Back to Basics – Software as a Service (SaaS)

August 16, 2018

Instant issuance is emerging as a key element in branch transformation to respond to the on-demand expectations of customers. Financial institutions are discovering that an in-branch instant issuance solution quickly delivers on service and speed, expediting cards into cardholder hands. However, questions often arise when choosing between delivery models.

There are two main categories of instant issuance: Software-as-a-Service (SaaS), where the software is a cloud-based “cloud” service and Software for Purchase (SFP), in which the institution owns the server and software. CPI highlights the differences between the two models in this white paper.

In brief, I have outlined how a SaaS instant issuance solution model works.

What is “Software as a Service”?
Software as a Service is a cloud-based application hosted by a third party and delivered via the internet. “Cloud-based” is an interchangeable term often used to indicate the software is stored in the “cloud” (on a third-party’s servers). Access to the software is gained through an online portal. Common examples of SaaS programs would be internet search engines, social media platforms, and an assortment of online tools, such as banking applications, payroll services, learning systems, service desks, and many others.

A SaaS instant issuance model offers the ability for financial institutions to use an internet connection to create and print a card order to a designated printer, in branch. The leading benefit of a SaaS solution, like CPI’s Card@Once®, is that there is no software or servers for the issuer to maintain – the solution provider securely manages it all. Once network settings are established, there is no need for additional IT staff or resources.

What network set up is needed for SaaS instant issuance?
The SaaS provider directs the settings to access their servers for branch printers to receive remote print commands. Typical network installations can require Dynamic Host Configuration Protocol (DHCP) to ensure each printer has a unique IP address. A reputable instant issuance supplier will provide a set of instructions to access available internet ports, and will assist staff in establishing connectivity.

When a card print is requested, an encrypted message travels via the internet to the remote servers where calculations are performed and a secure print command is then sent out to branch printers.

Who is responsible for the keys?
The SaaS solution provider owns the server and Hardware Security Module (HSM). Key components ship securely from processors to the SaaS vendor and are downloaded by experienced key custodian teams. Keys are stored within facilities that meet PCI compliance for key control and the supplier accepts responsibility for security of the keys and software updates.

The importance of the responsibilities around cryptographic keys cannot be overemphasized. All financial institutions that offer payment cards arrange for encrypted keys from their processor for their specific Bank Identification Numbers (BINs). Production keys are required for each card print to calculate the correct values that appear on the card (i.e. CVV2 or security code that appears on the back of the card). Cryptographic keys must be correctly loaded and used for each print in order for cards to validate. Having a team of experts from a solution provider to handle the HSM and the keys is a major advantage.

What is a plug-and-play solution?
For banks and credit unions that have limited IT resources, a SaaS solution can be attractive because it offers “plug-and-play” availability. Typically, the term plug-and-play refers to a piece of hardware that can be used immediately upon plugging it in without additional programming.

With Card@Once, software programming is already complete, so printers arrive at the branch ready for an Ethernet connection to access the internet and a plug for an electrical outlet. For security, a specialized security key is preprogrammed to match the printer. The key ships in a separate package and must be used to verify authenticity. Once the verification step is completed, card printing can begin right away.

To contrast, with a SFP set-up, the delivery of the dedicated server, HSM and printers is the beginning of the programming process. The financial institution is then responsible for the install of the card printing software, the secure download of key components, all network implementation and the onboarding of employees.

In conclusion, it is important to note that the needs of every financial institution are different, and there is no “one-size-fits-all” solution. However, for decision-makers tasked with finding an instant issuance solution that is the best fit, knowing these terms and having a deep understanding of the options can go a long way towards feeling confident about your decision.


Back to Basics – Card Design

July 19, 2018

Cards are everywhere — relied on to purchase goods, grant access to buildings or memberships, earn brand loyalty points, discounts, and more. Companies can visually enhance cards to appeal to a wide audience, inspiring usage while creating a preferred, top-of-wallet experience. Card designers are able to create a product used routinely in everyday life and capture the vibe of brand, a company’s messaging, or reflection of their audience. However, the personnel most often charged with developing and approving card program designs, typically, are not the card designers. As a guide, below is a back-to-basics breakdown of an approach to the card design process.

A creative brainstorming session is essential to the beginning of any card design. Take a look at what is inspiring and think about how to apply it to card design. The creative brainstorm can pull from a variety of items, such as the geometric pattern in the architecture on a building, the texture of a piece of metal, or the sparkle or shine of a car. This early stage in the process is the time to evaluate design trends and determine what should apply to your card design. Often, a mood board is created to narrow down concepts for the card design. A mood board is an arrangement of different inspiration points (photos, colors, and swatches). From there, you can see which elements work together and incorporate into the card design, and even, determine placement of these elements on the card.

Choosing materials
Once the creative direction is defined, it is time to move to material selection. Material selection influences the unique characteristics of a card, such as a colored or metal edge, added weight and rigidity, a reflective foil appearance, or a unique visual effect created by a color-shifting pigment or spot gloss. Material choices also create texture and can be used to highlight effects when the card is tilted in the light, while creating a tactile experience affecting how the card feels in the hand.

It is important to remember, however, the goal is to create a product crafted for both form and function – a valuable product that can bear significant importance to a cardholder. From premium metal cards to gift cards, to dual interface and technology cards, each card has a purpose and it is important for the design to complement its functionality while resonating with the user. For example, if the card is intended to be a dual interface EMV payment card, choose materials that maintain the integrity and functionality of the technology. Ultimately, the card needs to be built from the correct materials to meet International Standards Organization (ISO) specifications and brand association guidelines to ensure it can swipe, dip, scan and wave as intended.

As material selections are determined and the card moves into manufacturing, this is where it all comes together. Manufacturing decisions should be made with the mindset of ensuring that a card can be produced successfully for a reasonable cost. For instance, once the card exists, how will it be customized for the end user? Using a supplier that can produce cards and personalize them is a major advantage. However, in the case where a card is manufactured separately from the personalization bureau, the two entities will have to work together to manufacture a final product.

If personalization is required, this is the time to decide on the elements that make each card unique to the individual cardholder. If there is a cardholder name, will that name be embossed, flat, or laser printed? Perhaps the designer prepared for one of the new trends such as vertical cards or personalization on the back. This is a great opportunity to “expand the canvas” of the card to include custom carriers and materials that carry the design through, as well.

Outside of the card itself, considerations need to be made about how the card will reach the cardholder. What sort of packaging will it have? Will it go through automated processes to fit into a package, mailer or envelope, or does the card need to be securely displayed in a retail setting? The only limit to packaging options are imagination and budget. Truly high-end experiences can be created for special cardholders with hand-packaged boxes, cartons and priority delivery.

Card design does not end with the graphics; the card is a product where materials and craftsmanship are important to the success of the end product. The experience of receiving a card should be exciting and inspire the end user to use the card again and again. This is true regardless of whether the card is received via mail from a financial institution, issued instantly, or purchased from a retail outlet as a prepaid or gift card. A recipient who is delighted by the way their card looks and performs benefits from the time and attention applied to the design, and that happy experience becomes a reflection of the brand, as well.

Developing a card can feel like a lot of pressure for those charged with the design. However, if the project is approached with the steps from initial creative brainstorming, to material selection, manufacturability and distribution, ultimately there will be a fully functioning, beautiful, and hopefully, valued card product in the cardholder’s hands.


Back to Basics – Dual Interface

June 20, 2018

We get many questions from people about dual interface cards and what happens during a transaction, such as, “When you tap a dual interface card, what is actually happening?” I was asked to go back-to-basics and reveal what happens behind the scenes of a dual interface tap or wave. What if I were to tell you by the time a dual interface card is tapped, all the information between card and reader has already been exchanged? The End. Well, that may make for the shortest blogging career on record, so instead let us take some time to examine what happens during the time a customer is reaching out to make a contactless payment.

Starting from the perspective of the payment terminal, the common card reader in the grocery store checkout line is operating at or near a radio frequency of 13.56MHz. Considered “high frequency,” 13.56MHz compares to an amateur ham-radio operation; higher than AM radio waves, but not as high as FM radio or television broadcasts. When activated, the card reader will produce an alternating magnetic radio field, looking to establish contact with a payment object. “Payment objects” include a variety of devices such as phones, watches, cards or other technologies with payment data; but for now, we’ll focus on cards. Before the data can be received, the card reader has to do three things: establish contact with the card, open a secure communication channel, and then negotiate the communication speed with the card. Finally, the terminal finds the EMV application on the chip and starts reading the data tags to get directions for handling the transaction.

Let us flip our perspective to focus on what is happening with cards during a payment transaction. Cards may also be referred to as “proximity cards,” which are smart cards that become active when in proximity to a card reader, and can be either pure contactless or dual interface. These cards are designed to meet ISO standards. Proximity cards have an embedded antenna that functions at or near a frequency of 13.56 MHz. When a card approaches the radio field of a reader, energy from the reader crosses the antenna in the card and generates a current flow. Usually the needed power level is achieved when the card is within 4 cm of the reader, which causes the chip to come alive to transmit its data.

As the cardholder extends the card towards the terminal, the radio frequency emitted from the reader inductively couples to the antenna in the card and turns on the chip. The card is a passive receiver of energy, harvesting what is needed for the chip with no additional power source required from the card itself. Now the chip is on and ready to share its stored information.

The card waits for the first command from the terminal, and then responds with an “answer.” The terminal finds the EMV application and reads the data tags on the chip to get directions for handling the transaction. Data tags are bits of accountholder information encrypted and securely stored on the EMV chip. Some you would expect, such as cardholder name, expiration date of the card, or primary account number, and others are more obscure, as in “card risk management data object list” (there are two of those!). A complete list can feature more than 30 separate data tags.

So far, the chip has come alive and is transmitting its data tags to the terminal – all in about a half of a second. The cardholder is still moving the card towards the terminal at this point. The reader will use information from the card to determine if the card should be declined, if it should go online to get authorization from the core processor, or if it can be accepted as an offline transaction. If it requires online authorization, an Authorization Request Cryptogram (ARQC) will be sent to the host system for final card validation. The host (core processor) calculates an Authorization Response Cryptogram (ARPC) and sends it back to validate the issuer.

After these two additional snippets of data are exchanged, the card is close enough for a physical tap. As the light flashes and the card reader emits a beep, the cardholder can safely return the card to their wallet because even as they withdraw the card, the transaction is already complete. The entire transaction process of waving the dual interface card usually takes around one second in real time.