Computing Reviews
Implementing electronic card payment systems
Radu C., Artech House, Inc., Norwood, MA, 2002. 484 pp. Type: Book (9781580533058)
Date Reviewed: Jun 9 2003

Plastic credit and debit cards have become important payment instruments, particularly in the Western world. With the growth of the Internet and wireless networks, the possibility of electronic and mobile commerce is spreading to other parts of the globe as well. Traditionally, each of these cards is coated with a magnetic stripe that contains financial information pertaining to the consumer and to the card issuing authority. Magnetic stripe cards are “dumb,” meaning that they are merely memory cards and have no processing capabilities. The data held on the card is read by a card-reader and transmitted to a remote host for processing where the transaction is rejected or accepted.

Over the years, it has become apparent that dumb cards are vulnerable to fraud. Security infractions are not rare. With the growing importance of network-based remote transactions, security violations could increase with the current cards. Better technical protections against fraud are needed, with “smart” cards being one possibility. These are plastic cards embedded with an integrated circuit chip (ICC) instead of the magnetic stripe. Smart cards can store and process data. Assuming they are tamper resistant, their cryptographic features and local processing capabilities would reduce the risk of fraud. Hence, there is certainly a viable business application, in security terms at least, for migrating from dumb to smart cards. This book looks at various aspects of this application.

It begins with a good analysis of the infrastructure that makes credit and debit card payments possible. The author clearly analyzes the design of debit and credit cards, both dumb and smart, for use in face-to-face and remote interactions. This is a comprehensive statement of the scope of the work, and the book does indeed cover all the topics listed. The primary goal of the book appears to be the explanation and documentation of the EMV™ standard for credit and debit card payment systems.

One of the most annoying features of the book is the liberal use of acronyms in the absence of a glossary. So one either has to memorize the meaning of every acronym when it first appears, or search back through the book for its definition. I also found the frequent references to earlier or later sections in the book annoying, requiring the reader to do a fair amount of jumping around to understand the explanation while having to search for the meanings of the acronyms at the same time. For example, on page 21 we are told, “The security protections are implemented with the security mechanisms using symmetric cryptographic techniques (see Appendix D, sections D.5.2 and D.6.1).” In section D.5.2 we find, “The PIN image is produced with a one-way function which can be implemented with a MAC. This CVM is suitable if...” I could not find a definition of MAC or CVM before page 21. So I was sent from page 21 to pages 387 and 388, only to find acronyms and concepts that I had not yet come across. This occurs throughout the book and makes it difficult to follow, much less enjoy. A glossary for the acronyms as well as some key concepts is definitely needed.

Another weakness of the book is that, in some areas at least, it gets bogged down in detail before giving an overview that would put the details into context. For example, in section 3.2.2, we are given a very detailed description of the structure of the card file system long before any practical example of how this file system would be used.

Because of the above-mentioned difficulties, I could not read the book from cover to cover. The style of the book leads one to conclude that it is intended as an engineering reference book, rather than a tutorial-type textbook. It is not for the novice; it is more suited for people who already have a basic knowledge of the field, and are seeking to set up an electronic payment system based on the EMV™ specification.

Reviewer:  Fauzia Bajwa Review #: CR127747 (0309-0870)
Payment Schemes (K.4.4 ... )
Security (K.4.4 ... )
Security and Protection (K.6.5)
Data Encryption (E.3)