Who ensures the safety and interoperability of my credit/debit card transactions?
Scenario 1: Abi travels from India to Waterloo carrying his only credit card and pays for his hotel with it. If the transaction is declined for a reason unrelated to his credit limit, what happens?
Scenario 2: An expired terminal (yeah, terminals do have a life that ends) is still in the market and transactions happen on it (my banking brethren!). Assuming a fraudulent transaction happens using a customer's card, who is liable to pay? Would it be the customer, merchant, acquiring bank, payment scheme, or the issuer?
In both of the above scenarios, the respective “Certification Board” of the payment scheme (Discover, Amex, MasterCard, Visa, RuPay and so on) will arrive at the reason and, if there is fraud, determine who is liable.
While the payment scheme's certification body manages compliance with its own rules, it also depends on two more certification boards:
- EMVCo (emvco.com) which ensures interoperability of chip cards and chip terminals across the globe
- PCI (https://www.pcisecuritystandards.org/) which ensures the security of card and transaction data
This blog discusses the complexities and responsibilities of a Certification Board in general, not those of any particular one.
Payment ecosystem complexities and Certification Board
The payment ecosystem has various parties that are interdependent: acquiring bank, issuing bank, payment scheme, standards bodies like EMVCo, card manufacturer, chip manufacturer, terminal manufacturer, security testing lab, physical & OS testing lab, card personalization bureau, card applet & terminal kernel vendors. Phew…you get the idea.
Now think of each of these players having several products (D-PAS, Quick Chip, M/Chip, RuPay, payWave, BHIM, UPI, PayPass, etc.) serving thousands of banks and millions of customers and merchants around the world. Now, it gets interesting…
Managing all this testing and certification needs a system and process, which is called a “Certification Board”, very similar to how our universities maintain our certificates. Now that we know a central certification board is needed, let’s see some of its functions, significance and benefits.
Certification Board – Functions, Significance and Benefits
- Play the roles of facilitator, initiator and validator among banks, vendors and test labs to ensure that technical and brand needs are complied with.
- It is very important to maintain detailed records about the product: once the product is in the market, its major functionalities should not be changed without re-certification. Let’s take an example: if an already certified and deployed terminal is changed without the payment scheme's agreement, then any fraud issue arising from a transaction is to be handled by the acquiring bank that deployed the terminal. This is not easy to ascertain unless the lab proves that the certified terminal is different from the one in the market.
- Given the nature of international transactions, national financial rules (like India’s RBI), technology upscaling and inter-party transfers, there will be occasions where the payment scheme has to waive some of its general rules for countries or even for some banks. These “waivers” generally have an expiry period, after which the product needs to follow the general rules. This crucial information again needs to be tracked along with the certification details to make it transparent to the banks. This ensures customers are protected and local rules are complied with, and it makes decision making easier when dealing with liability issues.
- The details of which laboratory and payment scheme tested the product, along with which test specification and tools were used, are to be maintained. Without this information, if there is a field issue at a later stage, we won’t be able to ascertain the liability holder: it could be the bank, lab, scheme or the merchant as well.
- Ever-growing security attacks pose a threat to card personalization companies, which are to be certified with stringent audit procedures. A Bluetooth-enabled system can be a potential threat leading to loss of user information. It is not possible to closely monitor a physical facility on a day-to-day basis; that is why the details of the facility are collected and its physical & logical security procedures are audited before it is allowed to personalize the credit/debit cards that reach the end customer.
In summary, a Certification Board ensures the interoperability, traceability, liability and compliance of products among a complex group of stakeholders through well-designed administrative and technical processes. This makes it much easier for the payment product customers (in this case banks) to do business and maintain compliance.
After all, banks should focus on customers and transactions, while compliance and certification are to be made easier by well-oiled certification board machinery.