It is not by chance that more than a third of commerce in France is affiliated to the CB system, which in 2016 represented turnover of €465.6 billion in card payments and €126.9 billion in cash withdrawals.
Its major principles are interbank operation and universality, leading to the widest-possible acceptance of the CB card.
Lastly, the CB system has security imperatives, which ensure that everyone can use their cards anywhere in complete confidence.
The major basis of the CB system is interbank operation. This is the ecosystem that allows the CB card to be accepted, whatever the name of the merchant’s bank or the customer’s bank.
A few figures summarise the success of the CB card:
It is accepted in more than 1,500,000 local shops, almost 850,000,000 remote sale transactions, and more than 57,000 automated teller machines.
The essential prerequisite for interoperability is standardisation: for the CB card to be accepted everywhere in France and abroad, it must comply with shared standards. This is why CB is heavily involved in the working groups aiming for broader standardisation, and therefore greater interoperability, particularly at the European level.
In this three-stage mechanism, CB participates in public standardisation bodies such as the ISO, and also in worldwide private standardisation initiatives such as EMVCo and European initiatives within SEPA, with the very strong involvement of the various European working groups.
The norms are formalised by the documents produced by the institutional organisations (AFNOR, CEN, ISO). They constitute the building blocks for constructing standards and specifications. In relation to the card, they may apply to all manufacturers or to given sectors (banks, telecoms, health, transport, administration, etc.).
Standards are formalised by documents based on norms and are produced by a set of players for customisation to a more restricted level (see specifications).
Specifications are formalised by documents based on norms and standards, in a context that is narrower than the production of the standards themselves (for example within a company or a professional organisation).
A huge standardisation movement accompanied by appropriate legislation was launched at the European level as part of the SEPA (Single Euro Payments Area).
CB is playing a driving role in this context alongside other key players in card payment systems in various European countries, including: Germany, Belgium, Denmark, Spain, Holland, Italy, the United Kingdom, Norway, the Netherlands, Portugal and Sweden.
This European standards and legislative process covers all elements of the card payment value chain, namely:
All of this work goes beyond the framework of SEPA and now covers all requirements of the international e-cash community.
NEXO is an international non-profit-making association resulting from the merger of EPASOrg, the OSCar consortium and the working group EMV Common Implementation Recommendations (CIR). It includes 64 members including all players in the e-cash value chain (merchants, card payment systems, payment solutions providers, payment transactions processes, bank acquirers and international associations).
Its objectives are:
To perform these tasks, Nexo uses innovative specifications and protocols: the EPAS protocols (international ISO 20022 standards) the SEPA-FAST and OSCar specifications (OIS specifications).
The European Card Payment Association covers the domestic card systems of each European country and the organisations responsible for fundamental functions such as the certification of hardware used in the card payments value chain.
The ECPA is a vector of cooperation and the representative voice of its members to European institutions such as the European Commission, the European Central Bank, the European Banking Authority and other stakeholders on subjects such as legislation, security and standardisation in the field of card payments.
OSeC (Open Standards for Security and Certification) is a European payment systems initiative extending the European work of the CAS (Common Approval Scheme) group in the field of payment terminals (POI – Point of Interaction).
The objective of OSeC is to coordinate pilots intended to validate the feasibility of security developments to the POI according to the Common Criteria (CC) methodology.
The certificates obtained may then be recognised by the various payment systems in their respective certification processes, thus simplifying and reducing the cost of the certification process in the SEPA.
CB is a major player in the work initiated under the various standardisation organisations, whether at the national level (French standardisation association or AFNOR), the European level (European Committee for Standardization or CEN) or internationally (International Organization for Standardization or ISO).
These organisations define the standards relating to all the links in the CB system, such as:
“CB” presides over several AFNOR standardisation commissions, the European inter-sectoral committee on cards, personal identification and digital signatures (CEN/TC224), and the ISO group that defines the standards for the contact smartcard used throughout industry and user sectors.
The SEPA project (Single Euro Payments Area) follows on from the European Directive on Payment Services (2007/64/CE, dated 13 November 2007), which aims to ensure equitable and open access to payment markets and to strengthen consumer protection.
In this context, the SEPA specifies the harmonisation of means of payment in three areas: bank transfers, direct debits and payment cards in Europe.
To reach these objectives, the European banks and their professional organisations created the EPC (European Payments Council) in 2002. It established the SEPA Cards Framework, which defines the high-level principles aiming to allow cardholders to make payments by bank cards in Europe with the same ease of use as in their own countries.
FOR MORE INFORMATION, DOWNLOAD THE FOLLOWING DOCUMENTS:
Some thoughts on the "Green Paper" SEPA for cards : work in Progress (31.01.2011)EPC card fraud prevention - forum (22.07.2010)SEPA, un nouveau paradigme pour les systèmes carteA l’échelle européenne, le SEPA aboutit à une redéfinition de l’interbancaritéResponse to the eurosystem questionnaire for the SEPAEuropean payments market needs "level playing field" (extract from parliament magazine)CB POSITION paper on mif regulation and psd 2
EMV is an international standard for smart debit or credit cards initiated by the EMVCo consortium. It provides a level of security much higher than for cards with magnetic tracks and is largely based on the original CB smartcard.
France, together with Great Britain, was one of the first countries to entirely migrate to the new EMV standard. Today, most European countries have adopted it and are migrating the installed base, and it is the same for certain countries in Asia and America.
Users of the EMV standard have formed the CIR (Common Implementation Recommendations) to specify the EMV specifications and facilitate their implementation. CB contributes to this working group, which has also given rise to SEPA-FAST (Single European Payments Area – Financial Application Specifications for Terminals). The participation of CB does not stop there and extends to other groups working on the standardisation of payment systems in Europe.
Trust in the CB card is based on security. To ensure it, the CB card must have the best security systems, which must constantly evolve along with the sophistication of fraud.
CB also takes care to preserve a balance between security and ease of use. Security must not reduce the ease of use of the payment system that is preferred by the French.
These elements contribute to making the CB card one of the safest means of payment in the world.
Security that is constantly improving
Improvement of the security of payments by CB card is continuous work.
Your next CB card will be even more secure than the current one, which is itself more secure than the previous one.
Of course, this does not discharge users from following a few elementary precautionary rules.
Fraud in payment cards can be defined as the use of a card by a person who is not the legitimate holder. There are three cases:
Cases of counterfeiting concern the card’s magnetic track. Reproduction of the track can allow fraudulent use in countries where smartcard technology is not used. Copying the magnetic track – either by a malicious person or through a system placed on the payment terminal or the ATM – is known as "skimming".
The CB system has a database that is constantly supplied: the Cartes Bancaires Information System (SICB). This tool is essential for the finest possible characterisation of the frauds that are observed (operating procedure, place, etc.). It also allows very quick detection of potentially-suspect transactions, for example: unusual withdrawals in a foreign country where the level of security of card transactions is lower than in France.
CB cannot fight fraud alone. It cooperates firstly with its members, to whom it reports all suspicions of fraud, so that they can warn the cardholders concerned. The fight against fraud is a community process where each bank takes the final decision. Within the CB, a dedicated team cooperates with the legal system and the police.
The core element in the security of CB bank cards is the chip. It is a sort of strongbox, highly secured through cryptography. This "strongbox" contains data for which the level of protection must be maximum. In particular, these include: the cryptographic keys specific to each card, the confidential code which forms a unique pair with the number of the card, and the attempts counter, which allows the card to be blocked after three erroneous codes.
The technical characteristics of the chip are constantly evolving. Under the auspices of CB, the manufacturers of electronic components for CB cards must also submit their products to "state-of-the-art" security tests to independent laboratories approved by the national information-systems security agency (ANSSI).
As it is an industry that is constantly developing, your next card’s chip will be even more secure than the one in your current card.
One of the factors in securing remote transactions is the three-digit number written on the back of the card, in the signature panel. Associated with other characteristics of the card (number and expiry date), it forms a combination specific to each card.
All of these elements constitute card-personalisation data, calculated by the cryptographic tools of each issuing bank; they are then sent to the card-personalisation workshops approved by CB and regularly audited. These workshops have a level of protection, both physical and logical, that is equivalent to those that manufacture notes for the Banque de France.
Cryptography is a discipline that is used here to perform card authentication, to contribute to the confidentiality of the dialogue between the card and the payment terminal or ATM, and to supply a transaction "signature" from the chip. For this, it uses encryption algorithms and secret keys whose configuration is constantly evolving to remain at the state of the art.
For an even greater degree of security, the cryptography used in the CB system is based on a "DDA" or Dynamic Data Authentication technique. It consists of incorporating, into the chip-terminal exchanges, variable elements specific to each transaction thus identified as unique, so that this identifier cannot be copied or replayed.
Automated systems and payment terminals meet the requirements for standardisation and security that are mainly established internationally by PCI-SSC for terminals (Payment Card Industry - Security Standards Council).
This organisation updates and disseminates its specifications over a cycle of 3 years, at the end of which a new version is applicable to manufacturers who wish to obtain the "PCI" certification for their new terminal models.
Starting from initial data-security requirements covered by PCI-DSS, PCI-SSC specifically defined two very important reference frameworks, one for payment applications PA-DSS, and the other for terminals and the protection of the confidential code PCI- PTS (Pin Transaction Security).
In Europe, CB actively participates in the EAST (European ATM Security Team) working group, which concentrates on attacks specific to ATMs.
Each type of terminal automated system has its own security reference framework. Protection is firstly physical, with systems designed to make it extremely difficult to copy the magnetic strip (AFAS Anti Fishing-Anti Skimming standards from CB) particularly on ATMs and automated payment terminals, and to protect the entry of the confidential code (visual protection of the keyboard by a privacy shield).
It is then logical, in accordance with the PCI- PTS reference framework and with the demanding requirements for encryption protecting the confidential code when it is entered through the keyboard and throughout the dialogue between the card and the terminal.
Lastly, transactions on ATMs, automated payment terminals and particularly automatic fuel distributors are always subject to authorisation.
Payment terminals connected in IP mode are subject of specific security requirements for their communications with the acquisition systems. All sections between the terminal and the acquisition server must be encrypted according to a protocol using asymmetric cryptography and certificates.
The authentication of the server by the terminal must use a certificate issued by a Certification Authority authorized by CB.
The list of authorized Certification Authority is the following:
On information systems belonging to certain merchants, e-commerce sites or card payment platforms that are insufficiently secured; sensitive data from CB cards can sometimes be the target of compromise and then be used fraudulently to make payments for remote sales, face-to-face payments and withdrawals, mainly abroad on payment systems with little security.
It is therefore of the utmost importance that, whatever the size of the players concerned (banks, merchants and service providers), appropriate investment is made in securing the sensitive data of card transactions. Ensuring the confidentiality of this information gives the holders of CB cards protection against the risk of fraud and also against possible breaches of privacy.
This is why the banking community and “CB” share the objectives of the PCI-DSS reference framework, which is itself derived from ISO standards on the security of information systems, aiming for a high level of protection of sensitive card-related data. The community considers that the security objectives defined by the PCI-DSS reference framework correspond to the state of the art of what is currently recommended by experts for securing databases, the exchange of information and for access control.
Several years ago, all of the players concerned initiated programs to secure this sensitive data; currently, numerous merchants and service providers have already finished or are about to finalise their compliance with PCI-DSS.
Remember that the PCI-DSS reference system was defined by PCI-SSC (Payment Card Industry Security Standards Council), an organisation founded in 2005 by the main card payment systems: MasterCard, Visa, American Express, Discover Financial Services and JCB. This standard defines the security requirements concerning the protection of sensitive data from bank cards. It applies to all players that process card payment transactions, particularly to merchants and e-commerce sites, and also to those who host card payment systems, including the banks. The process of checking the level of compliance with these players in relation to the PCI-DSS varies in proportion to the volume of transactions processed.
Every two years, the PCI-SSC calls the participating organisations to designate their representatives to the advisory committee, the "Board of Advisers". In this context, CB has just been selected to sit on the select committee of experts whose composition has been set until 2012.
Since 2005, “CB” has decided to grant CB referencing to certain companies that are already certified "QSA" (Qualified Security Assessor) at PCI-SSC to perform PCI-DSS audits.
CB referencing ensures, for merchants and CB acquirers, that a range of services exists in the French language, adapted to the CB market and that there is total confidentiality of the data collected during these audits.
6 "QSA" companies currently have CB referencing granted :
MORE AND DOWNLOAD:
In an e-commerce transaction, the customer must provide at least the number of their CB card, its date of expiry and the 3 figures shown on the back of the card.
An additional layer of security has been introduced for online transactions with "3D Secure": this is a set of procedures for authenticating the holder of the card who ordered the payment.
Specific authentication procedures have been implemented in three areas (3-D): the relationship between the bank and its cardholder customer, the relationship between the bank and its e-merchant customer, and the relationship between the customer’s bank and the e-merchant’s bank.
In concrete terms, for the holder who makes a "3D-S" e-commerce purchase, this results in procedures that may vary from one bank to another:
How does an on-line payment proceed?
For safe online purchasing, as well as the general precautionary rules:
The security of the CB bank card does not mean that you must not follow a few commonsense rules for using it in complete security:
WHAT SHOULD BE DONE IN CASE OF LOSS OR THEFT?
"The legislator has covered the case of loss or theft of bank cards and the effects of invalidation on the holder of the card. Thus, article L133-19 (ordinance n°2009-866 dated 15 July 2009) of the French monetary and financial code specifies: -I -In case of unauthorised payment transactions consecutive to the loss or theft of the payment instrument, the payer shall bear, before the information specified in article L133-17, the losses stemming from the use of this payment instrument within the limit of €150. Nevertheless, the responsibility of the payer is not implicated in case of unauthorised payment transactions carried out without use of the personalised security mechanism".
In other words, in case of loss or theft of the bank card, an excess charge of a maximum of €150 is applied to the amounts debited before the invalidation date except where these transactions have been made without the confidential code.
Your place of stay: