Risk Management
  • First lesson of Banking – no Risk, no Profit.
  • Financial Security models are always a balance.
  • No System is Secure but it can be judged Secure Enough.
  • Bankers have been evaluating risk and profit since the days of barter.
  • No Security model exists in isolation.
  • Chip & PIN builds on a considerable existing security framework

Business Objectives
  • Driven by simple commercial proposition
  • Augmented by reputational elements
  • Incorporate behavioural evolution
  • Needs to account for and predict technology.
  • Needs to be viable for all parties.
  • Subject to review and planned to continuously evolve.

Crypto
  • Basis of Trust
  • RSA Public Key Scheme
  • Static Data Authentication
  • Dynamic Data Authentication
  • Triple (Double Length) DES
  • Online mutual Authentication
  • PIN
  • What you have: Token
  • What you know: Crypto engine / Keys / PIN

Attack Scenarios
  • Forced attack / threat e.g. Theft
  • Card not present / non PIN verified e.g. Internet
  • Mobile Commerce
  • International e.g. Fallback

Attack Scenarios
  • Hard Attack of Crypto – RSA or 3*DES
  • Exploit Procedural Elements e.g. Relay
  • Transaction flow logistics e.g. Terminal Minder
  • Disintermediate parties e.g. Wedge
  • Technology Element e.g. Differential Power Analysis

Investment / Reward
  • 800 Million cards and growing.
  • Fraud is a commercial business.
  • Cost / Benefit model based.
  • Requires significant resource dedication.
  • Limited skill set availability.
  • Requires greater resource to exploit.
  • Active detection methods can rapidly terminate activity.

Chip & PIN Today
  • Overall scheme security remains intact and strong
  • Hard card attack scenarios provide poor business case
  • Soft card attack scenarios exploit interfaces and provide little business case
  • Largest exposure remains non-chip usage
  • New channels building in support to leverage chip and PIN – e.g. HomePay reader at home
  • Still fit for purpose!!

Chip & PIN @ Home
  • HomePay Secure e-commerce payments with Chip & PIN

Cracking Chip & PIN
