Using ID-card for payments

Source: eid.eesti.ee


Overview

Compared to a loyalty card system, a payment card system is oriented towards secure and verifiable transactions. A transaction is usually recorded electronically through the use of a particular payment card, so significantly stricter security requirements apply to a payment card: the card must be fraud proof, and unauthorized use of the card must be excluded. Because it is highly resistant to falsification and offers a high level of security, an ID-card is therefore a perfect tool to use as a payment card.

A specific implementation example is presented in Edelaraudtee ID-card based payment card.

Advantages of using an ID-card in payment solutions:

  • An ID-card is designed, physically and electronically, with security and fraud resistance in mind. Issuing, continuously developing and managing a card with comparable security is very costly and requires highly skilled specialists.
  • An ID-card is practically fraud proof – no fraud has been identified with this type of card.
  • An ID-card enables physical personal identification, electronic personal identification and digital signing.
  • A payment service provider does not have to deal with card issuance or with lost-card and card-closing procedures – these are already covered by the state.


Purpose

An ID-card is used as an automated customer identification tool in the ID-card based payment card system. Using a secure and fraud-proof card in the system enables solutions where a customer does not have to pay for services immediately with cash or card. Instead, the transaction that took place is confirmed with an ID-card, and the actual payment follows either later or automatically in a card-linked payment system. This approach saves significant time during a transaction; it also offers additional convenience to loyal customers who frequently consume products and services.

The ID-card based solution makes it possible to achieve a very high security level, which even exceeds that of the chip card based payment card systems used in banking today.


Solution description

The ID-card based payment card system allows payment services to be implemented at different security levels, depending on how convenient and fast the recording of the transaction must be and how strict the requirements for secure transaction verification are.


The general logic of all payment card solutions is relatively similar – a customer is identified electronically by their ID-card, and thereafter they are able to use the payment functionality. The use of an ID-card gives the operator of the payment system certainty that a person is identified with sufficient accuracy; it also helps to hedge the risk of payment misuse. The payment functionality itself is not necessarily always linked to the ID-card.

The actual financial transaction can be carried out in very different ways in ID-card based payment schemes: linked to a bank card payment, through a mobile operator's mobile payment solution, or by simply granting the customer credit at the moment of payment, which the customer undertakes to settle under a subsequently issued invoice.

In principle, the following types of scheme can be distinguished among ID-card based payment schemes:

  • An ID-card is used to enter into an agreement with a customer; the ID-card is then no longer used when performing payments. Such a scheme is used in cases where an ID-card cannot be used at the time of payment due to the nature of the service, or where its use is inconvenient from a payment perspective.
  • An ID-card is used to perform payments without entering a PIN code. In such a case, a customer agreement, whereby the customer consents to the use of such a payment scheme, should be concluded beforehand. This scheme is suitable when the speed of the payment is important.
  • An ID-card is used to perform payments by entering a verification PIN code. As in the aforementioned schemes, a customer usually enters into an agreement whereby they consent to the use of such a scheme.
  • An ID-card is used to perform payments by entering the digital signature PIN code. In such a case, a prior agreement with a customer is not necessary, because an agreement can be linked to the signed payment messages themselves. The authenticity of transaction verification in the solution is guaranteed. This scheme is used in cases where the maximum possible level of payment transaction verification must be achieved.

All of these schemes are described in detail below.


An ID-card is used to enter into an agreement with a customer; when performing payments, the ID-card is no longer needed

In such a payment solution, an ID-card is only used to enter into a customer agreement conveniently and electronically, whereby the customer undertakes to follow the payment scheme principles. When a transaction is approved, various mechanisms can be used for performing a payment; the choice depends on the particulars of the technical solution used to carry out the transaction. A payment service provider/operator must pay particular attention to the security of the payment transaction mechanism in order to avoid fraudulent use. The service provider inevitably bears all such risks, since there is no reliable electronic method for establishing the identity and intent of the person making the payment.


An ID-card is used to perform payments without entering a PIN code

Such a scheme offers a customer a convenient payment, since an ID-card is inserted into a card reader without entering a PIN code. Moreover, this solution offers a service provider an automatic electronic personal identification option.

If necessary, a service provider must be able to prove to a customer that a genuine ID-card was indeed used at the time of payment (which in this case means ensuring the physical authenticity of the card) and that the user of the ID-card was indeed its owner (an employee must verify the person's identity). Identity assurance could be contractually assigned to the customer, by obliging them to immediately notify the service provider of a lost ID-card.


An ID-card is used to perform payments by entering a verification PIN code

Such a solution is typically used in web-based schemes, where a user logs in to the environment with their ID-card and, at the time of payment, the only additional confirmation requested is, for example, pressing a button.

The identity of a payer is electronically verified in the solution, but a service provider does not have electronic verification of transaction details such as the sum, the basis, etc.


An ID-card is used to perform payments by entering digital signature PIN code

This is the most secure method for verifying that the transaction has occurred. With such a payment service, a service provider theoretically does not have to enter into a prior agreement with a customer, because the terms and conditions of an agreement can be linked directly to the payment data – with a signature, a customer simultaneously verifies the transaction details as well as the acceptance of the payment service terms of use.

Digital signing gives a service provider legal protection. A service provider must make sure that, after signing digitally, a customer is able to immediately download the document they signed – this ensures that a customer can see for themselves which documents they have signed. It eliminates future disputes.

A disadvantage of digital signing is the need to obtain a timestamp on the document being signed – this inevitably requires an online connection at the place of signing.
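
The binding described in this section, shown as an added example (not code from the original page or from any ID-card software): a payment record carrying the sum, the basis and a digest of the terms of use is signed, and any later change to those details fails verification. The software ECDSA key stands in for the card's signing key, all names and values are constructed, and timestamping is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Payment is the record the customer signs; field names are illustrative assumptions.
type Payment struct {
	PayerID         string
	AmountCents     int64
	Currency, Basis string
	Terms           [32]byte // SHA-256 of the terms-of-use text in force
}

// canonical gives one fixed byte encoding so signer and verifier hash the same bytes.
func (p Payment) canonical() []byte {
	return []byte(fmt.Sprintf("payer=%q;amount=%d;currency=%q;basis=%q;terms=%x",
		p.PayerID, p.AmountCents, p.Currency, p.Basis, p.Terms))
}

func termsDigest(terms string) [32]byte { return sha256.Sum256([]byte(terms)) }

// NewDemoKey makes a software key standing in for the key held on the card.
func NewDemoKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign stands in for the on-card signing operation performed after PIN entry.
func Sign(key *ecdsa.PrivateKey, p Payment) ([]byte, error) {
	h := sha256.Sum256(p.canonical())
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify checks that sig covers exactly this sum, basis and terms text.
func Verify(pub *ecdsa.PublicKey, p Payment, terms string, sig []byte) bool {
	h := sha256.Sum256(p.canonical())
	return p.Terms == termsDigest(terms) && ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	key, _ := NewDemoKey()
	terms := "Constructed terms of use, version 1"
	p := Payment{"CONSTRUCTED-PAYER-ID", 1250, "EUR", "Ticket A to B", termsDigest(terms)}
	sig, _ := Sign(key, p)
	fmt.Println("as signed:", Verify(&key.PublicKey, p, terms, sig))
	p.AmountCents = 125000 // record altered after signing
	fmt.Println("sum altered:", Verify(&key.PublicKey, p, terms, sig))
}
```

In the PIN-verified login scheme of the previous section there is no such signature over the record, which is why the provider there holds no electronic verification of the sum or the basis.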


Challenges

Although the security of an ID-card is equal to or even exceeds the security of special chip card based payment cards, a payment application (which would allow carrying out risk control, managing off-line card use, etc.) cannot be downloaded to the ID-card.

Another significant problem in implementing an ID-card based payment solution is that there are no proven and widely used ready-made solutions. Each payment service provider is inevitably compelled to develop a solution that matches their needs. Therefore a couple of risks must be taken into account:

  • Risk to the security of the payment service business processes – a risk that the payment service business processes are not thought through thoroughly enough, so that criminals are able to find process shortcomings that can be misused.
  • Risk of errors in the technical solution of the payment service – a risk that some kind of technical error, which could be misused by criminals, is found in the payment service software.

Solutions used by international card organizations have been sufficiently tried and tested over decades; therefore the level of the aforementioned risks in them is significantly lower. Hence, payment services implemented with an ID-card should be considered relatively risky, despite the good electronic security of the card. A company that wants to implement such payment services must acknowledge all important risks and work out a risk management plan in order to hedge them.


Action plan

Implementation of an ID-card based payment card system depends largely on the business logic of the entire solution. Typically a specialized payment card system is a specific, custom solution – ready-made general purpose consumer software does not exist.

The development broadly consists of the following actions:

  • Analysis. Mapping out accurate business processes, elaborating the concept of the technical solution, defining the scope of development. Since the entire concept of the business solution has to be worked out, this stage would take at least one month.
  • Development of a component that communicates with an ID-card. A hardware and software solution that lets the payment card functionality communicate with an ID-card to the necessary extent – identifying an ID-card, reading personal info, activating digital signing. The necessary low-level components are available in the form of an ID-card app, but high-level software must be developed to link all the required functionality into a whole. The work involved in developing and testing a component communicating with an ID-card is approximately 40 hours. However, implementing the entire business logic of the solution can be very labor-intensive.
  • Implementation of the necessary business processes – transaction account, invoicing, reporting, etc. The amount of work depends greatly on the nature of the solution.