Project of the Year Awards: Egg

Egg cracks the challenge of chip-and-PIN credit cards

All UK banks face the challenge of issuing new credit and debit cards to support the introduction of Chip-and-PIN anti-fraud technology in shops by 2005.

Issuing so many new PIN numbers to customers is a potential security nightmare, with the obvious risk of numbers going astray or cardholders forgetting their four-digit code.

Online bank Egg wanted to offer its 2.5 million credit card users a quick and easy way to receive their PINs and to retrieve the number if mislaid. The company decided to develop a system to issue PINs securely through its web site.

What were the business objectives of the project?

'We wanted to provide the facility for all Egg credit card customers to securely request and receive their PIN at any time, from anywhere,' says Tracy-Ann Willis, head of technology security at Egg.

'This means customers no longer have to write down their PIN because they are worried they might forget it and if they do forget, retrieving it via the PIN Browser is simple, quick and effective.'

The aim was to eliminate the large cost normally associated with posting PINs and operating a telephone service for re-issuing lost or forgotten numbers. Removing the use of the postal network also helps to cut fraud.

Security was clearly a major factor - Egg had to ensure that only the customer is able to view their PIN.

What were the key milestones in the implementation?

A 45-person team started work late last year, first assessing the feasibility of delivering PIN numbers over the web. The team worked with Egg's credit card service provider to design and test a hardware security module that would underpin the necessary architecture.

The project was launched as a live service to Egg customers in May.

What technology was used?

'Egg utilised a new hardware security module device that allows the customer to establish a secure "tunnel" between their web browser and a third party credit card service provider who holds their PIN,' says Willis.

'The cryptographic functionality required to establish a secure tunnel has not until now been easily available in the web browser. Through the use of basic web protocols and the new hardware security module, Egg is able to provide all web browsers with the functionality required to establish a secure tunnel through which the PIN can be delivered.'

Customer PIN numbers are held by a third-party credit card issuer, whose infrastructure is based on legacy mainframe technology and hardware security modules that utilise symmetric key cryptography. The secure tunnel uses public key (PKI) cryptography, so Egg worked with its provider to update their infrastructure to support PKI exchange, says Willis.

How did you manage the business change and people issues involved?

Willis says a business programme manager was appointed to oversee the initiative.

The project was split into a number of streams, such as IT development, security, infrastructure, marketing, fraud, card operations, and so on.

'The business change was managed via regular project meetings which were held to agree business deliverables as well as IT deliverables, to make sure all areas were well informed and kept up to date with any issues or dependencies,' she says.

'Technology and business people worked very closely and effectively together as one team.'

For customers, the marketing stream of the project ensured that there was adequate information available at the launch of the PIN Browser, which was co-ordinated with the start of the roll-out of Egg Chip-and-PIN cards.

What results were achieved?

Willis says the project achieved its aims in terms of providing a new, cost-effective and secure approach to customers' requests for and receipt of PINs.

'We successfully used an innovative approach to technology to radically improve this area of Egg's customer experience and it will provide significant cost savings on an ongoing basis,' she says.

Customer reactions have been very positive, and the PIN Browser has received interest from a number of organisations due to its potential for use in government and public sector initiatives.

What were the lessons learnt?

'Aligning everyone to a common goal ensured smooth delivery of the project,' says Willis.

All the relevant departments were involved in making sensitive security changes, and the adoption of a quick and easy-to-use cryptographic development environment contributed to the success of the project, she says.

'You need to be clear about the project's objectives, agree these with all concerned, and involve relevant people from business and technology,' says Willis.

'You should design security from the outset to achieve best results, and wherever possible use open industry standards and identify opportunities to set new standards for the rest of the industry.'

What were the business benefits and return on investment?

The PIN Browser project will deliver an initial multi-million pound cost saving, along with a large and permanent annual maintenance saving, says Willis.

'The PIN Browser has enabled Egg to provide a better experience for the PIN request and receipt process. It removes delays and frustration for the customer, helps eliminate the need for customers to write their PIN down and tackles the issue of possible PIN interception,' she says.

How do you plan to build on the project further?

'We intend to further develop the Chip-and-PIN solution as part of Egg's strategic security architecture. It has excellent prospects for the future, not just for the issue of PINs but for other customer and business applications,' says Willis.

Computing says:

Building trust with online customers is an issue facing every company providing products and services over the web. For a credit card provider such as Egg, security is a critical issue, and well-publicised fears over the theft of PIN numbers made this a challenging area to internet-enable.

The PIN Browser service uses innovative security technology that will have further uses in Egg - and potentially elsewhere - as well as offering cost savings and improving customer satisfaction.

Project at a Glance

* Egg wanted to develop a service to issue PIN numbers to its 2.5 million credit card users over the internet.

* The PIN Browser project supports the roll-out of Chip-and-PIN anti-fraud technology across the UK.

* The online bank developed a secure, PKI-based method for allowing customers to access their PIN number using a standard web browser.

* The development started in late 2003 and was launched to customers in May.

* The system speeds up the issuing of PINs and allows customers to retrieve their number if they lose or forget it.

* The security technology Egg developed will have further uses in the company, and is also attracting interest from other organisations.

IEE backs our Awards for Excellence

Computing is pleased to announce that the IEE - the Institution of Electrical Engineers - is sponsoring the Public Sector, Private Sector and Innovative Project of the Year categories in this year's Computing Awards for Excellence.

With over a third of its membership employed in the IT industry, the IEE acts as an international voice for information professionals to government and the public and plays a major role in promoting technology in schools.

'The IEE is delighted to be sponsoring Computing's IT Project Awards, which reward excellence in the design, implementation and management of IT projects,' says Dr Alf Roberts, chief executive of the IEE.

'Excellence can only be delivered by appropriately qualified individuals and our association with these prestigious awards underlines the IEE's commitment to professionalism in IT. We are dedicated to providing the qualifications and access to training and professional development to ensure IT professionals can develop their careers.'