Overview
Payments made by electronic methods, known as EFT or Electronic Funds Transfers range from multi-million pounds or dollars transferred between banks down to the small values paid in shops. Electronic payments in shops are called EFT/PoS or Electronic Funds Transfer at the point of sale. PoS can be interpreted as 'Point of Service' where service includes the sale of goods. EFT/PoS schemes present interesting and somewhat difficult problems of security which are the subject of this Chapter.
EFT/PoS is not an entirely new development but can be seen as either an extension of the ATM (Automatic Teller Machine), which dispenses cash or an extension of the way that credit cards are used. The ATM provides cash which can be regarded as another kind of service resulting from electronic funds transfer. The credit card results in a funds transfer to the shopkeeper and an entry in the credit card account. Although the nature of the transaction is different, the mechanisms for supporting it can be very similar to those of EFT/PoS. Since the established mechanisms for ATMs and credit cards are entirely different, the one using on-line access to a central system and the other depending mainly on paper vouchers and signatures, there tend to be two different ways of looking at the EFT/PoS, depending on which existing system is used as the point of reference. Consider a way in which an EFT/PoS transaction progresses. The person making the payment carries a plastic card (which may be a smart card) and this is his method of entry into the system. We shall call this person the card holder. Before the payment is made, the card holder and shopkeeper have agreed the amount of payment and this has been entered into the system. This might be keyboarded by the shopkeeper or transferred from a petrol pump or it may be part of the point of sale system at a supermarket checkout .
The transaction begins by the reading of data from the card holder's card. This serves to identify the card and may to some extent authenticate the card as genuine. A smart card is more able to provide authentication than a magnetic stripe card (see discussion below). Since the card might have been stolen and it is really the person we wish to authenticate, not the card, the next step is to require something from the person, namely either a signature on a piece of paper or a personal identification number (PIN). This PIN is no more than a password, usually rather short such as four decimal digits. If a signature is used, authentication of the person depends on the sales person comparing this signature with the one on the card but we know that this process is more often skipped than carried out.
About Thales
Thales is a leading international electronics and systems group, addressing Defense, Aerospace and Security markets worldwide. Thales's leading-edge technology is supported by 22,000 R&D engineers who offer a capability unmatched in Europe to develop and deploy field-proven mission-critical information systems. To this end, the group's civil and military businesses develop in parallel and share a common base of technologies to serve a single objective: the security of people, property and nations. The group builds its growth on its unique multi-domestic strategy based on trusted partnerships with national customers and market players, while leveraging its global expertise to support local technology and industrial development.
