Bank cards, including credit and debit cards, are used by cardholders to make purchases, cash withdrawals, and other financial transactions at bank card machines, such as automated teller machines (ATMs), point-of-sale (POS) terminals, and the like. For example, one type of bank card has a magnetic stripe that holds information about a credit or debit account. The cardholder can then access the credit or debit account by, for example, swiping the bank card by a magnetic stripe reader on the bank card machine. A newer type of bank card, generally referred to as a “chip card,” “smart card,” or “integrated circuit card” includes an on-card electronic chip such as a processor, microprocessor, memory, another type of electronic chip, or combinations of these devices.
Such chip cards provide the opportunity for localized storing of application(s) and data such as one or more personal identification number(s) (PINS) in a secure format. During a transaction, authentication can be performed locally at the POS terminal without requiring online authentication. Such local authentication is more effective than previous attempts for local authentication because of the possibility of additional security such as encryption of PINs stored on chip cards.
When a chip card is issued by an issuing bank, the PIN is determined beforehand and stored in the memory of the chip card. The PIN can be changed by the account-owner (referred to as a “customer”) by establishing an online connection to the backend systems maintained by an issuing bank through an ATM. In fact, in some arrangements, card issuers and/or regulators require changes of the PIN periodically in order to strengthen security. Chip card interface devices (CCIDs) such as the CCID discussed in patent application Ser. No. 12/752,567 titled “Personal Identification Number Changing System and Method” and discussed below provide an interface with the chip cards, such as, for reading and/or writing data to and/or from the chip card. Unfortunately, some or all data stored on a CCID and/or a chip card is sensitive and, in some cases, compromise of such data would be considered a significant security breach by the customer and the issuing bank. Fraudsters could potentially gain access to sensitive data saved on a CCID and/or accessed by a CCID during an interaction between the CCID and the chip card in a variety of ways. For example, in one scheme, a fraudster breaks into a housing of a CCID and installs a keylogger device for recording data from any chip card interacting with the CCID. For example, in another scheme, the fraudster installs a replacement, fraudulent processing device in the CCID.
Therefore, systems, methods, and computer program products are needed for authenticating a chip card interface device with a backend system during a transaction.