Westpac to serve chips with its credit cards

Westpac Bank is set to improve its security credentials and tackle card swiping scams by issuing credit card holders with chip-embedded smartcards.

Westpac is hoping to fight retail fraud and card skimming scams by moving to chip-based credit cards.

"The smartcards will be a replacement to [Westpac's] current magnetic strip and pin card," said Vince Lee, regional sales manager, ANZ, for banking security vendor SafeNet.

SafeNet recently implemented the secure processing function for Westpac's Europlay, Mastercard and Visa (EMV) standard system.

The EMV standard has been widely adopted in Europe to combat high rates of fraud where criminals copy the information stored on a credit card's magnetic strip.

Although Westpac has implemented the backend infrastructure to support EMV smartcard transactions, it has not said when the system will go live.

The banking industry has been preparing for the adoption of EMV cards. Australian merchants and banks last year made their transaction systems "EMV ready" while upgrading from the Single Data Encryption Standard (DES) to a later standard, Triple DES-based encryption.

"That was a huge project and cost to the industry just to update the system, which affects EFTPOS, ATMs and backend systems," said Lee.

There is also a major financial incentive for banks and merchants to adopt EMV smartcard technology, he said.

"At the moment, with magnetic cards, the liability lies with the issuing bank. So if a transaction is fraudulent for some reason, the liability will rest on the bank. If the transaction is performed under EMV with a pin, it falls back to Visa and Mastercard so there is some benefit there," said Lee.

Not-present transactions still exposed
While EMV cards will improve security for Westpac's customers when making transactions at retail outlets or restaurants, transactions that occur when the cardholder is not present -- such as online or telephone-based -- are still vulnerable to fraud.

"[Card skimming] is very open to card-not-present transactions. To prevent this, cards have a security code, which is a printed three digit number on the back of the card. But obviously if the card is out of sight, there's nothing stopping someone from noting it down or photocopying the front and back of the card," said Lee.

However there is an alternative to the EMV smartcard, which deals with the problem of Internet based fraud, Gabriel Haythornthwaite, director of banking security consultancy firm, Castelain told ZDNet Australia.

"ANZ have two types of cards which they are issuing," said Haythornthwaite. "EMV is for credit cards while true PKI (Public Key Infrastructure) cards, which are under Identrust standards, have been issued for business clients."

ANZ commenced development of its PKI infrastructure three years ago, which is supported by the federal government and allows ANZ's commercial customers to make secure transactions with the government, said Haythornthwaite.

The major difference between the two cards is that PKI card customers are issued with a reader attached to the customer's PC to secure online transactions, while only merchants are equipped with a reader to authenticate transactions using the EMV card.

Despite this, Intelligent Business Research Services (IBRS) analyst, James Turner, said the move to EMV cards is a "substantial and significant milestone" for both Westpac and Internet banking security.

While EMV cards at present do not improve the security of Internet banking, he said: "The cool thing about this is that smartcard readers -- although not widely available in Australia -- are available around the world and can be picked up for around AU$20."

Also, compared to SMS-based two-factor authentication, the move to EMV is good for banks, said Turner.

"SMS authentication is a great as a bridging solution but as it gets more popular, the costs for banks go up. That scenario, where you may be facing variable cost, is untenable. People like predictable costs," added Turner.