Forensic Examination of Credit Cards and Similar Materials
UGC-NET Paper 2 Unit IX notes on credit card anatomy, magnetic stripe and EMV chip, skimming and cloning detection, IT Act Sections 66C and 66D.
Credit and debit cards close Unit IX of the UGC-NET Forensic Science syllabus because, in the modern statutory frame, a payment card is a "document". The Bharatiya Nyaya Sanhita 2023 definition of document covers any matter expressed by letters, figures or marks on a substance, and the IT Act 2000 treats card-resident data as an electronic record. NTA tests two clusters on this bullet: the physical and electronic anatomy of a card (PVC body, magnetic stripe per ISO/IEC 7811, EMV chip, hologram, signature panel, CVV, BIN) and the cloning and skimming workflow with its statutory response (IT Act Sections 66C and 66D, BNS Sections 318, 319 and 336, RBI Master Directions, NPCI rails).
Treat the topic as one labelled card diagram plus one fraud workflow. The diagram carries the physical and machine-readable layers and answers most identification MCQs. The fraud workflow carries the skimmer, the shimmer, the magnetic-stripe writer and the legal response, and answers most application questions. Card forensics sits next to handwriting and document examination because the early techniques (UV inspection, microscopy of laminate edges, signature comparison) come straight from the QD examiner's bench.
- PVC card body: Standard payment card construction: polyvinyl chloride core sandwiched between two transparent laminated overlays. Card dimensions 85.60 by 53.98 mm per ISO/IEC 7810 ID-1.
- Magnetic stripe: Ferromagnetic strip on the card reverse encoding account data on three tracks per ISO/IEC 7811. Track 1 alphanumeric (79 chars), Track 2 numeric (40 chars, the primary track), Track 3 rarely used today.
- EMV chip: Integrated-circuit chip following the EMV (Europay-Mastercard-Visa) specification. Contact interface per ISO/IEC 7816, contactless per ISO/IEC 14443. Generates dynamic cryptograms that defeat static-data cloning.
- Hologram: Diffractive optical security feature: Visa dove, Mastercard interlocking globes, RuPay tricolour. Hard to reproduce without specialised embossing equipment.
- Signature panel: White panel on the card reverse printed with a tamper-evident background (often the issuer name repeated or the word VOID appearing if scratched). The CVV2 is printed beside it.
- CVV / CVC: Card Verification Value (Visa) or Card Verification Code (Mastercard). CVV1 is encoded on the magnetic stripe, CVV2/CVC2 is the 3-digit printed code on the reverse, CID is the 4-digit code on the Amex front.
- BIN / IIN: Bank Identification Number, formally the Issuer Identification Number under ISO/IEC 7812. The first six digits of the PAN identify the issuing institution and network.
- Embossing: Raised characters on older card fronts produced by an embosser; modern cards are increasingly flat-printed because POS imprinters are obsolete.
- NFC: Near Field Communication, the 13.56 MHz contactless radio interface used for tap-to-pay. Built on ISO/IEC 14443 and underlies UPI Lite and RuPay contactless.
- Skimmer: Overlay device fitted on an ATM card slot or POS terminal that reads and stores the magnetic stripe data of cards swiped through it.
- Shimmer: Thin sliver-shaped device inserted inside the chip reader of an ATM or POS to intercept data exchanged with the EMV chip.
- Tokenisation: RBI-mandated mechanism that replaces the PAN stored at merchants with a token usable only by that merchant, reducing the value of stolen card-on-file data.
Card anatomy: PVC body, stripe, chip, hologram, panel, CVV
Three plastic layers, three magnetic tracks, one chip, one hologram.
A standard payment card is a three-layer PVC (polyvinyl chloride) sandwich. A pigmented PVC core carries the printed design and embedded magnetic stripe, with two transparent PVC or PETG laminated overlays fused on top and below by heat and pressure. Card dimensions are fixed by ISO/IEC 7810 at 85.60 by 53.98 mm and 0.76 mm thick (ID-1 format). The first job of the forensic examiner is to inspect the laminate edges under microscopy: a cloned or relaminated card often shows uneven seams, trapped air bubbles or solvent residue where the overlay was cut and re-fused.
The magnetic stripe on the reverse is described by ISO/IEC 7811. Three tracks sit within the stripe. Track 1 is alphanumeric, holds up to 79 characters at 210 bits per inch, and carries the PAN plus cardholder name and expiry. Track 2 is numeric, holds up to 40 characters at 75 bits per inch, and carries the PAN, expiry and service code (this is the track ATMs and POS readers actually use). Track 3 is read-write but rarely used by modern card networks. The stripe is encoded by F2F (Aiken biphase) recording, so any commodity magnetic-stripe reader can decode it, which is the central security weakness.
The EMV chip is named for Europay, Mastercard and Visa, the three networks that wrote the original specification in 1996. Contact chips use ISO/IEC 7816, contactless chips use ISO/IEC 14443 at 13.56 MHz. Unlike the magnetic stripe, the chip generates a dynamic cryptogram (a one-time authentication code computed by the chip's onboard secure element) for every transaction, which is why cloning a chip is far harder than cloning a stripe.
The remaining features are visual security. The hologram (Visa dove, Mastercard interlocking globes, RuPay tricolour Ashok-Chakra-style design) is a diffractive optical element produced by precision embossing of a metallised film, hard to reproduce without industrial equipment. The
Card numbering: PAN, MII, IIN/BIN, Luhn checksum
First digit names the industry, first six digits name the issuer, last digit checks the rest.
The Primary Account Number (PAN) is the 13 to 19 digit number on the card front, structured by ISO/IEC 7812. Three substructures matter for NET MCQs.
The Major Industry Identifier (MII) is the first digit of the PAN: 1 and 2 for airlines, 3 for travel and entertainment (Amex, Diners), 4 for Visa, 5 for Mastercard, 6 for Discover, RuPay and Maestro, 7 for petroleum, 8 for healthcare and telecom, 9 for national assignment (used by some country-specific schemes).
The Issuer Identification Number (IIN), popularly called the Bank Identification Number (BIN), is the first six digits (extended to eight in newer ISO/IEC 7812 revisions). The IIN identifies the issuing bank and the card network. In India RuPay BINs are allocated by NPCI in the 6 and 8 series.
The Luhn algorithm (also called modulus-10 or mod-10) is the checksum that occupies the last digit of the PAN. Doubling every second digit from the right, summing all digits, and checking that the total is divisible by 10 is a quick first-pass validity test the examiner runs before any deeper analysis. A PAN that fails the Luhn check is fabricated.
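The first-pass PAN triage described in this section, as an added example that is not part of the original notes: it splits a PAN into MII and IIN, runs the Luhn test and reports the check digit the body should carry. The function names are hypothetical, the MII labels are the ones listed above, and the sample numbers are constructed.

```python
# MII labels exactly as listed in the notes above (first digit of the PAN).
MII = {
    "1": "airlines", "2": "airlines", "3": "travel and entertainment",
    "4": "Visa", "5": "Mastercard", "6": "Discover, RuPay and Maestro",
    "7": "petroleum", "8": "healthcare and telecom", "9": "national assignment",
}

def luhn_valid(pan: str) -> bool:
    """Mod-10 check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d = d * 2
            if d > 9:           # a two-digit product contributes its digit sum
                d -= 9
        total += d
    return total % 10 == 0

def expected_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    return next(str(d) for d in range(10) if luhn_valid(body + str(d)))

def examine_pan(raw: str) -> dict:
    """First-pass triage of a PAN as read from a card face or a stripe dump."""
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit()):
        return {"ok": False, "reason": "non-digit characters in PAN"}
    if not 13 <= len(pan) <= 19:
        return {"ok": False, "reason": f"length {len(pan)} outside 13-19 digits"}
    valid = luhn_valid(pan)
    return {
        "ok": valid,
        "reason": "" if valid else "Luhn check failed",
        "mii": MII.get(pan[0], "not listed in the notes"),
        "iin": pan[:6],                      # first six digits (issuer)
        "check_digit_found": pan[-1],
        "check_digit_expected": expected_check_digit(pan[:-1]),
    }

if __name__ == "__main__":
    # Constructed samples: a widely published test number and an altered copy.
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112"):
        print(examine_pan(sample))
```
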
Skimming and cloning detection
Overlay on the slot, shimmer in the slot, MSR on the bench.
Card-fraud workflows in India and worldwide use three classes of hardware. A skimmer is a thin device fitted over the card slot of an ATM or the magnetic-head channel of a POS terminal; it reads the magnetic stripe of every card swiped through it and stores the data to internal flash, sometimes also relaying it by Bluetooth or GSM. A shimmer is a paper-thin sliver inserted inside the EMV chip reader to intercept the contact-pad data; shimmers do not give the attacker the chip's secret keys, but they let the attacker harvest enough static data to clone the magnetic-stripe fallback. A Magnetic Stripe Reader/Writer (MSR), often sold openly as an MSR605X, is then used to re-encode a blank white card with the stolen Track 1 and Track 2 data.
Physical examination of a suspect ATM or POS terminal looks for tell-tale signs. The bezel around the card slot may be slightly larger or shaped differently from the bank's standard fitment. Glue residue on the bezel edges, exposed wires inside the cabinet, an unfamiliar pinhole near the keypad (a camera pointed at PIN entry), or an overlay keypad with stiffer keys all flag tampering. RBI advisories under the Master Direction on Digital Payment Security Controls 2021 require banks to inspect ATMs at defined intervals and to deploy anti-skimming devices on terminals; the CERT-In (Indian Computer Emergency Response Team) issues alerts when a new skimmer family appears in the field.
Indian skimmer-fraud casework includes the 2018 Cosmos Bank Pune ATM heist (a malware attack that pushed cloned RuPay and Visa cards through ATMs in 28 countries to extract roughly 94 crore rupees) and the Pune and Mumbai skimmer rings broken by state cybercrime cells in 2019. The forensic-laboratory side sits in the cyber units of CFSL Hyderabad, CFSL Chandigarh and the state FSLs that have notified digital-forensics divisions.
Examination techniques: UV, microscopy, chip and NFC analysis
Light, lens, logic analyser.
The first pass on a suspect card is UV inspection. Genuine Visa and Mastercard cards carry UV-fluorescent printing: a flying dove appears on Visa, the letters M and C appear on Mastercard, and the issuer logo appears on many RuPay variants. A cloned card produced on commodity equipment usually lacks these features or shows uniform fluorescence from the laminate itself.
Stereomicroscopy of the laminate edge, signature panel and hologram catches re-lamination (uneven seam, trapped bubbles), re-embossing (ghost outlines of the original digits under or around the new ones), and counterfeit holograms (flat-printed metallic foil instead of true diffraction). The signature panel is examined for chemical or mechanical erasure of an original signature.
The magnetic stripe is read with a forensic MSR to dump Track 1, Track 2 and Track 3. The examiner compares the dump against the printed PAN, name and expiry on the card face: a mismatch indicates re-encoding (typical of a stripe-cloned card). Magnetic-force microscopy and developer fluids can reveal the recording pattern when the stripe has been overwritten.
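The dump-versus-face comparison described above, as an added example that is not part of the original notes: it parses Track 1 and Track 2 text as a reader returns it and lists every field that disagrees with the card face. It assumes the ISO/IEC 7813 financial-card layout with the LRC character already stripped by the reader; the function names and all sample data are constructed.

```python
import re

# Track 1 (format B) and Track 2 layouts: sentinel, PAN, separator, name
# (Track 1 only), expiry as YYMM, 3-digit service code, discretionary data.
TRACK1 = re.compile(r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
                    r"(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?$")
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?$")

def _name_key(name: str) -> list:
    """Order-insensitive name tokens: 'DOE/JOHN' and 'John Doe' compare equal."""
    return sorted(name.upper().replace("/", " ").split())

def compare_dump(track1: str, track2: str, face: dict) -> list:
    """Return findings; an empty list means stripe and card face agree.
    face holds 'pan', 'name' and 'expiry' (MM/YY) as printed on the card."""
    findings = []
    face_pan = re.sub(r"\D", "", face["pan"])
    mm, yy = face["expiry"].split("/")
    face_exp = yy + mm                       # stripe stores expiry as YYMM
    parsed = {"track1": TRACK1.match(track1.strip()),
              "track2": TRACK2.match(track2.strip())}
    for label, m in parsed.items():
        if m is None:
            findings.append(f"{label}: not a well-formed track")
            continue
        if m["pan"] != face_pan:
            findings.append(f"{label}: PAN differs from card face")
        if m["exp"] != face_exp:
            findings.append(f"{label}: expiry differs from card face")
    t1, t2 = parsed["track1"], parsed["track2"]
    if t1 and _name_key(t1["name"]) != _name_key(face["name"]):
        findings.append("track1: cardholder name differs from card face")
    if t1 and t2 and t1.group("pan", "exp", "svc") != t2.group("pan", "exp", "svc"):
        findings.append("track1 and track2 disagree with each other")
    return findings

# Constructed sample data (published test PANs, invented name and expiry).
FACE = {"pan": "4111 1111 1111 1111", "name": "John Doe", "expiry": "12/30"}
GENUINE = ("%B4111111111111111^DOE/JOHN^3012101000000?",
           ";4111111111111111=3012101000000?")
REENCODED = ("%B5555555555554444^ROE/JANE^2911101000000?",
             ";5555555555554444=2911101000000?")

if __name__ == "__main__":
    print(compare_dump(*GENUINE, FACE))      # stripe agrees with the face
    print(compare_dump(*REENCODED, FACE))    # stripe carries another account
```

The findings name the mismatching field without echoing the PAN, so the output can go into a case report as written.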
The EMV chip is examined by reading the chip's publicly accessible data with an APDU-capable reader (issuer identifier, application identifier, public-key certificate chain). For deep examination, the chip module can be desoldered and the silicon die analysed under microscopy or with logic-analyser probes; this is reserved for high-value cases because it destroys the card. NFC sniffing uses a passive antenna and an SDR (software-defined radio) to capture the air interface between card and reader and check for replay attacks.
Statutory and regulatory frame
IT Act 66C and 66D, BNS 318, 319 and 336, RBI Master Direction, NPCI rails.
Card-fraud cases in India are charged under a stack of statutes.
The Information Technology Act 2000 Section 66C punishes identity theft (fraudulent or dishonest use of another person's electronic signature, password or any other unique identification feature) with imprisonment up to 3 years and fine up to 1 lakh rupees. Section 66D punishes cheating by personation using a computer resource with the same maximum penalty. Section 43A imposes a civil liability on a body corporate that fails to implement reasonable security practices for sensitive personal data, which covers card data held by merchants.
The Bharatiya Nyaya Sanhita 2023 carries forward IPC provisions in renumbered form. Section 318 (cheating, formerly IPC 415/420), Section 319 (cheating by personation, formerly IPC 416), and Section 336 (forgery, formerly IPC 463-465) typically run alongside IT Act charges. A counterfeit card is a "false document" under BNS Section 335, and the BNS definition of document expressly covers "any matter expressed or described upon any substance by means of letters, figures or marks", which is why payment cards sit inside Unit IX (Questioned Documents) of the syllabus.
The financial-regulation layer is governed by the Payment and Settlement Systems Act 2007 (which gives RBI the power to regulate payment systems) and the RBI Master Direction on Digital Payment Security Controls 2021 (security baseline for issuers, acquirers and payment-system operators, including anti-skimming, EMV-only acceptance, tokenisation and incident reporting). The RBI customer-liability circular RBI/2017-18/15 (Customer Protection: Limiting Liability of Customers in Unauthorised Electronic Banking Transactions) gives a cardholder zero liability if the fraud is reported within 3 working days and limited liability between 4 and 7 days, which is the single most-tested regulatory point on this bullet.