Having worked for a long time in banking software, and in particular on all kinds of electronic payments, I put together with my colleagues a mini-FAQ on bank plastic cards. Some of the answers are obvious, others are far less clear-cut. In Russia the plastic card business is gaining momentum, which is nice, and it is better to know how the “hardware” works.
So, 10 common misconceptions.
1. The amount of money is stored on the card itself.
There is no money counter on an ordinary credit or debit card (even one with a chip). The card is just an identifier. The exceptions are special additional wallet applications on chip cards. Usually these are discount programs, virtual money (for example, liters of gasoline) and so on: something not directly related to the normal use of the card. But such special applications are accepted only by retail outlets that participate in supporting that particular type of card.
2. Anyone who wants to accept card payments can connect directly to Visa, Mastercard or any other international system.
You cannot simply connect anyone directly to Visa or Mastercard. Only large banks or independent processing centers can do this, since it requires special equipment, considerable insurance deposits, security certification and many other “little things” (not every bank can afford it). Everyone else who wants to accept cards uses their services.
3. ATMs and payment terminals are connected directly to Visa or Mastercard.
The major international payment systems do not operate their own ATMs or payment terminals. Every ATM or terminal necessarily belongs to some bank, which in turn is connected to the payment system either directly or indirectly (see item 2).
4. I have $200 on the card. That's all I can spend.
The balance on the account and the amount that can be spent from the card per day are largely decoupled. It makes more sense to talk about the card's daily limit. The daily limit depends on many factors and can be either less or more than the account balance. For example, even if there is a million in the account, you will hardly be allowed to withdraw more than a few thousand a day at an ATM (and this is not a restriction of the ATM as a device). And conversely: if you are a VIP client who usually has millions in his account, and you are now at a casino and have already blown everything, then after a call to the bank, on an individual basis, one of the senior managers can order the right limit set for you so that you can still pay. In that case the bank takes on the risk that you will pay it back later.
5. When you enter the PIN, the ATM or payment terminal itself checks it.
In the overwhelming majority of cases, any use of the card means contacting the bank that issued it. If you put a Sberbank card into an ATM in Australia, permission to dispense the money will still be requested directly from Sberbank, right there while you wait. This is because the PIN can be verified only by the bank that issued the card. The exception is chip cards: they can verify the PIN themselves (since the chip card is itself a minicomputer that can perform cryptographic functions). Also, when the card is used to pay for a purchase (rather than to withdraw cash), the outlet sometimes does not contact the authorization center for each purchase if the amount is below a certain limit. This can make sense for small amounts, when the purchase is worth less than the cost of a session over the electronic channel. Since the amounts are small, and cards authorized this way often have daily counters, the risk of large losses from fraudulent transactions is also small.
6. The PIN is recorded on the magnetic stripe and can be “stolen” by any bank employee; you only have to look away while your card is in his hands.
In fact, what is recorded on the magnetic stripe is a cryptographic digest of the PIN and the card number, computed with a cryptographic key that is stored inside a highly protected piece of hardware at the bank. That is, with the data from the magnetic stripe you can only verify a PIN, and even then only if you know the secret key. Typically 3DES is used as the encryption algorithm. The “highly protected piece of hardware” is a device for storing keys and performing cryptographic operations with them. That is, after the keys are initially entered (personalization) into this device, they are never transmitted outside its physical case in the clear.
In addition to serious physical protection measures for these devices, they also have tamper protection of their own. For example, if you try to open the case to attach a “sniffer”, all the keys are automatically erased.
The initial entry of keys is an interesting procedure. The following scenario, for example, is realistic. N bank security officers are chosen, say 3 (ideally they should not even know each other personally). Each generates a key component and, of course, shows it to no one. Then they go one at a time into the room with the key-storage equipment, and each enters his own component. When all the components have been entered, the device XORs them together and stores the result internally as the key. As a result, nobody knows the key at all. To reconstruct it, you would have to obtain the original components from each of those N security officers, who are obliged to guard their stashes carefully.
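The two ideas in this item, the stripe carrying only a keyed verification value rather than the PIN, and the key itself existing only as the XOR of components that no single officer knows, as an added illustration (not code from the post or from any bank). HMAC-SHA256 stands in for the 3DES construction the post mentions, and the card number, PIN, shares and value format are all constructed for the example.

```python
import hmac
import hashlib
from functools import reduce


def combine_components(components: list[bytes]) -> bytes:
    """XOR the N key components together, as the post describes the
    key-storage device doing once every officer has entered a share.
    Any N-1 shares give no information about the result."""
    if len({len(c) for c in components}) != 1:
        raise ValueError("all key components must have the same length")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), components)


def pin_verification_value(key: bytes, pan: str, pin: str) -> str:
    """Keyed one-way value derived from card number and PIN; this, not the
    PIN, is what the stripe carries. HMAC-SHA256 stands in for the bank's
    3DES construction (hypothetical format, not a real card scheme)."""
    return hmac.new(key, f"{pan}|{pin}".encode(), hashlib.sha256).hexdigest()[:8]


def verify_pin(key: bytes, pan: str, pin: str, stored_value: str) -> bool:
    """The issuing bank's check: recompute the value and compare in constant time."""
    return hmac.compare_digest(pin_verification_value(key, pan, pin), stored_value)


if __name__ == "__main__":
    # Constructed sample: three officers' shares (in practice random 16-byte values).
    shares = [bytes([0x11]) * 16, bytes([0x22]) * 16, bytes([0x4C]) * 16]
    key = combine_components(shares)
    pan, pin = "4000123412341234", "1234"        # constructed card number and PIN
    on_stripe = pin_verification_value(key, pan, pin)
    print("stripe carries", on_stripe, "- not the PIN")
    print("right PIN:", verify_pin(key, pan, pin, on_stripe))
    print("wrong PIN:", verify_pin(key, pan, "1235", on_stripe))
    # Two of the three shares produce a different key, so verification fails.
    print("2 of 3 shares:", verify_pin(combine_components(shares[:2]), pan, pin, on_stripe))
```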
As I already wrote, there is no such thing as a half-measure in security, and such administrative measures are necessary where the strength of cryptography ends and the human factor begins.
Important note: no bank employee will ever, under any circumstances, ask you for your PIN. But if you only knew how many customers out of ten, when they call the bank and the operator asks for their secret word (set when the account was opened), give their PIN instead.
7. When making a purchase, the money goes immediately and directly from the customer’s account to the store’s account.
Usually the actual exchange of money (albeit electronic) takes place at the end of the business day. At the moment of purchase, only the amount is blocked from the available limit (see item 4). The actual debit usually happens a few days later, when the financial presentment from the bank whose terminal took the payment reaches the bank that holds the account.
8. Exactly the amount printed on your receipt when paying by card will be debited from your account.
In fact, the amount blocked during authorization may differ significantly from the amount debited in the financial transaction. This is especially noticeable when paying for car rentals and hotels, since these outlets may “afterwards” charge additional expenses (for example, a shortfall of gasoline or an unpaid minibar). But these are not the only kinds of outlets allowed to increase or decrease the final amount.
The amount blocked during authorization may also differ from the amount debited from the account if the account currency differs from the transaction currency, since the actual withdrawal of funds happens 1-2 days later and the exchange rate may change in the meantime.
9. The amount blocked on the account when paying by card will be debited from my account one way or another.
The amount blocked during authorization may never be debited from the account at all. After 10 days (for an ATM) or 45 days (for all other terminals) without a financial confirmation of the transaction reaching your bank from the payment system, it is unblocked. This is both “good” and “bad”. It is “good” when you have performed an operation that you want to cancel right away: immediately after the operation you call the bank, explain the reason for the refusal to the operator, and if it is permitted the operation is “canceled” and the block can be lifted. In that case, if a financial confirmation of the operation does arrive from the outlet a couple of days later, the bank will sort it out itself, without involving you (or your money). It is “bad” when you waited a day or two and the financial confirmation reached the bank before your call; then it is much harder to “roll back” the operation. The bank will have to open a formal dispute over the case, which may last up to 45 days, and during that time the purchase amount may remain blocked.
10. Holders of debit (rather than credit) cards cannot end up “owing the bank”.
As mentioned in item 4, purchase authorization is based not on the actual amount in the account but on daily limits, so with both credit and debit cards you can “go into the minus” if the bank sets daily limits slightly above the account balance, even for debit cards.
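A toy model of the authorization and settlement rules described in items 4 and 7 to 10, added here as an illustration (not code from the post or from any bank): authorization checks only the daily limit and places a hold, settlement debits a possibly different amount, and unsettled holds lapse after 10 or 45 days. The account class, amounts and authorization ids are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hold lifetimes from item 9: 10 days for ATM authorizations, 45 for all other terminals.
ATM_HOLD_DAYS = 10
OTHER_HOLD_DAYS = 45


@dataclass
class Hold:
    amount: float
    placed: date
    atm: bool

    def expired(self, today: date) -> bool:
        days = ATM_HOLD_DAYS if self.atm else OTHER_HOLD_DAYS
        return today > self.placed + timedelta(days=days)


@dataclass
class CardAccount:
    balance: float                  # settled balance, may go negative even on a debit card
    daily_limit: float              # set by the bank, independent of the balance (item 4)
    holds: dict = field(default_factory=dict)   # auth id -> Hold
    spent_today: float = 0.0        # would be reset by the bank each day (not modelled)

    def available(self, today: date) -> float:
        """Balance minus still-active holds; expired holds are released (item 9)."""
        self.holds = {k: h for k, h in self.holds.items() if not h.expired(today)}
        return self.balance - sum(h.amount for h in self.holds.values())

    def authorize(self, auth_id: str, amount: float, today: date, atm: bool = False) -> bool:
        """Authorization checks the daily limit, not the balance (items 4 and 10)."""
        if self.spent_today + amount > self.daily_limit:
            return False
        self.spent_today += amount
        self.holds[auth_id] = Hold(amount, today, atm)
        return True

    def settle(self, auth_id: str, final_amount: float) -> None:
        """Financial presentment arrives days later; its amount may differ (items 7, 8)."""
        self.holds.pop(auth_id, None)
        self.balance -= final_amount
```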
I hope this information will help you avoid some unpleasant surprises when using plastic cards.