CB, French payment system
CB is the leading card payment system in France, with more than 10 billion transactions per year. It is managed by the Groupement des Cartes Bancaires CB.

Fundamentals

Universality and interbank operation

It is not by chance that more than a third of commerce in France is affiliated to the CB system, which in 2014 represented turnover of €420 billion in card payments and €124 billion in cash withdrawals.
Its major principles are interbank operation and universality, leading to the widest-possible acceptance of the CB card.
The CB system also has security imperatives, which ensure that everyone can use their card anywhere in complete confidence.

The major basis of the CB system is interbank operation. This is the ecosystem that allows the CB card to be accepted, whatever the name of the merchant’s bank or the customer’s bank.

 

  • A system is known as a "four-corner model" when it brings four players into contact: the cardholder, the merchant, the cardholder’s bank (known as the "issuer" because it issues the cards) and the merchant’s bank (known as the "acquirer" because it acquires the card transactions). Examples of "four-corner model" systems: CB, MasterCard and Visa.
  • A system is known as a "three-corner model" when it involves only three players: the cardholder, the merchant and the system itself, which alone issues the cards and acquires the transactions. In a "three-corner model" system the banks merely distribute and market the system’s products and services. Examples of "three-corner model" systems: Amex, Diners and other private-label or credit cards.

 

CB payment transaction

A few figures summarise the success of the CB card:

 

It is accepted by more than 1,300,000 local merchants and at more than 58,000 automated teller machines, and was used for almost 617,000,000 remote-sale transactions.

 
This same card, depending on its functionalities, can also be used everywhere throughout the world via the partnerships that the CB system has established with international systems.
 
Abroad, holders of CB cards that are cobranded with an international partner system can withdraw cash from more than 2 million ATMs and can also use them at several tens of millions of merchants.
 
This payment universality means that CB must constantly move and closely follow new usage patterns and new technologies, or even initiate them.
 
Thus, the CB card has widely contributed to the development of online commerce and currently represents more than 80% of payment transactions over the Internet.

The essential prerequisite for interoperability is standardisation: for the CB card to be accepted everywhere in France and abroad, it must comply with shared standards. This is why CB is heavily involved in the working groups aiming for broader standardisation, and therefore greater interoperability, particularly at the European level.

 

Within this three-level hierarchy of norms, standards and specifications (described below), CB participates in public standardisation bodies such as ISO, in worldwide private standardisation initiatives such as EMVCo, and in European initiatives within SEPA, with very strong involvement in the various European working groups.

 

 

THE "NORMS"

The norms are formalised by the documents produced by the institutional organisations (AFNOR, CEN, ISO). They constitute the building blocks for constructing standards and specifications. In relation to the card, they may apply across all sectors or to a given sector (banking, telecoms, health, transport, administration, etc.).

 

"STANDARDS"

Standards are formalised by documents based on norms and are produced by a set of players for customisation to a more restricted level (see specifications).

 

"SPECIFICATIONS"

Specifications are formalised by documents based on norms and standards, in a context that is narrower than the production of the standards themselves (for example within a company or a professional organisation).

A huge standardisation movement accompanied by appropriate legislation was launched at the European level as part of the SEPA (Single Euro Payments Area).

 

CB is playing a driving role in this context alongside other key players in card payment systems in various European countries, including: Germany, Belgium, Denmark, Spain, Italy, the United Kingdom, Norway, the Netherlands, Portugal and Sweden.

 

This European standards and legislative process covers all elements of the card payment value chain, namely:

 

  • The payment terminals 
  • The exchange protocols
  • The harmonisation of security requirements
  • The bank cards
  • The certification of products/solutions stated below

All of this work goes beyond the framework of SEPA and now covers the requirements of the international card payment community.

 

 

NEXO

Nexo is an international non-profit association resulting from the merger of EPASOrg, the OSCar consortium and the EMV Common Implementation Recommendations (CIR) working group. It has 64 members covering every player in the card-payment value chain (merchants, card payment systems, payment solution providers, payment transaction processors, acquiring banks and international associations).

 

Its objectives are:

 

  • to produce standards which meet the requirements of the card payments market;
  • to harmonise European standards to guarantee interoperability and strengthen the security of exchanges;
  • to provide fluidity in transactions and cost optimisation to merchants operating mainly internationally.

To perform these tasks, Nexo uses innovative specifications and protocols: the EPAS protocols (based on the international ISO 20022 standard), the SEPA-FAST specifications and the OSCar specifications (the OIS specifications).

 

 

ECPA

The European Card Payment Association covers the domestic card systems of each European country and the organisations responsible for fundamental functions such as the certification of hardware used in the card payments value chain.

 

The ECPA is a vector of cooperation and the representative voice of its members to European institutions such as the European Commission, the European Central Bank, the European Banking Authority and other stakeholders on subjects such as legislation, security and standardisation in the field of card payments.

 

OSeC

OSeC (Open Standards for Security and Certification) is a European payment systems initiative extending the European work of the CAS (Common Approval Scheme) group in the field of payment terminals (POI – Point of Interaction).

 

The objective of OSeC is to coordinate pilots intended to validate the feasibility of security developments to the POI according to the Common Criteria (CC) methodology.

 

The certificates obtained may then be recognised by the various payment systems in their respective certification processes, thus simplifying and reducing the cost of the certification process in the SEPA.

 

 

 

MORE:

 

NEXO, see WWW.NEXO-STANDARDS.ORG

ECPA, see WWW.EUROPEANCARDPAYMENTASSOCIATION.EU

OSEC, see WWW.OPEN-STANDARDS.EU

CB is a major player in the work initiated under the various standardisation organisations, whether at the national level (French standardisation association or AFNOR), the European level (European Committee for Standardization or CEN) or internationally (International Organization for Standardization or ISO).

 

These organisations define the standards relating to all the links in the CB system, such as:

 

  • The card media,
  • The various technologies present in the card, such as those for the contact or contactless smartcard,
  • The interface with the reader,
  • The management of the confidential code,
  • The messages between the merchant’s bank and the cardholder’s bank,
  • The NFC technology allowing mobile telephones to make contactless transactions,
  • The user interface for card systems, to offer the best accessibility possible, etc. 

CB chairs several AFNOR standardisation commissions, the European inter-sectoral committee on cards, personal identification and digital signatures (CEN/TC 224), and the ISO group that defines the standards for the contact smartcard used across industry and user sectors.

The SEPA project (Single Euro Payments Area) follows on from the European Payment Services Directive (2007/64/EC of 13 November 2007), which aims to ensure fair and open access to payment markets and to strengthen consumer protection.

 

In this context, the SEPA specifies the harmonisation of means of payment in three areas: bank transfers, direct debits and payment cards in Europe. 

 

To reach these objectives, the European banks and their professional organisations created the EPC (European Payments Council) in 2002. It established the SEPA Cards Framework, which defines the high-level principles aiming to allow cardholders to make payments by bank cards in Europe with the same ease of use as in their own countries.

 

 

FOR MORE INFORMATION, DOWNLOAD THE FOLLOWING DOCUMENTS:

  • Some thoughts on the "Green Paper" SEPA for cards: work in progress (31.01.2011)
  • EPC card fraud prevention forum (22.07.2010)
  • SEPA, a new paradigm for card systems (SEPA, un nouveau paradigme pour les systèmes carte)
  • At the European scale, SEPA leads to a redefinition of interbank operation (A l’échelle européenne, le SEPA aboutit à une redéfinition de l’interbancarité)
  • Response to the Eurosystem questionnaire for SEPA
  • European payments market needs "level playing field" (extract from Parliament Magazine)
  • CB position paper on MIF regulation and PSD 2

EMV is an international standard for smart debit or credit cards initiated by the EMVCo consortium. It provides a level of security much higher than for cards with magnetic tracks and is largely based on the original CB smartcard.

 

France, together with Great Britain, was one of the first countries to entirely migrate to the new EMV standard. Today, most European countries have adopted it and are migrating the installed base, and it is the same for certain countries in Asia and America.

 

Users of the EMV standard formed the CIR (Common Implementation Recommendations) working group to profile the EMV specifications and facilitate their implementation. CB contributes to this working group, which has also given rise to SEPA-FAST (Single Euro Payments Area – Financial Application Specifications for Terminals). CB’s participation does not stop there and extends to other groups working on the standardisation of payment systems in Europe.

 

EMV DEPLOYMENT

 

Trust in the CB card is based on security. To ensure it, the CB card must have the best security systems, which must constantly evolve along with the sophistication of fraud.

 

CB also takes care to preserve a balance between security and ease of use. Security must not reduce the ease of use of the payment system that is preferred by the French.

 

  • Since 1992, the CB card has been fitted with a chip. For each payment, this key security element checks the confidential code entered by the cardholder and performs other security checks.
  • Since 2002, CB cards have been fitted with a chip conforming to the international EMV standard.
  • Since 2005, "third generation" cards have added DDA (Dynamic Data Authentication): the chip computes a unique signature for each transaction over random data supplied by the terminal, so that a recorded transaction cannot be replayed, further enhancing the security of payments.

These elements contribute to making the CB card one of the safest means of payment in the world. 

 


 

Security that is constantly improving 

 

Improvement of the security of payments by CB card is continuous work. 

 

Your next CB card will be even more secure than the current one, which is itself more secure than the previous one. 

 

Prevention and the fight against fraud are the ongoing principles driving CB to constantly improve preventive security systems, whether for cards, terminals or remote payments.

 

Of course, this does not discharge users from following a few elementary precautionary rules.

Fraud in payment cards can be defined as the use of a card by a person who is not the legitimate holder. There are three cases:

 

  • The use by a third party of a lost or stolen card;
  • Card counterfeiting;
  • The use of the card’s identifiers (number, expiry date, etc.), by a person other than the cardholder and with the holder still in possession of their card. This type of fraud concerns remote sales.

Cases of counterfeiting concern the card’s magnetic track. Reproduction of the track can allow fraudulent use in countries where smartcard technology is not used. Copying the magnetic track – either by a malicious person or through a system placed on the payment terminal or the ATM – is known as "skimming".

Detecting and characterising frauds

The CB system has a database that is constantly supplied: the Cartes Bancaires Information System (SICB). This tool is essential for the finest possible characterisation of the frauds that are observed (operating procedure, place, etc.). It also allows very quick detection of potentially-suspect transactions, for example: unusual withdrawals in a foreign country where the level of security of card transactions is lower than in France.

 

Cooperation with the police and the legal system  

CB cannot fight fraud alone. It cooperates firstly with its members, to whom it reports all suspicions of fraud, so that they can warn the cardholders concerned. The fight against fraud is a community process where each bank takes the final decision. Within the CB, a dedicated team cooperates with the legal system and the police.

 

The core element in the security of CB bank cards is the chip. It is a sort of strongbox, highly secured through cryptography. This "strongbox" contains data for which the level of protection must be maximum. In particular, these include: the cryptographic keys specific to each card, the confidential code which forms a unique pair with the number of the card, and the attempts counter, which allows the card to be blocked after three erroneous codes.

 


 

 

The technical characteristics of the chip are constantly evolving. Under the auspices of CB, the manufacturers of electronic components for CB cards must also submit their products to "state-of-the-art" security tests to independent laboratories approved by the national information-systems security agency (ANSSI).

 

As it is an industry that is constantly developing, your next card’s chip will be even more secure than the one in your current card.

 

One of the factors in securing remote transactions is the three-digit number written on the back of the card, in the signature panel. Associated with other characteristics of the card (number and expiry date), it forms a combination specific to each card.

 

All of these elements constitute card-personalisation data, calculated by the cryptographic tools of each issuing bank; they are then sent to the card-personalisation workshops approved by CB and regularly audited. These workshops have a level of protection, both physical and logical, that is equivalent to those that manufacture notes for the Banque de France.

 

Cryptography is a discipline that is used here to perform card authentication, to contribute to the confidentiality of the dialogue between the card and the payment terminal or ATM, and to supply a transaction "signature" from the chip. For this, it uses encryption algorithms and secret keys whose configuration is constantly evolving to remain at the state of the art. 

 

For an even greater degree of security, the cryptography used in the CB system is based on "DDA" (Dynamic Data Authentication). The terminal injects variable elements specific to each transaction (in EMV terms, an unpredictable number) into its exchange with the chip, and the chip signs them with a key that never leaves the card. Each transaction is thus identified as unique, and a signature copied from one transaction cannot be replayed in another.
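As an added example (not CB’s or EMVCo’s code) that ties together the chip "strongbox" described above (card-specific key, confidential code and the try counter that blocks the card after three wrong codes) and the DDA principle: a simulated card first verifies the PIN offline, then signs a challenge chosen by the terminal, so a signature recorded from one transaction is useless for the next. Assumptions: ECDSA P-256 stands in for the RSA/ISO 9796-2 signatures of real EMV DDA, the issuer certificate chain over the card’s public key is omitted, the digest layout (PAN, amount, unpredictable number) is my own simplification, and the PAN and PIN are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const maxPINTries = 3
var (
	ErrPINWrong   = errors.New("wrong PIN")
	ErrPINBlocked = errors.New("card blocked: PIN try counter exhausted")
)

// Card models the chip's "strongbox": private key, confidential code and PIN
// try counter never leave it. Simplification: real EMV DDA uses RSA/ISO 9796-2
// over an issuer-certified key; ECDSA and a bare public key stand in here.
type Card struct {
	PAN       string
	priv      *ecdsa.PrivateKey
	pin       string
	triesLeft int
	blocked   bool
}

func NewCard(pan, pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{PAN: pan, priv: priv, pin: pin, triesLeft: maxPINTries}, nil
}

func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// VerifyPIN is offline PIN verification: a wrong code decrements the counter,
// the third consecutive wrong code blocks the card, a correct code resets it.
func (c *Card) VerifyPIN(entered string) error {
	if c.blocked {
		return ErrPINBlocked
	}
	if subtle.ConstantTimeCompare([]byte(entered), []byte(c.pin)) != 1 {
		c.triesLeft--
		if c.triesLeft == 0 {
			c.blocked = true
			return ErrPINBlocked
		}
		return ErrPINWrong
	}
	c.triesLeft = maxPINTries
	return nil
}

// ddaDigest binds a signature to one transaction: PAN, amount and the
// terminal's unpredictable number (assumed layout, not the EMV record format).
func ddaDigest(pan string, amountCents uint64, un []byte) []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], amountCents)
	h := sha256.New()
	h.Write([]byte(pan))
	h.Write(amt[:])
	h.Write(un)
	return h.Sum(nil)
}

// SignDDA is the card side of Dynamic Data Authentication; a blocked card
// refuses to sign.
func (c *Card) SignDDA(amountCents uint64, un []byte) ([]byte, error) {
	if c.blocked {
		return nil, ErrPINBlocked
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, ddaDigest(c.PAN, amountCents, un))
}

// VerifyDDA is the terminal side: it recomputes the digest from a challenge it
// chose itself, so a signature recorded earlier cannot satisfy a fresh one.
func VerifyDDA(pub *ecdsa.PublicKey, pan string, amountCents uint64, un, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, ddaDigest(pan, amountCents, un), sig)
}

func main() {
	card, _ := NewCard("1234567890123456", "1234") // constructed sample PAN and PIN
	if err := card.VerifyPIN("1234"); err != nil {
		panic(err)
	}
	un := make([]byte, 4) // terminal's unpredictable number for this transaction
	rand.Read(un)
	sig, _ := card.SignDDA(2599, un)
	fmt.Println("signature valid:", VerifyDDA(card.PublicKey(), card.PAN, 2599, un, sig))
	replay := append([]byte{}, un...)
	replay[0] ^= 1 // the next transaction carries a different challenge
	fmt.Println("replayed signature accepted:", VerifyDDA(card.PublicKey(), card.PAN, 2599, replay, sig))
}
```

The replay check is the whole point of DDA versus the older static data authentication: the terminal never accepts a signature it did not itself challenge for, and the try counter means the card stops cooperating entirely after three wrong codes, regardless of what the terminal asks.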

ATMs and payment terminals meet standardisation and security requirements that are mainly established internationally by the PCI-SSC (Payment Card Industry Security Standards Council).

 

This organisation updates and disseminates its specifications over a cycle of 3 years, at the end of which a new version is applicable to manufacturers who wish to obtain the "PCI" certification for their new terminal models. 

 

Starting from the initial data-security requirements covered by PCI-DSS, the PCI-SSC then defined two further reference frameworks: one for payment applications, PA-DSS, and the other for terminals and the protection of the confidential code, PCI-PTS (PIN Transaction Security).

 

In Europe, CB actively participates in the  EAST (European ATM Security Team) working group, which concentrates on attacks specific to ATMs.

 

Physical and logical protection

Each type of terminal or automated system has its own security reference framework. Protection is firstly physical, with devices designed to make it extremely difficult to copy the magnetic strip (CB’s AFAS, Anti-Fishing / Anti-Skimming, standards), particularly on ATMs and unattended payment terminals, and to protect the entry of the confidential code (visual protection of the keypad by a privacy shield).

 

Protection is then logical, in accordance with the PCI-PTS reference framework and its demanding requirements for the encryption that protects the confidential code from the moment it is entered on the keypad and throughout the dialogue between the card and the terminal.

 

Lastly, transactions on ATMs, automated payment terminals and particularly automatic fuel distributors are always subject to authorisation. 

 

Payment terminals connected over IP are subject to specific security requirements for their communications with the acquiring systems. Every link between the terminal and the acquiring server must be encrypted with a protocol based on asymmetric cryptography and certificates.

 

The terminal must authenticate the server using a certificate issued by a Certification Authority authorised by CB.

 

The list of authorised Certification Authorities is as follows:

 

  • PayCert – Certification Authority: STCA Certificates (Secure Transaction Certification Authority)
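Added example (not CB’s or PayCert’s code) of what "authentication of the server by a certificate from a CA authorised by CB" means on the terminal side, assuming the protocol is TLS: the terminal’s trust store holds only the authorised CA, never the operating system’s store, and it checks the acquirer’s hostname, so a certificate chaining to any other CA is rejected even if it carries the right name. The two CAs, the hostname acquirer.example and the certificate lifetimes are constructed for the example; a production terminal ships with the authorised CA certificate preinstalled and generates none of this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed test hierarchy: one root CA and one acquirer server
// certificate issued by it. A production terminal ships with the authorised
// CA certificate preinstalled and generates none of this itself.
type PKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakePKI builds a root CA named caName and a server certificate for host.
func MakePKI(caName, host string, now time.Time) (*PKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, Leaf: leaf}, nil
}

// TerminalTLSConfig is the client-side configuration a terminal would use: the
// trust store contains only the authorised CA and the acquirer hostname is
// fixed, so any certificate from another CA, or for another name, is rejected.
func TerminalTLSConfig(authorisedCA *x509.Certificate, acquirerHost string) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(authorisedCA)
	return &tls.Config{RootCAs: roots, ServerName: acquirerHost, MinVersion: tls.VersionTLS12}
}

// VerifyAcquirerCert performs, outside a live connection, the chain and
// hostname check the TLS client applies to the server certificate.
func VerifyAcquirerCert(cfg *tls.Config, leaf *x509.Certificate, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	authorised, _ := MakePKI("Authorised Acquirer CA (test)", "acquirer.example", now)
	rogue, _ := MakePKI("Rogue CA (test)", "acquirer.example", now)
	cfg := TerminalTLSConfig(authorised.CA, "acquirer.example")
	fmt.Println("genuine acquirer:", VerifyAcquirerCert(cfg, authorised.Leaf, now))
	fmt.Println("rogue CA, same hostname:", VerifyAcquirerCert(cfg, rogue.Leaf, now))
	fmt.Println("genuine cert, wrong hostname:", VerifyAcquirerCert(TerminalTLSConfig(authorised.CA, "other.example"), authorised.Leaf, now))
}
```

The check a practitioner should look for in a terminal or payment-gateway client is exactly the pair shown here: a root set restricted to the scheme-authorised CA rather than the platform’s default bundle, and a server name the terminal expects, not one taken from the certificate it is presented with.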

On the information systems of certain merchants, e-commerce sites or card payment platforms that are insufficiently secured, sensitive CB card data can be compromised and then used fraudulently for remote-sale payments, face-to-face payments and withdrawals, mainly abroad on payment systems with weaker security.

 

It is therefore of the utmost importance that, whatever the size of the players concerned (banks, merchants and service providers), appropriate investment is made in securing the sensitive data of card transactions. Ensuring the confidentiality of this information gives the holders of CB cards protection against the risk of fraud and also against possible breaches of privacy.

 

This is why the banking community and “CB” share the objectives of the PCI-DSS reference framework, which is itself derived from ISO standards on the security of information systems, aiming for a high level of protection of sensitive card-related data. The community considers that the security objectives defined by the PCI-DSS reference framework correspond to the state of the art of what is currently recommended by experts for securing databases, the exchange of information and for access control. 

 

Several years ago, all of the players concerned initiated programs to secure this sensitive data; currently, numerous merchants and service providers have already finished or are about to finalise their compliance with PCI-DSS.

 

Remember that the PCI-DSS reference framework was defined by the PCI-SSC (Payment Card Industry Security Standards Council), an organisation founded in 2006 by the main card payment systems: MasterCard, Visa, American Express, Discover Financial Services and JCB. This standard defines the security requirements for protecting sensitive bank card data. It applies to all players that process card payment transactions, particularly merchants and e-commerce sites, and also to those who host card payment systems, including the banks. The process for checking these players’ level of compliance with PCI-DSS varies in proportion to the volume of transactions processed.

 

Every two years, the PCI-SSC calls the participating organisations to designate their representatives to the advisory committee, the "Board of Advisers". In this context, CB has just been selected to sit on the select committee of experts whose composition has been set until 2012.

Since 2005, “CB” has decided to grant CB referencing to certain companies that are already certified "QSA" (Qualified Security Assessor) at PCI-SSC to perform PCI-DSS audits.

 

CB referencing ensures, for merchants and CB acquirers, that a range of services exists in the French language, adapted to the CB market and that there is total confidentiality of the data collected during these audits.

 

Six "QSA" companies currently hold CB referencing:

 

 

MORE AND DOWNLOAD:

  • PCI... What are DSS and SSC?
  • Guide for the attention of developers/hosts of merchant websites

In an e-commerce transaction, the customer must provide at least the number of their CB card, its date of expiry and the 3 figures shown on the back of the card.

 


 

An additional layer of security has been introduced for online transactions with "3D Secure": this is a set of procedures for authenticating the holder of the card who ordered the payment.

 

Specific authentication procedures have been implemented in three areas (3-D): the relationship between the bank and its cardholder customer, the relationship between the bank and its e-merchant customer, and the relationship between the customer’s bank and the e-merchant’s bank. 

 

In concrete terms, for the holder making a "3D-S" e-commerce purchase, this results in procedures that may vary from one bank to another:

  • A non-replayable code sent by SMS to the mobile telephone number given to your bank
  • A "battleship"-type procedure, in which, using a grid supplied by your bank, you enter the code located in the box specified during the transaction
  • A portable smartcard reader, which calculates a cryptogram specific to the transaction
  • A token with a dedicated screen that calculates a value
  • A request to enter data chosen by the cardholder
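Added example (not a bank’s or any 3-D Secure server implementation) of the first procedure listed above, the non-replayable SMS code, as the issuer’s authentication server has to manage it: the code is bound to the amount and merchant of one transaction, expires, tolerates only a limited number of wrong entries and is consumed on first success, so a code captured by phishing cannot be reused or redirected to a different payment. The six-digit code length, five-minute lifetime, three-attempt limit and the merchant name shop.example are my assumptions; sending the SMS itself is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	codeDigits  = 6               // assumed code length
	codeTTL     = 5 * time.Minute // assumed validity window
	maxAttempts = 3               // assumed wrong-entry limit
)

var (
	ErrUnknown         = errors.New("unknown or already consumed challenge")
	ErrExpired         = errors.New("challenge expired")
	ErrMismatch        = errors.New("code does not match this transaction")
	ErrTooManyAttempts = errors.New("too many wrong entries; challenge cancelled")
)

// challenge is what the issuer's authentication server keeps while the holder
// types the code it sent. Binding the code to amount and merchant means a code
// phished out of the holder is useless for any other payment.
type challenge struct {
	code     string
	amount   uint64
	merchant string
	expires  time.Time
	attempts int
}

// Authenticator is a minimal stand-in for the issuer-side 3-D Secure server.
type Authenticator struct {
	pending map[string]*challenge
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{pending: map[string]*challenge{}}
}

// randomDigits draws n decimal digits from a CSPRNG (n <= 18 so it fits int64).
func randomDigits(n int) (string, error) {
	bound := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(n)), nil)
	v, err := rand.Int(rand.Reader, bound)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", n, v.Int64()), nil
}

// Issue creates a single-use code for one transaction. The challenge ID goes
// back to the payment page; the code goes to the holder by SMS (not modelled).
func (a *Authenticator) Issue(amount uint64, merchant string, now time.Time) (id, code string, err error) {
	if id, err = randomDigits(12); err != nil {
		return "", "", err
	}
	if code, err = randomDigits(codeDigits); err != nil {
		return "", "", err
	}
	a.pending[id] = &challenge{code: code, amount: amount, merchant: merchant, expires: now.Add(codeTTL)}
	return id, code, nil
}

// Verify consumes the challenge on success. A second presentation of the same
// code, an expired code, or a code for a different amount or merchant fails,
// and repeated wrong entries cancel the challenge.
func (a *Authenticator) Verify(id, code string, amount uint64, merchant string, now time.Time) error {
	ch, ok := a.pending[id]
	if !ok {
		return ErrUnknown
	}
	if now.After(ch.expires) {
		delete(a.pending, id)
		return ErrExpired
	}
	sameTx := ch.amount == amount && ch.merchant == merchant
	if !sameTx || subtle.ConstantTimeCompare([]byte(ch.code), []byte(code)) != 1 {
		ch.attempts++
		if ch.attempts >= maxAttempts {
			delete(a.pending, id)
			return ErrTooManyAttempts
		}
		return ErrMismatch
	}
	delete(a.pending, id) // single use: the same code can never verify twice
	return nil
}

func main() {
	acs := NewAuthenticator()
	now := time.Now()
	id, code, _ := acs.Issue(4999, "shop.example", now) // constructed transaction
	fmt.Println("first use:", acs.Verify(id, code, 4999, "shop.example", now))
	fmt.Println("replay:   ", acs.Verify(id, code, 4999, "shop.example", now))
}
```

Note that "non-replayable" is a property of the server’s bookkeeping, not of the code itself: a six-digit number sent by SMS is trivially guessable without the attempt limit, and reusable without the delete on success.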

 

How does an on-line payment proceed?

Diagrams (not reproduced here): secure payment transaction over the Internet; CB settlement transaction.

For safe online purchasing, in addition to the general precautionary rules:

 

  • Never store your bank card number in your computer or send confidential information in an ordinary e-mail
  • Check the security of the site with the padlock appearing at the bottom of the screen, the HTTPS that precedes the Internet address of the site in the browser, and the routing towards the bank’s site during payment
  • Be vigilant concerning "phishing" attempts by often badly-spelled e-mails asking you to supply sensitive data (see image below).
  • Contact the merchant if necessary or in case of doubt
  • Carefully check your bank statements and report any anomalies to your bank
  • Carefully choose your merchant by checking their details (address, telephone number, contact with customer services) and read the general sales conditions.

"PHISHING" E-MAIL EXAMPLE (image not reproduced here)

The security of the CB bank card does not exempt you from following a few commonsense rules for using it in complete safety:

 

  • Do not write down your confidential code anywhere, or communicate it to any third party;
  • Always enter the confidential code away from prying eyes, for example by protecting the keyboard with your other hand;
  • Do not enter an erroneous code 3 times when making a withdrawal or payment;
  • Do not allow yourself to be distracted by a third party when making a withdrawal;
  • Keep your card in a safe place and do not let anyone else have it;
  • Keep your receipts (including electronic ones) and regularly check your bank statements;
  • Immediately report any anomaly on your bank statement to the bank;
  • Never lose sight of your card during payment at a merchant;
  • Immediately report the card for invalidation if it is retained by an ATM, lost or stolen;
  • Keep the card number and its expiration date in a secure place to speed the invalidation process.

 

WHAT SHOULD BE DONE IN CASE OF LOSS OR THEFT?

 

"The legislator has covered the case of loss or theft of bank cards and the effects of invalidation on the holder of the card. Thus, article L133-19 (ordinance n°2009-866 dated 15 July 2009) of the French monetary and financial code specifies: -I -In case of unauthorised payment transactions consecutive to the loss or theft of the payment instrument, the payer shall bear, before the information specified in article L133-17, the losses stemming from the use of this payment instrument within the limit of €150. Nevertheless, the responsibility of the payer is not implicated in case of unauthorised payment transactions carried out without use of the personalised security mechanism".

  

In other words, in case of loss or theft of the bank card, the holder bears an excess of at most €150 on the amounts debited before the card was reported, except for transactions made without the confidential code, for which the holder bears nothing.

 

In practice:
 

  • In case of loss or theft of your CB bank card, you must immediately have the card invalidated by calling your bank’s invalidation centre or, failing this, 0892 705 705 (0.35 euros/minute, accessible seven days a week and 24 hours a day). 

 

  • You must also quickly confirm this invalidation in writing to your bank according to the procedures specified by it (ordinary letter, registered letter with return receipt, fax, etc.), and, in case of theft, lodge a complaint with the police. 
  • Before a visit abroad, we recommend requesting your bank to provide you with the necessary telephone number to have your card invalidated from the place where you will be staying.

 

VISITS ABROAD

 

Before leaving:

 

  • Look at your card’s expiration date and, if necessary, request its early renewal. 
  • Make sure that your withdrawal and payment limits are appropriate. If they are not, see your bank to determine whether it is possible to have them increased, even temporarily. 
  • Check that your card is accepted in the country where you are going. Take your bank’s telephone number with you, so that you can reach it easily in case of need. 

Your place of stay:

 

  • Sometimes, abroad, a slip with signature is used, after the card’s magnetic strip is read and the payment authorisation is transmitted. Payment authorisation requests are almost always made, whatever the amount of the purchase. 
  • Check the amounts: thoroughly check the slip before signing and particularly make sure that you approve the total amount on the slip, because there is sometimes an intermediate total followed by an additional line for a tip.