A European bank wanted to implement smart-card-based biometric authentication for its customers and ensure the security of data moving between the bank's backend transactional systems. Here's how a consultant delivered this complex solution on time.
Any system integration (SI) project can be a nightmare or a blessing depending on how it is planned and executed—more so if the project is complex, involves disparate applications and systems, and has to be executed in conjunction with third parties. Under these conditions, it becomes challenging to deliver within the desired timelines and at the benchmarked quality.
This case study illustrates how risks were minimized during one such project, along with some lessons on doing the same for your project. While the implementing team cracked several technical issues of integration, I'll concentrate on the managerial aspects pertaining to complex SI deliveries.
A leading European bank with interests in many diverse financial products and a large regional reach wanted to implement smart card-based biometric authentication for its customers. It also had plans to ensure the security of the data moving between the bank's backend transactional systems and its customer-facing ATM network.
If customers had a multi-application-enabled smart card (a card with an embedded chip that can read the data stored on it and write or overwrite that data) as their identity card from either the local government or their employers, this card would also be enabled to transact business on the ATM network so that the customer could avoid the hassle of using multiple cards with multiple PIN codes.
To make this happen from concept to finish involved working on multiple technologies, across multiple third parties, and on hardware platforms that ranged from legacy to modern systems. What eventually was produced was a very complex SI.
The banking industry has evolved substantially in recent years. There is a proliferation in the usage of ATMs, credit cards, debit cards, and smart cards. Several channels of transacting with a bank have come to various degrees of maturity. Channels such as ATMs, the Web, customer care call centers, SMS/mobile phones, and now WiFi-enabled handhelds are giving people freedom to transact money. Financial services sector providers are falling over one another to give customers the quickest, smoothest access to their funds.
Smart card usage has also increased globally due to the cards' capability to securely store large amounts of information and reduce fraud. Their ability to carry digital certificates and private keys that individuals will need to operate within a PKI framework is also beneficial to network security. All these developments are forcing the traditional ATM-based delivery model to innovate itself.
For starters, new open standards are coming up for ATMs, covering compatibility with non-OS/2 operating systems, e-commerce capabilities, and advertising capabilities, and these ensure that ATMs can integrate better with the bank's channel mix. A unified view of customer accounts, leading to a more seamless cross-channel banking experience, is now possible.
With all these developments, a security threat has emerged. Smart cards and biometric technology are being used to recognize customers by their physical characteristics and as a tool to guarantee cardholder verification. Banks are implementing secure solutions that effectively combine customer convenience with secure transaction ability.
What the bank wanted
Whenever the bank has to sign on a new customer, the customer fills out basic information on paper (which is then keyed by the bank's back-end staff into the databases) or uses a Web interface. The customer is then given a magnetic stripe card or a smart card. If the customer already has a smart card given by the government or his employer as a proof of his identity, he would typically have two or more cards.
When customers interact with the bank through a branch office or ATMs, they would use the card given by the bank. So, they would end up using multiple cards for different purposes. To unify all the cards and pave the way for a single sign-on for all customer interactions, the bank needed to integrate some of the back-end systems while integrating forward with the front-end customer interfaces at the bank's branch offices or ATMs.
At the outset of the project, the client came up with the following requirements:
- Pick up the basic customer information residing on a card, bring it into the appropriate bank system, and capture/authenticate the cardholder's thumbprint by designing and implementing appropriate hardware or system interfaces such as a smart card reader to read the data on the card and pass it on to the bank's systems.
- Make the solution scalable, serving an increasing number of ATMs, bank physical teller branches, or customer loads as the clientele grows both in number and in qualitative demands and expectations.
- Make the solution highly portable, use an appropriate TCP/IP framework, and don't adversely affect the working of other devices on the bank's LAN.
- Incorporate open architecture, interoperability, and easy manageability.
- Address main security concerns of authentication, nonrepudiation, and data integrity.
The joint team, made up of my firm, the bank's representatives, and several third-party consultants, defined some nonnegotiables or prerequisites before embarking on the integration work.
- A unified view of information for a business user—customer or employee—will be critical. Often, due to islands of applications, a unified view becomes difficult for a business user wanting to review growth in customers enrolled for online banking services vs. those enrolled for normal banking services.
- The framework must offer a flexible range of interfaces that allows the most appropriate solution to be picked for a particular job. In some scenarios, for example, straight-through database access may be sufficient.
- Often, integration work is seen to imply application integration within an enterprise. But extra-enterprise integration (with business partners' applications such as payment gateways, for example) is as important.
The implementation methodology involved going through the following stages:
- Defining a joint review team with members drawn from the client, implementing consultant, and the more significant third parties in the consortium
- Establishing project parameters, in terms of defining phase-wise purpose and corresponding end deliverables and time constraints
- Implementing a detailed project schedule, in which the project manager (PM) prioritizes work items, decides dependencies, and estimates the effort required and the schedules
- Defining team structure and providing warm-up time for the team to acclimatize to the project environment and define the risks for their teams as they perceive them
- Establishing the project environment, in terms of selecting methods and tools for the project to use, team communication needs (networking, e-mail, voice), arranging for training, etc.
- Defining project progress tracking (modalities and templates)
Financial services organizations are increasingly using chip cards for ATMs as a multi-application/multi-utility option compared to cards with magnetic stripes. This serves to enhance security and add convenience as well. In this context, the bank decided to implement this solution. Our solution involved:
- Issuing the smart card as an ATM card, in a personalized form, with the flexibility of removing the ATM functionality in case the customer ceases to be a customer.
- Writing code to the smart card by which it securely generates and delivers the personal identification code to the customer.
- Allowing cash that is loaded on the card to be transferable to the bank's account, and vice versa, since the smart card can also be an electronic purse (e-purse).
- Downloading the master key to the handheld device and securing it using encryption, followed by downloading the session key used to encrypt the ATM PIN.
- Issuing the ATM PIN using the session key and delivering it securely. Biometric authentication is an add-on to ascertain the identity of the user in a non-repudiable manner.
The challenges faced were many. The existing banking applications ran on a legacy system. As a result, no high-level language could be used to provide the solution. The entire solution was provided in ANSI C. The OS used across the network of the bank's various branches did not support smart cards and biometric devices. A handheld device, which has a built-in smart card and biometric scanner, was used with Windows CE. The solution provided had to deliver all features residing on the OS at the back end, interfacing with Windows CE at the front end, while using encryption to ensure that the confidentiality and integrity of data were maintained.
The solution delivered the following business and technical benefits to the client:
The main advantage is the lower cost of operating the retail business, because the entire operation is one of seamless integration of authentication and authorization for transactions.
Improved productivity and supervisory effectiveness
Operating personnel would not be required to make manual entries during the authentication process in the branches, removing unproductive and frustrating duplication.
With such two/three-factor security, fraud at the branches will come down.
Branch personnel can address customer-related issues instead of being tasked with data-entry jobs.
Reduction in threats from internal sources
Employees are more accountable since authentication and authorization are non-repudiable (although most of the process is automated, their movement into and out of permitted work areas, systems, applications, files, etc. is logged).
All of the above leads to major benefits to all stakeholders of the bank: customers, the bank's employees, and the system administrators who operate the solution.
After all of our work, we took these lessons from this engagement:
Don't try to reengineer too many processes. Focus on a core few while designing and implementing reengineered processes.
Question the customer
The customer may not always be right. Hire an integrator because of its specific expertise in systems integration, not to carry out instructions of the client's CIO.
Treat as one
The principal integrator has to induct associated third-party vendors into the success plan for the project. Often, the other vendors who have to deliver to your team, so you can deliver a more complete piece to the customer, are treated as not part of "my project delivery system" by the principal integrator. Also, remember that co-participants in the project hate to hear "I told you so" from you when something from their part goes wrong in front of the client.
Deliver to the customer every day
Have at least a five-minute chat every day with the client sponsor to apprise them of status. Make the process of delivery frequent and transparent. By "delivery," I mean that the psychological delivery is as important as a QA-tested code delivery. Make sure that the sponsors can freely voice their concerns.
Make sure the sponsor delivers to his committee every day
It is in your interest as a system integrator for a mission-critical project that your sponsor delivers to the approving committee every day. Facilitate or enable this if the client organization is a hierarchy-bound structure, and the sponsor is finding it difficult to cross layers, by leveraging your status as an external agent.