and the standardization of EFTPOS national systems, on behalf of a national transaction processor

Member of EU funded projects for Contactless and NFC technologies

2

• A glance at the STARTING POINT
– A lot of different EFTPOS terminal vendors
– A lot of different EFTPOS transaction processors
– A lot of different protocols and features
– A lot of different Security and Testing specifications
– Competition at the same merchant by several Acquirers (Credit and National Debit cards)
– Often more than one EFTPOS terminal at the same merchant and at the same counter
– EFTPOS deployment procedures different from one processor to another one

3

BEFORE CB2 EFT POS PROTOCOL

4

BEFORE CB2 EFT POS PROTOCOL

• PATH1 mostly using proprietary protocols and features
• PATH2 depending on PATH1

• STARTING POINT
– May be acceptable at a «Systemic level» during the initial development of the electronic transactions market
– High level of competition
– Fast development of competitive services
– Focus on investments and market acquisition rather than on costs and efficiency
– Security levels depending on each single EFTPOS vendor and Processor
– No national standards definition

5

BEFORE CB2 EFT POS PROTOCOL

• BUSINESS RATIONALE
– Reducing the Total Cost of Ownership of the EFTPOS terminal

• Defining standard EFTPOS:
– Protocols
– Security Procedures
– Basic Services and Requirements
– Deployment Procedures
– Allowing competition on the market by the stakeholders
– Allowing sharing of EFTPOS terminals by several acquirers

6

CB2 EFT POS PROTOCOL

– «Consorzio Bancomat», owned by the Italian banks through the Italian Bankers Association, controls the Bancomat and PagoBancomat brands.

– «Consorzio Bancomat» is the technical body which defines the rules, regulations and specifications to be applied to the national Card Debit Schemes for EFTPOS (PagoBancomat) and ATMs (Bancomat)

– A decision was taken to implement the specifications of the CB2 EFTPOS protocol to satisfy the Business and technical requirements

7

CB2 EFT POS PROTOCOL

– To deploy the Encryption keys on EFTPOS terminals already deployed at merchant sites, without having to collect the terminal to bring it to the «Acquirer» in protected environments managed by the Banks.

– The keys were to protect the card data, the PIN data and the transaction data

– To manage the EFTPOS terminals by more than one Merchant Processor and the capability to replace one Merchant Processor with a different one to avoid EFTPOS terminal pickup and substitution with a similar one.

8

CB2 EFT POS PROTOCOL

– The Highest level of protection was to be assured also to all the «sensitive parameters» of the terminal configuration.

CB2 PROTOCOL

– A PKI Infrastructure has been defined using ISO Digital Certificates

– Mutual Authentication on PATH1 and PATH2 and on technical activities (deployment, substitution, maintenance)

– Highest level of security on all the information managed to/from the EFTPOS terminals.

– ISO 8583 Standards Protocol implementation

9

CB2 EFT POS PROTOCOL

10

CB2 EFT POS PROTOCOL

– The ISO 8583 «Transport Layer» has been adopted for all the «messages» coming to and from an EFTPOS terminal

– Definition of the meaning, the values and the security level of any information «transported» by the ISO8583 Protocol

– High level of compatibility with ISO8583 Interchange (PATH3) Protocols

11
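The two slides above say that CB2 reuses the ISO 8583 message layer and then defines, per transported element, its meaning, allowed values and security level. The example below is added here to make that concrete; it is not CB2, Consorzio Bancomat or Cardtech code, and it does not reproduce the CB2 field definitions. It assumes the generic ISO 8583 (1987-style) layout: a 4-digit MTI, a 16-hex-character primary bitmap, an optional secondary bitmap when bit 1 is set, fixed-length and LL/LLLVAR fields in ASCII, binary fields carried as hex. The field subset, the hypothetical sensitivity classes (`clear`, `mask`, `secret`, `integrity`) and the sample messages are all constructed for the example. It shows what a terminal or host log filter needs from such a definition: which fields may be logged as-is, which only masked (PAN), which never (PIN block, track 2) and which only as present/absent (MAC).

```python
"""ISO 8583 (1987-style) codec with per-field sensitivity classes.

Added example, not CB2/Consorzio Bancomat code. Layout and field subset are
generic ISO 8583 assumptions (ASCII encoding, hex bitmaps, hex for binary
fields); the sensitivity classes are hypothetical, not the CB2 security levels.
"""
from __future__ import annotations

# field number -> (name, kind, length, sensitivity)
# kind: "fixed" = exactly `length` chars; "llvar" = 2-digit length prefix,
# at most `length` chars; "lllvar" = 3-digit prefix.
# sensitivity: "clear" loggable, "mask" loggable masked, "secret" never
# loggable, "integrity" logged as present/absent only.
FIELDS: dict[int, tuple[str, str, int, str]] = {
    2:  ("pan", "llvar", 19, "mask"),
    3:  ("processing_code", "fixed", 6, "clear"),
    4:  ("amount", "fixed", 12, "clear"),
    7:  ("transmission_datetime", "fixed", 10, "clear"),
    11: ("stan", "fixed", 6, "clear"),
    22: ("pos_entry_mode", "fixed", 3, "clear"),
    35: ("track2", "llvar", 37, "secret"),
    37: ("rrn", "fixed", 12, "clear"),
    39: ("response_code", "fixed", 2, "clear"),
    41: ("terminal_id", "fixed", 8, "clear"),
    42: ("merchant_id", "fixed", 15, "clear"),
    49: ("currency", "fixed", 3, "clear"),
    52: ("pin_block", "fixed", 16, "secret"),
    55: ("icc_data", "lllvar", 999, "clear"),
    64: ("mac", "fixed", 16, "integrity"),
    70: ("network_mgmt_code", "fixed", 3, "clear"),
}

# Constructed sample: a 0200 authorization request with a test PAN, a PIN
# block and a MAC (all values are made up for the example).
SAMPLE_AUTH: dict[int, str] = {
    2: "4111111111111111", 3: "000000", 4: "000000001250",
    7: "0601120000", 11: "000123", 22: "051", 41: "TERM0001",
    42: "MERCHANT0000001", 49: "978", 52: "0123456789ABCDEF",
    55: "9F3303E0F8C8", 64: "FEDCBA9876543210",
}


def _bitmap(fields: dict[int, str]) -> str:
    """Build the primary (and, if needed, secondary) bitmap as hex text."""
    bits = 0
    for n in fields:
        if n < 2 or n > 128:
            raise ValueError(f"field number {n} out of range")
        bits |= 1 << (128 - n)          # bit 1 is the MSB of the 128-bit map
    if bits & ((1 << 64) - 1):          # any field 65..128 present?
        bits |= 1 << 127                # bit 1 announces the secondary bitmap
        return f"{bits:032x}"
    return f"{bits >> 64:016x}"


def encode(mti: str, fields: dict[int, str]) -> str:
    """Serialize MTI + bitmap(s) + fields in ascending field order."""
    out = [mti, _bitmap(fields)]
    for n in sorted(fields):
        name, kind, length, _ = FIELDS[n]
        value = fields[n]
        if kind == "fixed":
            if len(value) != length:
                raise ValueError(f"field {n} ({name}) must be {length} chars")
            out.append(value)
        else:
            prefix = 2 if kind == "llvar" else 3
            if len(value) > length:
                raise ValueError(f"field {n} ({name}) longer than {length}")
            out.append(f"{len(value):0{prefix}d}{value}")
    return "".join(out)


def decode(msg: str) -> tuple[str, dict[int, str]]:
    """Parse a message; reject undefined fields, bad lengths and trailing data."""
    mti, pos = msg[:4], 4
    primary = int(msg[pos:pos + 16], 16)
    pos += 16
    bits = primary << 64
    if (primary >> 63) & 1:                      # secondary bitmap follows
        bits |= int(msg[pos:pos + 16], 16)
        pos += 16
    fields: dict[int, str] = {}
    for n in range(2, 129):
        if not (bits >> (128 - n)) & 1:
            continue
        if n not in FIELDS:
            raise ValueError(f"field {n} present but not defined in this profile")
        name, kind, length, _ = FIELDS[n]
        if kind == "fixed":
            size = length
        else:
            prefix = 2 if kind == "llvar" else 3
            size = int(msg[pos:pos + prefix])    # non-digits raise ValueError
            pos += prefix
            if size > length:
                raise ValueError(f"field {n} ({name}) length {size} > {length}")
        value = msg[pos:pos + size]
        if len(value) != size:
            raise ValueError("truncated message")
        fields[n] = value
        pos += size
    if pos != len(msg):
        raise ValueError("trailing bytes after last field")
    return mti, fields


def log_view(mti: str, fields: dict[int, str]) -> dict[str, str]:
    """Return the only representation of the message that may reach a log."""
    view = {"mti": mti}
    for n, value in fields.items():
        name, _, _, sens = FIELDS[n]
        if sens == "clear":
            view[name] = value
        elif sens == "mask":               # keep BIN and last four digits only
            view[name] = (value[:6] + "*" * (len(value) - 10) + value[-4:]
                          if len(value) > 10 else "*" * len(value))
        elif sens == "secret":
            view[name] = "<redacted>"
        else:                              # "integrity": presence is enough
            view[name] = "<present>"
    return view


if __name__ == "__main__":
    wire = encode("0200", SAMPLE_AUTH)
    print(wire)
    print(log_view(*decode(wire)))
```

The decoder deliberately fails closed: a field whose number the profile does not define, a length prefix above the field's maximum, or a message shorter than its bitmap promises all raise rather than being skipped, because a lenient parser is exactly where an unexpected element slips past the per-field security classification.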

CB2 EFT POS PROTOCOL

12

CB2 TERMINAL PREPARATION

– We need to manage different requirements in terms of firmware and software updates on terminals, remote configuration, transactions, etc.

– Different entities entitled to execute different operations at different levels
• The terminal vendor needs to have full control of the Operating System, Firmware and Security Libraries, but not of the parametrization for payment transactions

• At the same time third parties need to be able to write and load proprietary applications without affecting EMV certifications

• Managing different Terminal Management System (TMS) but limited to specific operations

13

CB2 EFT POS PROTOCOL

14

CB2 MANAGING TERMINALS


15

CB2 EFT POS PROTOCOL

16

CB2 REMOTE CONFIGURATION

17

CB2 REMOTE FIRMWARE/SOFTWARE UPDATES

18

CB2 REMOTE RIGHTS CHANGES

– One National Standard applied
– Transparent Procedures for Certification
– Full Remote Management of Terminals
– Standardization
– Enhanced Security

19

WITH CB2 EFT POS PROTOCOL

• From the Business Point of View
– Great Flexibility in implementing new functionalities
– Lower Total Cost of Ownership of EFTPOS Terminals
– Remote Management
– Reduction of expensive «in-field» technical activities

20

WITH CB2 EFT POS PROTOCOL