Prsentation PowerPoint

1
FROM XIRING Nathalie HA Business Development
Manager ZBP CONFERENCE, 19th February 2007
2
THEME  How to strenghten the security of
E-Banking channels by optimizing investment in
EMV 
3
DEFINITION E-banking e-banking is defined as
the automated delivery of new and traditional
banking products and services directly to
customers through electronic, interactive
communication channels. E-banking includes the
systems that enable financial institution
customers, individuals or businesses, to access
accounts, transact business, or obtain
information on financial products and services
through a public or private network, including
the Internet. EMV EMV is a standard for
interoperation of IC Card ("Chip cards") and IC
capable POS terminals, for authenticating credit
and debit card payments. The name EMV comes from
the initial letters of Europay, MasterCard and
VISA, the three companies which originally
cooperated to develop the standard.
4

• AGENDA
• PART I Introduction
• Company Profile
• Why, What and How for the Banks
• Xiring Certification
• PART II Demonstration
• Cost Versus Security
• Business Case
• Demonstration

5

• PART I INTRODUCTION
• Company Profil
• Why, What and How for the Banks
• Xiring Certification

6

• PART I INTRODUCTION
• Company Profil
• Why, What and How for the Banks
• Xiring Certification

7
Key Figures
Company profil

• Created in 1998

• Capital 3 707 797.20 euros Public Company
  (Alternext-Paris Stock Exchange)

• Turn over 2005 9M 2006 13M
• 7 Millions devices shipped arount 60 countries
• An International network of 60 business Partners

8
Shareholders
Company profil

• Prestigious and Stable Shareholders

9
Who we are
Company profil

• XIRING is a leading European player providing
  smart card-based solutions for strong
  authentication, digital signature and secure
  transactions.

• XIRING has built a strong expertise in smart card
  technologies, such as security and encryption,
  smart card protocols and masks, smart card
  readers and terminals

• XIRING designs, manufactures and markets products
  and solutions leveraging the security mechanisms
  of smart cards.

• 3 Sectors
• Banking
• Healthcare systems
• Others identity, transports, loyalty

10

• PART I INTRODUCTION
• Company Profil
• Why, What and How for the Banks
• Xiring Certification

11
Why, What and How for the banks
Why
-Something I have (a simple token) is not
suffisant for high level of security

• Passive Password, Single Factor has shown it
  weaknesses, numerous and famous banks have been
  attacked during these last years.
•  Financial institutions engaging in any form of
  Internet banking should have effective and
  reliable methods to authenticate customersThe
  risks of doing business with unauthorized or
  incorrectly identified persons in an Internet
  banking environment can result in financial loss
  and reputation damage through fraud, disclosure
  of customer information, corruption of data, or
  unenforceable agreements.  FFIEC, Summer 2006
• Strong authentication based on two factors
  authentication is today the recognised scheme to
  fight against Man in the middle, Phishing,
  Identity Theft.

-Something I have (the bank card the bank
reader) -Something I know (the PIN Code)
12
Why, What and How for the banks
What

• Readers based on Smart Card Technology
• Certified by International Standards (EMV, CAP,
  DPA)
• Nomad
• Secure
• User-Friendly

13
Why, What and How for the banks
How

• Our expertise in Smard Card Technology and
  Authentication Standard Definition Actor give us
  the legitimity
• To offer a product range based on Smart Card
  Security
• To be up to date to the lastest version of
  authentication standards
• To guide specification redactors
• We have conceived the most convenience offers for
  banks in order to
• Optimize current investment on EMV
• Maximise the security of the products delivery
• Facilitate the customer use
• Strongly authenticate banks customer

14

• PART I INTRODUCTION TO XIRING
• Company Profil
• Why, What and How for the Banks
• Xiring Certification

15
Xiring Certification

• First EMV CAP certified device in the industry
  (Xi Sign 4000)

• Xi Sign 4000 is also developed under Visa DPA
  (CAP extension)

• Xi Sign 4000 is CAPv2 EPCI certification

• Xiring is participating in the Master Card CAP
  specification evolution.

• Leading actor in the definition of the
  specification Banksys, CAP, DPA, APACS.

• Visa Vendor member and a Master Card Vendor
  member

• OTHERS
• SESAME VITALE, MONDEX, INTERPAY, MEPS, MONEO, GIE
  CB, FEDICT, Banque CARREFOUR

16

• UNDERSTAND EMV/CAP Authentication
• EMV migration in Europe
• EMV Card OTP and Signature (Challenge/Response)
• Authentication System based on existing investment

17
EMV Migration in Europe
Legend
EMV Deployment
Total Of cards
Sup to 50
EMV Cards
5 to 50
Under 5
Central Europe
21
Eastern Europe
10
145
Nordic Denmark
133
6
2
Baltic
51
6
126
UK Ireland
124
45
Benelux Switz
50
53
Germany Austria
3
182
Eastern Europe TURKEY
Central Europe Greece
35
South Europe
Source 2006 Business Dev Xiring
18

• UNDERSTAND EMV/CAP Authentication
• EMV migration in Europe
• EMV Card OTP and Signature (Challenge/Response)
• Authentication System based on existing investment

19
EMV/CAP Card OTP and Signature (C/R)

• Chip Authentication Program (CAP) from MasterCard
  
• Dynamic Passcode (DPA) from Visa
• Global standards
• Insure Interoperability

Diversify Keys
Diversify Keys
EMV Crypto Engine Algo MAC
EMV Payment Application Environment
EMV Authentication Application Environment (CAP)
Transaction Application Counter
Transaction Application Counter
Card PIN Management
20

• UNDERSTAND EMV/CAP Authentication
• EMV migration in Europe
• EMV Card OTP and Signature (Challenge/Response)
• Authentication System based on existing investment

21
Authentication System Basedon Existing investment
Based on 0.4
Based on 200K
22
Card Not Present (CNP) fraudNow the biggest and
fastest growing category
Benefits Fight against CNP
23
Benefits Customers recruitment and retention

• Major potential benefits
• Average costs of recruiting a new customer are
  very high
• Typical industry estimate 50 per customer
• Industry best practice is that focus on retaining
  best customers is much more profitable than
  indiscriminate growth
• CAP could be a powerful differentiator
• Especially to on-line customers with security
  concerns (attractive, growing market)
• Especially with creative, targeted marketing via
  appropriate channels immediate effect if
  successful
• And customers more locked-in once recruited
• But CAP could also put customers off in some
  markets
• And these benefits only apply to first movers
  CAP as a competitive weapon!
• 1.00 / cardholder / year

24
Benefits Internet Fraud and Related Costs

• Number of transactions increases when security is
  improved
• Number of fraudulent transactions reduced by CAP
  
• Without CAP/DPA 0.050 transactions
• With CAP/DPA 0.013 transactions
• Additional benefit Average transaction value
  with CAP increases from 93 to 220
• 0.50 / cardholder / year

-75
110
() Based on MasterCard clearing and CB
statistics 2004 European Average
25

• PART II DEMONSTRATION
• Cost vs Security
• Success Stories
• Demonstration

26

• PART II DEMONSTRATION
• Cost vs Security
• Success Stories
• Demonstration

27
Cost vs Security
COST
SMS
Token
OTP, Signature
OTP Smart Card
Scratch-List
Electonic Matrix
Login/Static Password
One factor authentication
Two factors authentication
SECURITY
28

• PART II DEMONSTRATION
• Cost vs Security
• Success Stories
• Demonstration

29
SOME REFERENCES WITH THIS STANDARDIZED SOLUTION.
Success Stories

• CURRENT IN PROJECT 2007-2008
• Barclaycard, Pilot (UK)
• Royal Bank of Scotland (UK)
• UBS, Private Smart Card (Switzerland)
• Postfinance, Pilot (Switzerland)
• Nordea, Postgirot (Switzerland)
• Banka Koper ( Slovenia)
• PBZ (Croatia)
• Credit Mutuel (France)
• BNP Paribas (France)

3 TOP UK Banks!
15 TOP Central and Eastern banks!
4 TOP French Banks!
30
UBS (Switzerland), business case of Project
Management
Success Stories

• Bid in 2001. XIRING selected, against US and
  European competition
• Deployment from June 2002
• Specification development of a Smart Card based
  solution by XIRING (same mechanism as CAP)
• Application 2 factor authentication for remote
  banking
• Many Contractors
• - Cards Axalto (former Schlumberger)
• - Card Readers XIRING
• - Personalisation and Fulfilment TRÜB
• - Back office integration UBS IT
• Additional convenient services CASH balance,
  Calculator
• Lessons learned
• - Reader customization and user interface ( 3rd
  generation)
• - Packaging and fulfilment ( Optimisation of
  logistical Costs)
• - User guide ( Reduction of Support Costs)
• Business Benefits Security Level, Customer
  Confidence, Enhancement of Bank Image

31
(No Transcript)
32

• PART II DEMONSTRATION
• Cost vs Security
• Success Stories
• Demonstration
• OTP (against identity theft)
• C/R (against phishing)
• TDS (against man in the middle)

33
They Talk about
34
One Time Password - Authentication Process
(1) Login
Yes
Bank Frontal Web or Intranet
(8) Access control
No
(5) Data formatting
Server
(3) Enter PIN Code
(4) OTP
(7) Crypto Engine
HSM
(6) User ID and rights checking
(2) Insert Card
DataBase
35
Challenge and Response - Signature Process
(1) Login
Yes
(3) Challenge
No
Bank Frontal Web or Intranet
(10) Access control
(7) Data formatting
Server
(5) Enter PIN Code
(6) Response from the reader
(9) Crypto Engine
(4) Enter Challenge in the reader
HSM
(8) User ID and rights checking
(2) Insert Card
DataBase
36
Demonstration
Xi Sign 4000
Bank Website
Bank Card
37
Xiring Banking Range
Turnkey Solutions
Products
Very Nomad Touch Play Secure (OTP)
O2S Banking
Multi-devices Multi-servers Multi-services
Xi Sign 1000
Very Nomad Touch Play Highly Secure (OTP)
Xi Sign 2000
Nomad Comfortable Highly Secure (OTP C/R)
O2S Pilot
Xi Sign 4000
Design for Disabled or Visually Impaired
persons Nomad Highly Secure (OTP C/R)
1000 Xi Sign 4 000 1000 EMV/CAP Cards 1 Server (6
months license)
Xi Sign 4500
Connectable Nomad Comfortable Highly Secure
(OTP, C/R)
Xi Sign 6000
38
DEKUJI !
DZIEKUJE!
n.ha_at_xiring.com 33 686 360 428
With  Bring your smart card to life !  
XIRINGs innovative solutions increase the
smart card value and bring security and
confidence to end users.

•  River Seine  - 25, quai Gallieni - 92150
  Suresnes - FRANCE
• Tel. 33 1 46 25 80 80 - Fax 33 1 46 25 80
  30 - www.xiring.com

39

• Xiring References in other fields

40
Healthcare Clients References
France
France
Belgium

Portable terminal for healthcare professionals
with the SIZ card.
Signature of e-claims by nurses and other
professionals
Internet terminal for  carte vitale  data
updates
 Ambulancier ,  Consulteur Vitale , strong
authentication for CPS cards 50 000 XIRING
readers for healthcare professionals 15 000
XIRING terminals for pharmacies (60 of the
French market)
41
Corporate, administration Service Clients
References
Transportation France
Transportation Europe
Identity Belgium
Xi-Pass terminal for the Belgium e-ID card.
Transportation ticket control
D-Box, download of tachograph card
Port Authority of New-York, RATP, SEMIAC, CTRB,
Glasgow Rangers, Swenska Golffôrbundet,
Connexioncard
42
Business Partner Program Clients References
Bank Europe
Services Brazil
Bank Mexico
Reader for EMV card payment loyalty points
DUET card based payment system
Voucher Management
Savingsbank of Uzbekistan, ID card of Estonia