Card Security For Republic Bank Customers

There is no doubt that most organisations today are becoming essentially dependant on the use of credit cards, arguably its most strategic asset, is to support existing business operations.

However, credit card fraud and identity theft has continues to plague the banking and retail industries as there seems to be no feasible solution to these crimes. Advances in technology have opened a gateway for hackers to restructure their position of attack, intruding on one’s personal life.

The basis of this project is on the new Chip and PIN technology introduced on credit cards. I’ve considered this to be an interesting topic because of the ‘publicity’ this technology has been receiving across the world and it has even reached to our shores, here in Trinidad and Tobago. Hence, Republic Bank Limited one of the local banks would be the case studied in this research.

Chapter two would encompass the existing literature on credit card history and Chip and PIN. This chapter would outline how credit cards have become ‘smart cards’ and how the Chip and PIN cards are used.

Chapter three gives the entire design of the project and the objectives to be obtained for the research. Moving to chapter four, the research framework adopted for this study on Chip and PIN and how it relates to the model undertaken in the research.

The findings from this research would be summarized version of the data collected, with the analysis of the theory and research framework the author undertook in this study.

In concluding, the author would report on the learning aspects of the research and provide an assessment of achievements, giving a position on the research question.

Literature REVIEW

This section is intended to place the scope of the project with literature surrounding the components of the research question.

The Credit Card Transaction Process Discussed

This payment mechanism was formally introduced in 1958, when the BankAmericard card, now known as Visa was franchised across the global community. By introducing an electronic authorization system, the BankAmericard was able to be used globally. Now by partnering with banks across the globe, Visa has been able to provide an international processing system for the exchange of money. The workings of a credit card transaction are such that it comprises of four main steps. These are:

Authorization

Batching

Clearing

Funding

The cardholder requests a purchase from the merchant, which is then submitted to the acquirer by the merchant. The acquirer then sends a request to the issuer to authorize the transaction. Once the authorization code is sent to the acquirer verifying that credit is available, the transaction is authorized and the cardholder receives the product. (This is further explained in detail on page 9 of this document)

This simple process of electronic transacting has opened up a world of e-commerce opportunities. From an information system perspective the processing workflow of an online credit card transaction is shown below:

Figure 1: Online Credit Card Processing Workflow Diagram (Hubbard, 2003)

Because of the vulnerabilities that lay in a transaction, more so the networks across which the information is exchanged, various security breaches can occur.

Types of Credit Card Fraud

There are many different types of credit card fraud. Fraudsters are very innovative in finding new ways of committing credit card crime and as technology changes so does their crime tactics. Security issues surrounding the card fraud has moved from the traditional ways of committing credit card crime (Application Fraud, Intercept Fraud and Lost/Stolen Card Fraud) to the modern techniques namely, Skimming, Site Cloning and most recently Triangulation.

Skimming is the fastest growing type of credit card fraud around because of its simplicity. Pocket Skimming devices can be easily carried around and the cardholder’s data can be obtained by merely swiping the card through the battery-operated magnetic card reader. This technology has also evolved so as to read the data of Chip and PIN cards, with the use of a scanner. These scanners, which can write or even re-write the data on the Chip cards, are fully portable and have high storage capacities. Because some of these devices are not illegal, they are easily accessible to hackers and can be bought over the internet.

Site Cloning involves cloning an entire site or just the pages where customers make purchases. Since the web pages are identical customers are not aware that their personal information is being compromised. Also, confirmation details are sent to the customer just as the official company’s website would, so the crime goes undetected. The details entered on the cloned site are then used by the fraudster to commit credit card fraud.

Another method of credit card fraud is Triangulation. Goods are presented on websites at discounted prices, which can be shipped to the customer before payment. Again, just as with site cloning, the site appears to be legitimate then the customer proceeds to enter their personal data. With this captured information the fraudster can then order goods from legitimate retail websites using the credit card number obtained.

Due to these security issues surrounding credit card information security, there has been global industry-wide concern for the protection of cardholder’s data. Since security management is a systematic issue, a serious look at what can be done to prevent security breaches is necessary-whether it may be legislation, the use of fraud detection system monitors or the application of data encryption/ authentication techniques.

Chip and PIN Technology

Credit cards have been a feasible solution for making payment processing simple and efficient. The history of the credit card dates back to the 1900’s when oil companies and proprietors created their own credit card as a means of obtaining customer loyalty and improving customer service. However, as with advances in technology, the credit cards have evolved from having just encoded magnetic stripes to modern day Chip and PIN cards, with embedded microchips, which can store and transmit data. These Chip and PIN cards were developed to provide an inter-operative system that would combat card fraud (counterfeit and plastic cards). This transaction processing infrastructure has enabled the cash-less revolution, whereby consumers, governments and businesses benefit from the electronic payment network, which has shifted payments by cash and cheques to an efficient electronic payment system.

The mechanics of a credit card transaction is such that the merchant acquirer, usually the bank processes transactions on behalf of the merchant. This payment by credit card represents an offer for issuance of payment in exchange for the goods or services provided by the merchant, (Transaction Processing). There are two parts to this type of transaction processing: the first is front end processing which involves the capture of data messages across communication channels to the point of sale devices; and secondly the back end processing which involves the balancing of accounting information by acquirers and issuers and the submission of the payment to the acquiring merchant’s bank.

As a result of the rapid advances in technology, data security continues to be a major concern as every transaction that involves the transmission data across networks is open to external attacks. Attacks on a consumer’s card information can come from any angle, whether it may be data thieves or network intruders. The Payment Card Industry Security Standards Council (PCI SSC), which comprises of major payment brands namely VISA, MasterCard, Discover and a few others, have created global compliance standards to protect cardholders’ data. These set of standards help govern and educate all merchants and organisations that process, store and transmit data, as well as the manufactures of the devices used in transaction processing.

The PCI SSC (2010), Data Security Standard Quick Reference Guide, as summarized below, outlines the best practices for protecting cardholder data:

Develop and Maintain a Secure Network

Install and maintain firewall configuration to protect cardholder’s data.

Do not use vendor-supplied defaults for system passwords or other security parameters.

Protect cardholder’s data

Protect stored data

Encrypt transmission of cardholder’s data across open public networks

Maintain a vulnerability management program

Use and regularly update anti-virus software or programs

Develop and maintain secure systems and applications

Implement strong access control measures

Restrict access to cardholder data by business need to know

Assign a unique ID to persons with computer access

Restrict physical access to cardholder data

Regularly monitor and test networks

Track and monitor all access to network resources and cardholder data

Regularly test security systems and resources

Maintain an information security policy

Maintain a policy that address information security for all personnel

Nevertheless, despite these procedures in place, there has been amplified instances of the various types of credit card fraud, namely Intercept Fraud, Skimming, Site Cloning as well as Triangulation. This propelled an industry and government–led initiative in the UK to embark on the introduction of Chip and PIN card technology.

Based on the EMV standard (Euro pay, MasterCard, Visa) Chip and PIN technology was launched in the UK on February 14th 2006. This programme was introduced to combat credit and debit card fraud, and to provide an ideal way of validating the cardholder’s identity. By utilizing smart card technology a microchip is embedded with the customer’s information which includes their unique four digit PIN. For transactions to be accepted, the customer PIN entered must match the one encoded on the microchip. These steps are further explained below:

The card is inserted by the customer into the card reader.

The card reader would then prompt the user to insert their PIN.

A four-digit PIN is then entered by the customer. Once the reader accepts the PIN entered the transaction would be approved. Note the PIN entered is not displayed on the reader but rather represented by asterisks.

The customer is issued a receipt as confirmation of the transaction process.

This process removes the responsibility and accountability from the merchant to the customer for point of sale transactions. The card never leaves the customer’s hand and as such prevents skimming of one’s card information. One of the benefits of the Chip and PIN cards is that the Chip itself is encrypted with a range of security features, which the transaction processing system uses to identify the cardholder. These security features are said to be virtually impossible to replicate.

The terminals used for Chip and PIN transactions, use secure transmission technology to ensure the privacy of the cardholder’s data and can operate over a range of connectivity environments, such as wired, wireless and cellular networks. The PCI Security Standards Council also developed a framework of standards which is legally enforced through a merchant/service provider/card brand agreement. These include requirements that support the encryption of the cardholders’ account data and the point of sale terminal integration.

Figure 2: Outline of the process of a Chip and PIN transaction

The PIN entered replaces the request for signature as verification of the transaction. This is why the banking industry in the UK has campaigned for this technology, because signatures can be forged, however the PIN is unique to that person.

Although the United States is yet to convert to this technology, countries such as Japan, China, Canada, Mexico as well as the majority of the European Countries have all introduced Chip and PIN technology and it is gaining momentum in various other countries including Trinidad and Tobago.

Republic Bank Trinidad and Tobago Limited is the first local bank in Trinidad and Tobago to introduce Chip and PIN technology to make the concept of paying by credit card safer for cardholders. The bank adopted this type of technology because this is now an industry-wide conversion from the magnetic-stripe cards and it is also in keeping with the EMV standard.

Conversely, a potential security issue with Chip and PIN card terminals is its capability of processing cards with the magnetic stripe as well. Because of this the request to enter the customer’s PIN can be bypassed by the merchant, with a receipt generated to be signed by the customer. Now because this option is still available it poses an added security threat to card transactions.

So, unfortunately skimming still remains a huge problem for cardholders and sadly enough this includes Chip and PIN cardholders as well. Although this practice is slowly migrating from EMV compliant countries, once a card has been skimmed it can still be used in countries where the magnetic stripe is still prevalent, for example some Asian Countries and the United States. This is why many fraudsters can still create a fake card with stolen magnetic stripe information which can be used in for example the United States.

The United States believes that although Chip and PIN has reduced fraud for face to face card transactions, there are a still a number of issues surrounding the security of the system used for this these transactions. Now as with any new system introduced, there have been a number of studies on whether Chip and PIN cards are really secure. So the question is has Chip and PIN technology impacted on the activities of overall card fraud or has the activities of fraudsters shifted from retail crime.

In a study by Emily Finch (2010) The Impact of Chip and Pin Technology and The Activities of Fraudsters, it was recognised that since the implementation of Chip and PIN technology participants involved in card fraud made varying decisions when it came to their crime of choice.

The Decision to Desist

The Decision to Continue

To work with others

Shift to Distance Transactions

Diversification of Theft into Identity

The study also shows that there is a shift in the attack strategy of fraudsters from point of sale card fraud to Internet and Card Identity Fraud. In an analysis of Internet and Card Identity Fraud, we can note that Chip and PIN technology was not designed for preventing these types of card fraud. So, the question remains, was Chip and PIN successful at what it was set out to achieve......reduce card fraud? This too can be argued further as there are other limitations. How can one link a particular card to a specific owner? Once the PIN is known by the individual a transaction can be completed with ease. Other studies have shown that the card readers used for Chip and PIN transactions can be modified.

In a study by a team of University of Cambridge Computer Scientists, they have uncovered a series of fatal flaws in the Chip and PIN system. One example is where the internal hardware can be replaced without external evidence of this. This new terminal could then be programmed and modified so that it performs just as a typical terminal, where the card details can be collected and allow criminals to make cards with a fake magnetic stripe, which along with the PIN would enable a fraudster to make ‘valid’ purchases. Another example is that fraudsters can insert an electronic wedge between the stolen card and the terminal, which tricks the terminal into believing that the PIN was correctly verified.

Further, with this wedge inserted, any PIN can be entered and the transaction would be verified. This type of fraud makes it difficult for the victims of the attack to be refunded by the bank as the receipt given is authentic and would state verified by PIN. The bank in turn would be accurate in stating that no refund is required as their records show verified by PIN. This type of complaint appears as an act of negligence by the cardholder as he/she allowed their PIN to be compromised. So based on this study the point of sale attacks are much more prevalent, since before the introduction of Chip and PIN cards, consumers only entered their PIN at ATMs. Now with the introduction of Chip and PIN, consumers are using their cards at various other public areas. To combat the compromising of the consumers PIN a shield over the keypad has been used as added security but in many public areas there are video cameras and a person’s PIN can still be captured on footage.

So, although the UK banking industry has claimed to have rolled out this new technology successfully in 2006, there seems to be some negative aspects of this technology. The architecture surrounding Chip and PIN technology is questionable and the onus is on the banking industry to ensure that cardholder’s information is protected.

Additionally, it also seems that Chip and PIN terminals offer no difference to what the magnetic stripe terminals offered. These terminals can be tampered with, which is a clear indication that there needs to be accurate configuration of these terminals so as to secure the cardholders data when transmitting transactions and that is not vulnerable to incident of attack. So the intent of Chip and PIN technology has more so opened a new marketplace for fraudsters than prevent/reduce fraudulent activity.

PROJECT DESIGN, OBJECTIVES AND RESEARCH METHODS

The scope of this project is to outline the features of Chip and PIN technology and whether its implementation thus far has been beneficial. This section of the project would provide the methods involved in achieving the data for the project as well as the results based on the data collected. The chosen approach to this design is online research (journals/scholarly articles) along with a case study on the implementation of Chip and PIN technology in Trinidad and Tobago, with the case being Republic Bank Limited.

Objective 1

A good foundation for this objective would be the interpretation of the credit card’s history. How has this cash-less mechanism moved from a local innovation to a global payment mechanism by use of digital communication across networks? In gaining a clear understanding on the reason for the implementation of this technology, a wealth of research would be conducted on credit card technology and digital security.

Objective 2

A holistic understanding on the basis of credit card fraud and the types of fraudulent activities and the steps taken to prevent credit card crime. What technologies have been implemented and the effects/benefits drawn from these approaches.

Objective 3

Expanding from objective two also discussed would be whether or not since the introduction of Chip and PIN technology in the UK, has there been a cascading effect of this new technology across countries. Analysing the increasing number of fraudulent activities reported from statistics, which compelled the global banking industry to find a seamless solution for the protection of cardholder’s data.

Objective 4

An assessment on the introduction of Chip and PIN technology by Republic Bank Limited, which would include sourcing information on its implementation and the benefits derived. Further research would be on the acceptance (or non-acceptance) of the technology by customers.

Objective 5

Lastly, from the feedback received from the interview conducted and by analysing the incidents of attack on Republic Bank credit cardholders, what was the determining factor in the bank aligning themselves with the UK standards set by EMV?

CONCEPTUAL FRAMEWORK

In identifying the framework to be adopted that can be referenced to the literature in this research, the author considered the Delone and Mc Lean IS Success Model. Using this model, the author would explain the net benefits of adopting Chip and PIN technology, relating it to Republic Bank’s implementation of this technology.

DeLeone and McLean IS Success Model

In evaluating the success of Information Systems, the D&M IS Success Model, ‘systems quality’ measures the technical success, ‘information quality’ measures semantic success and ‘organisational impacts and user satisfaction’ measures the effectiveness of the system. The processes in the model are inter-connected by links, across the dimensions of the system.

Figure 3: Depiction of the Updated Information Systems Success Model (DeLeone & McLean 2002, 2003)

The updated D&M Model interprets the evaluation of a system in terms of the information, system, and service qualities and how these characteristics attribute to user satisfaction. As a result of using the system, certain benefits will be achieved and the net benefits will in turn (positively or negatively) influence user satisfaction and the further use of the information system. So, therefore three basic components make up this model, the creation of a system, its use and the consequences of its use.

Case study as it relates to the ISS model.

Republic Bank has been providing banking and financial solutions to individuals and businesses for over 160 years. Their mission is not only to provide efficient and competitively priced services but also to implement sound policies which will be beneficial to their customers. These factors presented provide clarity and influences the net benefits of the implemented Chip and PIN system at Republic Bank thus far.

By use of the ISS model to map the research done in this project, the author would complete a step by step relay of the framework discussing the implementation of Chip and PIN by Republic Bank.

Information Quality-Information quality refers to the accuracy/protection of the content of the data in transacting. How secure is the personalized data being transmitted across networks. When a customer presents their card to make a purchase, are they confident that their card information is protected because of the added security enabled on this card.

System Quality-The system quality refers to the reliability of the network and the response time in transacting, notwithstanding the approved devices that accept personal identification numbers for all PIN based entries (the ease of use of the system functionalities). Therefore in rolling out this new technology the bank along with their partner merchants would train staff so that they are familiar with the best practice guidelines when using Chip and PIN.

Service Quality-This refers to the back-end support systems that assist in usage of the technology. How reliable are Republic Bank’s servers and IP networks?

User Satisfaction- This encompasses measuring the user’s entire experience-the purchase payment, receipt and service (the ease of purchasing without the fear of being a victim of fraudulent activity).

Net Benefits -This is the most important success measure and it encapsulates the cost savings and the decrease in the value of fraudulent transactions arising from stolen credit card data. Was the implementation of this technology beneficial in reducing the incidents of card fraud? Are Republic Bank cardholders satisfied that their bank is on par with global industry changes?

The focus of this success model lies in determining the impact the features of technology (information, system, and service quality) have on the variables user satisfaction, use, and net benefits. The main objective for using this ISS model is to establish the ultimate benefits derived from the use of information system both in individual and organizational terms.

FINDINGS

This chapter will illustrate the findings from the questionnaires submitted to a sample of the Republic Bank’s credit card customers as well as a formal interview conducted with an employee of Republic Bank Credit Card Centre. The aim of the chapter is to source an awareness of the topic area Chip and PIN by cardholders and the personnel interviewed.

Primary Data Collection

For the basis of the findings of this research the author conducted a formal interview with a middle management employee at Republic Bank and also distributed questionnaires to a sample of the bank’s credit card customers. A summarized version of the responses from the interview is represented in this chapter, based on the interviewee’s knowledge.

The questionnaires distributed were mostly closed questions so as to deliberately avoid open-ended respondent answers. Approximately 120 questionnaires were distributed to Republic Bank Customers. Only the answers to the key questions are represented in this chapter.

Summarized responses from the interview

This interview was conducted with the Supervisor, Card Services, which prove to be very insightful. The Supervisor spoke about the bank’s vision for their credit card market, and how they plan to continuously innovate so as to maintain their customer base and attract new ‘profitable’ customers. Since the credit card industry is a highly competitive one, the bank is constantly reviewing their interest rates and looking for new ways to give customer returns from the use of their credit card. Due to his long tenure at the bank and having the customer service background, the supervisor was able to give insight on what infuriates a credit card customer. He explained that customers become frustrated when they see added charges and puffed up late fees placed by the bank on their card statements. In view of the fact that most customers do not read the fine print when completing a credit card application, they are not totally aware of all the charges that can arise from delinquent payments. He further added that although queries like this can be explained by representatives at the bank who can provide valued solutions to the cardholder’s problem, the most infuriating of all queries from customers are unexplainable purchases on their account. At Republic Bank, fraudulent activity on a card can be detected from the use of their state-of-the-art security systems and their experienced fraud expert team that are in place to monitor and detect any unusual activity on a customer’s credit cards, but even with these measures in place, fraud can occur.

The supervisor expressed that by implementing Chip and PIN technology for credit cards, the bank was able to be a step ahead of the competition and most importantly the card criminals. He also stated that although credit card fraud is not as prevalent in Trinidad and Tobago as in the developed countries, continuous education in counteracting fraudulent activities for their customer base is an effective method of addressing credit card fraud. He explained that Republic Bank has not had many eye-opening occurrences of notified credit card fraud but they believe that Chip and PIN technology is an innovative solution to the likelihood of this problem.

He was also truthful in expressing that this technology is still new to the industry and all merchants have yet to convert to Chip and PIN enabled machines, therefore there is a window of opportunity for fraud until merchants are mandated to have these Chip and PIN enabled machines. He used the term mandate, because eventually all Republic Bank debit cards would also be chip enabled.

In summing up the interview the author probed the supervisor on the bank’s position on the studies done by the University of Cambridge team on Chip and PIN technology and the tested flaws of the system. His response was quite interesting, because it ventured into a thought-provoking discussion on research. He lamented that the sphere of research done on any topic would result in the researcher seeking out the positive and negative aspects of it. How the data is interpreted, reflects the real value of the research done.

Questionnaire Findings

Question 5: How often and where do you frequently use your credit card to make purchases?

Aim: To assess how often the average Republic Bank cardholder uses their credit card.

Findings: Most Republic Cardholders in this study used their credit card regularly, at least five times per month. Credit Cards are used for purchases at the supermarket, restaurant and retail clothing stores.

Question 6: Has your credit card information ever been compromised? If yes provide details.

Aim: To determine the number of incidents of attack on Republic Bank credit card holders.

Findings: Less than 50% of the respondents have never had their credit card data compromised.

Question 7: Do you understand the workings of Chip and PIN technology introduced to Republic Bank credit cardholders and the value to be derived from using this technology?

Aim: To determine the extent of the customer’s perception of this technology’s value and how the card is used.

Findings: Although some customers are guarded about the use of their credit cards, most of the respondents are confident in the service that Republic Bank provides and believes that implementing Chip and PIN gives them that added security against fraudulent activities, especially those customers that frequently travel abroad.

Question 8: How do you think by using Chip and PIN cards for making payments will make it easier in transacting?

Aim: To establish the efficiencies in the use of Chip and PIN cards, on the time taken to complete a transaction.

Findings: Many customers applaud this technology as it reduces the time taken at the cash register when making purchases. It is simple, easy and convenient and most customers are truly happy as there is no need to write their signature. For this reason they find the system most efficient as it prevents their signature from the likelihood of being forged.

ANALYSIS

The main objective for the research completed on this topic, was to show how and to what extent the adoption of Chip and PIN technology has improved credit card security for Republic Bank cardholders.

At a glance, before Chip and PIN technology was introduced in the UK, there was nation-wide educational literature on the benefits of the technology for banks, merchants and most importantly, the customers. However, it seems that this programme led by EMV, created more enthusiasm in the build-up to its implementation rather than the actual usage of the system. From the research, the mounting negative features of the technology and use of the system is outweighed the decreasing positive ones. It seems that the card theft criminals were focused on a solution to obstruct the successful use of the technology before the intention to use.

The question remains, which facet of credit card fraud has Chip and PIN really reduced? The research show that for point of sale transactions Chip and PIN has been useful in the prevention of skimming one’s card information, however the fraudsters have found alternative ways to improve on that tactic. Chip and PIN technology can only be used “successfully? for point of sale transactions and not online transactions, so fraudsters have modified their techniques as with the modifications of the technology.

Based on the research framework adopted, Republic Bank has measured their net benefits of adopting the Chip and PIN technology by encircling the information, service and system qualities to deliver user satisfaction and usage of the system with this technology. The success of any information system is multi-dimensional and the relationships among the constructs relate to the comprehensive evaluation of the system. The variable dependent on these constructs are the net benefits of this system, and for whom?

This local company has applauded this development and they are moving to enable all their plastic cards with embedded chips. For a regional bank that has not been plagued by customers being victims’ card fraud, they value Chip and PIN as immensely beneficial in giving the bank a market advantage. It seems that Chip and PIN technology provides greater benefit to smaller banking industries than those on the wider scale.

The data obtained from this research does not give conclusive evidence that by implementing Chip and PIN technology to reduce overall card fraud is not effective. In some markets such as Trinidad and Tobago, Chip and PIN has been a huge success in the bank’s operations, but in others and more so the ones where credit card transactions are used most frequently, transaction are open to attack.

As iterated by the Supervisor at Republic Bank, there would always be positive and negative aspects of newly implemented technologies and system, sometimes the negative outweighs the positive. However, how the negative aspects are addressed and reworked shows the strength and stability in the technology and how it can be further developed.

CONCLUSION

Report Assessment

The insight gained from this project has made be aware of not just accepting ‘the next big thing’ in technology. I’ve discovered that there are always drawbacks to new systems, and some systems may be suited for a particular environment. Additionally, the implementation of any new technology is not a hard and fast method; there is always room for improvement.

Further the author believes that if an interview was secured with at least one person from upper management, namely the Chief Information Officer, the scope of the research paper may have taken a different angle.

Nevertheless, the author has achieved the objectives sought and that is to show that Chip and PIN technology has enhanced the card security at Republic Bank. Although the company has not had many instances of card fraud on a large scale, this Chip and PIN technology is a major step in their protection of cardholder’s data against card crime.

Learning Outcomes

From writing this research paper, the author has realised and has come to appreciate the work presented by other researchers and the dedicated effort that must be placed into it. Writing a research paper gives an author the opportunity to really search deep within the study and present their views from a somewhat unexpected angle standpoint.

Another learning experience from this research is reading and seeking out the important aspects of a topic and developing your views, but the main goal for any research is to carefully map your tasks and stick to the schedule.

Although developing this research paper has been a huge sacrifice the wealth of knowledge gained from the study surmounts any other course that I have studied for this degree programme.

References and Bibliography

Bibliography

Conford, T. and S. Smithson. Project Research in Information Systems.

(London: Palgrave, 2006) second edition [ISBN 1403934711]

Gillham, B. Developing a Questionnaire. (London: Continuum, 2000) [ISBN 0826447953]

Hart, C. Doing a Literature Review. (London: Sage, 1998) [ISBN 0761959750]

Oates, B. J. Researching Information Systems and Computing. (London, Sage, 2006)

[ISBN 141290224X]

References

Stephen Hubbard, (2003), card processing workflow [ONLINE].

Available at: http://www.techrepublic.com/i/tr/cms/contentPics/u00220030530gcn01_A.gif

[Accessed 10 December 10]

Muller Benjamin, (2002), Depiction of Updated Information Systems Success Model (DeLeone & Mc Lean 2002, 2003) [ONLINE].

Available at:http://www.fsc.yorku.ca/york/istheory/wiki/images/9/91/D%26M2002.jpg

[Accessed 16 December 10]

EMVCo, “About EMV,? November 2009 [ONLINE]. Available at:

http://www.emvco.com/about emv.aspx

[Accessed 12 December 10]

Murdoch, Stephen J. et al (2010) Chip and PIN is Broken: 2010 IEEE Symposium on Security and Privacy held at the University of Cambridge, UK.

Finch, E 2010. Strategies of adaptation and diversification: The impact of Chip and PIN and the activity of fraudsters. Security Journal, Vol.00, 0, 1-18

Watts, S. (11 February 2010) New flaws in Chip and PIN system revealed. Available from:

www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

[Accessed 4 January 11]

De Leone, W, et al (2003) The DeLeone and McLean Model of Information Systems Success: A Ten-Year Update. Journal of Management of Information Systems, Vol 19 No.4, 9-30

PCI Security Standards Council (2010), PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

[Accessed March 15 11]

appendices

appendix 1

Topic Area Proposal

Author: Sherryce Wilson

Date and Revision Number: December 18th Draft 4

Working Title: An analysis into the evolution of Chip and PIN card technology as a solution to providing a secure medium for information security in the UK and the wider global community. Has this technology proven to be a successful security measure in transaction processing? Is this technology beneficial to the banking industry in Trinidad and Tobago?

Main Theme: Information security continues to be a major concern for credit cardholders worldwide. Because of the current surge of identity theft and credit card fraud across the world; within the past decade many advances in smart card technology has been geared towards creating an efficient system to protect the cardholders’ information when cards are used locally and across geographic boundaries. The main question by banking industry is whether the introduction of chip and pin technology has proven to be an answer to this problem?

Research Questions:

Explain the evolution of credit card technology?

How can one’s credit card information be compromised?

What is Chip and PIN technology and how has it supported in providing cardholder information security?

Has Chip and PIN technology gained user acceptability across the banking industry in the UK and wider global community?

What are the changes required and the implications of implementing Chip and PIN technology in Trinidad and Tobago?

Outline of Argument or Position: In this project I will investigate the evolution of card technology to Chip and PIN. I would also illustrate the how a cardholders’ information can be intercepted and thereby impede on one’s financial stability.

Also, I would show how the EMV (Euro Pay, Visa, and MasterCard) has partnered with the British government to implement Chip and PIN technology as part of a national program and also how its use has resulted in a domino effect across countries. Additionally, I would try to argue the end-user perspective on Chip and PIN technology, and whether it has maintained the expectations as a secure identity verification tool for point of sale transactions, or whether there are fatal flaws in this new technology. Lastly, I would analyse the credit card industry in Trinidad and Tobago via case study with the case being Republic Bank Trinidad and Tobago Limited and the benefits and implications surrounding the use of this technology in this country.

Links to wider Information Systems Issues: This project encompasses the discussion on the topic of Security Issues and the Digital Environment. Other units in this degree for example Sociology and Information and Communication Technologies have also contributed to the groundwork of this project.

Five key words or phrases for use in an online research:

Chip and PIN Technology

EMV (Euro Pay, Visa and MasterCard)

Credit Card Fraud

Digital Security/Credit Card

Transaction Processing Systems

Alternative ways to research the topic and to collect data:

National Library and Information Systems Authority (NALIS)

IS Journals and Scholarly Articles

Online Research

Formal Interview with IT personnel at Republic Bank Limited

Research Framework: De Leone and Mc Lean IS Success Model

Required Resources and Issues of Access: The main resource for research of this topic would be online research, case studies on the topic area as well as scholarly articles. A formal interview with banking personnel on the implementation of Chip and PIN in Trinidad and Tobago would be conducted and questionnaires distributed to Republic Bank credit cardholders. Foreseeable issues would be the availability of the banking personnel as well as articles on the implementation of Chip and PIN technology in various countries.

Assessment of Required Skills and Techniques: Excellent research techniques and analytical thinking is required for the basis of this research.

Reference to five articles or books relevant to the topic, that have been read by the author:

Doing a Literature Review

How to Research

Strategies of Adaptation and Diversification: The impact of Chip and Pin Technology and on the Activities of Fraudsters

Chip and PIN is Broken (2010 IEEE Symposium on Security and Privacy)

Project Research in Information Systems

Justification of Interest to Others:

This topic is important because it opens insight into the protection of your personal information and the vulnerabilities of data being exchanged across networks.

APPENDIX 2

Project Specification

Research Question: Has the adoption of Chip and PIN technology enhanced credit card security for Republic Bank customers.

Objective 1: To examine the process involved in a credit card transaction and how it has become a popular medium for purchases.

Activities: Read the history of credit cards, review online research articles

Deliverable: To discuss and explain the evolution of credit card technology from the automated chip credit card to Chip and PIN cards.

Objective 2: To review the global perspective on the issue of surrounding digital security mainly credit card fraud and identity theft.

Activities: Analyse case studies on the nature of credit card fraudsters and how it has developed into this new familiar crime, identity theft.

Deliverable: Use literature from Journals for write up in the Introduction

Objective 3: Link the theories in the research framework to the research done in this study

Activities: Review Journals, Case Studies and Articles on the IS theories that relate to the information surrounding this research.

Deliverable: Develop my own views on Chip and PIN technology, linking this to the IS theories in my research.

Objective 4: Give an explanation on the reason for the implementation of Chip and PIN technology in the UK and include any articles which give an account of tested flaws in the system.

Activities: Review studies on the implementation of chip and pin technology. This is the basis of the Data Findings, which should envelop the introduction of Chip and PIN in the UK, the processes involved in using this new system and studies done by University Research Centres.

Deliverable: Give a detailed account on the implementation of this technology. Is the system used for chip and pin transactions (point of sale and online) an accepted transaction processing system.

Objective 5: To determine the whether the implementation of Chip and PIN technology in Trinidad and Tobago brought the success intended.

Activities: Distribute questionnaires to customers and conduct interviews with persons from one of the well-respected banks in Trinidad and Tobago. Explain the banks approach to moving in this direction in providing customer satisfaction.

Deliverable: Findings & Analysis