Forensic Examination of Credit Cards and Similar Materials

Credit card anatomy, magnetic stripe and EMV chip, skimming and cloning detection, IT Act Sections 66C and 66D.

A payment card is a forensic document in two senses: physically, it is a multi-layer PVC laminate carrying printed, embossed, and optically variable security features; electronically, its magnetic stripe and EMV chip carry account data governed by ISO/IEC standards and the IT Act 2000. Forensic examination covers the card's anatomy (PVC body, magnetic stripe per ISO/IEC 7811, EMV chip, hologram, signature panel, CVV, BIN), detection of skimming and cloning attacks, and the Indian statutory response under the IT Act and Bharatiya Nyaya Sanhita 2023. The classical questioned-documents toolkit, including UV inspection, stereomicroscopy, and signature comparison, forms the first-pass examination layer, with chip and NFC analysis added for electronic data.

In the modern statutory frame, a payment card is a "document". The Bharatiya Nyaya Sanhita 2023 definition of document covers any matter expressed by letters, figures or marks on a substance, and the IT Act 2000 treats card-resident data as an electronic record. Forensic examination of payment cards covers two principal areas: the physical and electronic anatomy of a card (PVC body, magnetic stripe per ISO/IEC 7811, EMV chip, hologram, signature panel, CVV, BIN) and the cloning and skimming workflow with its statutory response (IT Act Sections 66C and 66D, BNS Sections 318, 319 and 336, RBI Master Directions, NPCI rails).

Card forensics sits alongside handwriting and document examination because the early techniques (UV inspection, microscopy of laminate edges, signature comparison) come straight from the questioned-documents examiner's bench.

By the end of this topic you will be able to:

  • Identify and describe the physical layers of a standard payment card, including ISO/IEC 7810 dimensions, PVC laminate construction, and visual security features.
  • Decode a Primary Account Number (PAN) into its MII, IIN/BIN, account number, and Luhn checksum components per ISO/IEC 7812.
  • Distinguish skimmer and shimmer attack hardware, explain how each targets magnetic-stripe versus EMV-chip data, and list the physical indicators of ATM/POS tampering.
  • Apply UV inspection, stereomicroscopy, magnetic-stripe dumping, and APDU-based chip reading to detect card forgery or re-encoding.
  • Identify the applicable Indian statutes (IT Act Sections 66C, 66D, 43A; BNS Sections 318, 319, 336) and RBI customer-liability rules for card-fraud casework.
Key terms
PVC card body
Standard payment card construction: polyvinyl chloride core sandwiched between two transparent laminated overlays. Card dimensions 85.60 by 53.98 mm per ISO/IEC 7810 ID-1.
Magnetic stripe
Ferromagnetic strip on the card reverse encoding account data on three tracks per ISO/IEC 7811. Track 1 alphanumeric (79 chars), Track 2 numeric (40 chars, the primary track), Track 3 rarely used today.
EMV chip
Integrated-circuit chip following the EMV (Europay-Mastercard-Visa) specification. Contact interface per ISO/IEC 7816, contactless per ISO/IEC 14443. Generates dynamic cryptograms that defeat static-data cloning.
Hologram
Diffractive optical security feature: Visa dove, Mastercard interlocking globes, RuPay tricolour. Hard to reproduce without specialised embossing equipment.
Signature panel
White panel on the card reverse printed with a tamper-evident background (often the issuer name repeated or the word VOID appearing if scratched). The CVV2 is printed beside it.
CVV / CVC
Card Verification Value (Visa) or Card Verification Code (Mastercard). CVV1 is encoded on the magnetic stripe, CVV2/CVC2 is the 3-digit printed code on the reverse, CID is the 4-digit code on the Amex front.
BIN / IIN
Bank Identification Number, formally the Issuer Identification Number under ISO/IEC 7812. The first six digits of the PAN identify the issuing institution and network.
Embossing
Raised characters on older card fronts produced by an embosser; modern cards are increasingly flat-printed because POS imprinters are obsolete.
NFC
Near Field Communication, the 13.56 MHz contactless radio interface used for tap-to-pay. It is built on ISO/IEC 14443 and underlies UPI Lite and RuPay contactless.
Skimmer
Overlay device fitted on an ATM card slot or POS terminal that reads and stores the magnetic stripe data of cards swiped through it.
Shimmer
Thin sliver-shaped device inserted inside the chip reader of an ATM or POS to intercept data exchanged with the EMV chip.
Tokenisation
RBI-mandated mechanism that replaces the PAN stored at merchants with a token usable only by that merchant, reducing the value of stolen card-on-file data.

Card anatomy: PVC body, stripe, chip, hologram, panel, CVV

A standard payment card is a three-layer PVC (polyvinyl chloride) sandwich. A pigmented PVC core carries the printed design and embedded magnetic stripe, with two transparent PVC or PETG laminated overlays fused on top and below by heat and pressure. Card dimensions are fixed by ISO/IEC 7810 at 85.60 by 53.98 mm and 0.76 mm thick (ID-1 format). The first job of the forensic examiner is to inspect the laminate edges under microscopy: a cloned or relaminated card often shows uneven seams, trapped air bubbles or solvent residue where the overlay was cut and re-fused.

The magnetic stripe on the reverse is described by ISO/IEC 7811. Three tracks sit within the stripe: Track 1 is alphanumeric, up to 79 characters at 210 bits per inch, and carries the PAN plus cardholder name and expiry; Track 2 is numeric, up to 40 characters at 75 bits per inch, and carries the PAN, expiry and service code (this is the track ATMs and POS readers actually use); Track 3 is read-write but rarely used by modern card networks. The stripe is encoded by F2F (Aiken biphase) recording, so any commodity magnetic-stripe reader can decode it, which is the central security weakness.

The EMV chip is named for Europay, Mastercard and Visa, the three networks that wrote the original specification in 1996. Contact chips use ISO/IEC 7816; contactless chips use ISO/IEC 14443 at 13.56 MHz. Unlike the magnetic stripe, the chip generates a dynamic cryptogram (a one-time authentication code computed by the chip's onboard secure element) for every transaction, which is why cloning a chip is far harder than cloning a stripe.

The remaining features are visual security. The hologram (Visa dove, Mastercard interlocking globes, RuPay tricolour Ashok-Chakra-style design) is a diffractive optical element produced by precision embossing of a metallised film, hard to reproduce without industrial equipment. The signature panel carries a tamper-evident background that exposes the word VOID or similar text when scratched. The CVV/CVC family includes CVV1 encoded on the magnetic stripe, CVV2/CVC2 printed in 3 digits beside the signature panel, and the 4-digit CID on the front of Amex cards. Older cards have embossed PAN and name; modern issues are increasingly flat-printed because mechanical POS imprinters are obsolete and the embossing is itself a security weakness when re-embossed by fraud rings.

Front of a standard payment card showing chip, embossed or flat-printed PAN, name, expiry and hologram; reverse showing magnetic stripe (three tracks), signature panel and CVV2/CVC2.

Card numbering: PAN, MII, IIN/BIN, Luhn checksum

The Primary Account Number (PAN) is the 13 to 19 digit number on the card front, structured by ISO/IEC 7812. Three substructures are forensically significant.

The Major Industry Identifier (MII) is the first digit of the PAN: 1 and 2 for airlines, 3 for travel and entertainment (Amex, Diners), 4 for Visa, 5 for Mastercard, 6 for Discover, RuPay and Maestro, 7 for petroleum, 8 for healthcare and telecom, 9 for national assignment (used by some country-specific schemes).

The Issuer Identification Number (IIN), popularly called the Bank Identification Number (BIN), is the first six digits (extended to eight in newer ISO/IEC 7812 revisions). The IIN identifies the issuing bank and the card network. In India, RuPay BINs are allocated by NPCI in the 6 and 8 series.

The Luhn algorithm (also called modulus-10 or mod-10) is the checksum that occupies the last digit of the PAN. Doubling every second digit from the right, summing all digits, and checking that the total is divisible by 10 is a quick first-pass validity test the examiner runs before any deeper analysis. A PAN that fails the Luhn check is fabricated.

PAN decode: first digit = MII (4 Visa, 5 Mastercard, 6 RuPay/Discover); digits 1-6 = IIN/BIN (issuer); digits 7 to N-1 = account number; last digit = Luhn checksum. A PAN failing mod-10 is fabricated.
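
The PAN breakdown and Luhn test described above can be written as a short Python routine. This is an added example, not part of the original notes; the function names and the sample PANs are constructed for illustration.

```python
# MII labels exactly as listed in the text above (first digit of the PAN).
MII = {
    "1": "airlines", "2": "airlines",
    "3": "travel and entertainment (Amex, Diners)",
    "4": "Visa", "5": "Mastercard",
    "6": "Discover, RuPay and Maestro",
    "7": "petroleum", "8": "healthcare and telecom",
    "9": "national assignment",
}

def luhn_sum(digits: str) -> int:
    """Double every second digit from the right, then sum all digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the right
            d *= 2
            if d > 9:           # e.g. 12 -> 1 + 2 = 3, same as subtracting 9
                d -= 9
        total += d
    return total

def decode_pan(raw: str, iin_len: int = 6) -> dict:
    """Split a PAN into MII, IIN/BIN, account number and check digit."""
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 decimal digits")
    if iin_len not in (6, 8):
        raise ValueError("IIN length is 6 or 8 digits")
    # Check digit that the first N-1 digits require for a mod-10 pass.
    expected = (10 - luhn_sum(pan[:-1] + "0") % 10) % 10
    return {
        "mii": pan[0],
        "industry": MII.get(pan[0], "not listed"),
        "iin": pan[:iin_len],
        "account": pan[iin_len:-1],
        "check_digit": int(pan[-1]),
        "expected_check_digit": expected,
        "luhn_ok": luhn_sum(pan) % 10 == 0,
    }

# Constructed sample PANs (test values, not real accounts).
SAMPLE_OK = "4111 1111 1111 1111"
SAMPLE_BAD = "4111 1111 1111 1112"   # last digit altered

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(decode_pan(sample))
```

Reporting the expected check digit alongside the one found lets the examiner record exactly how a failing PAN deviates, rather than only that it failed.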

Skimming and cloning detection

Card-fraud workflows in India and worldwide use three classes of hardware. A skimmer is a thin device fitted over the card slot of an ATM or the magnetic-head channel of a POS terminal; it reads the magnetic stripe of every card swiped through it and stores the data to internal flash, sometimes also relaying it by Bluetooth or GSM. A shimmer is a paper-thin sliver inserted inside the EMV chip reader to intercept the contact-pad data; shimmers do not give the attacker the chip's secret keys, but they let the attacker harvest enough static data to clone the magnetic-stripe fallback. A Magnetic Stripe Reader/Writer (MSR), often sold openly as an MSR605X, is then used to re-encode a blank white card with the stolen Track 1 and Track 2 data.

Physical examination of a suspect ATM or POS terminal looks for tell-tale signs. The bezel around the card slot may be slightly larger or shaped differently from the bank's standard fitment. Glue residue on the bezel edges, exposed wires inside the cabinet, an unfamiliar pinhole near the keypad (a camera pointed at PIN entry), or an overlay keypad with stiffer keys all flag tampering. RBI advisories under the Master Direction on Digital Payment Security Controls 2021 require banks to inspect ATMs at defined intervals and to deploy anti-skimming devices on terminals; the CERT-In (Indian Computer Emergency Response Team) issues alerts when a new skimmer family appears in the field.

Indian skimmer-fraud context that has produced casework includes the 2018 Cosmos Bank Pune ATM heist (a malware attack that pushed cloned RuPay and Visa cards through ATMs in 28 countries to extract roughly 94 crore rupees), and the Pune and Mumbai skimmer rings broken by state cybercrime cells in 2019. The forensic-laboratory side sits in the cyber units of CFSL Hyderabad, CFSL Chandigarh and the state FSLs that have notified digital-forensics divisions.

Examination techniques: UV, microscopy, chip and NFC analysis

The first pass on a suspect card is UV inspection. Genuine Visa and Mastercard cards carry UV-fluorescent printing: a flying dove appears on Visa, the letters M and C appear on Mastercard, and the issuer logo appears on many RuPay variants. A cloned card produced on commodity equipment usually lacks these features or shows uniform fluorescence from the laminate itself.

Stereomicroscopy of the laminate edge, signature panel and hologram catches re-lamination (uneven seam, trapped bubbles), re-embossing (ghost outlines of the original digits under or around the new ones), and counterfeit holograms (flat-printed metallic foil instead of true diffraction). The signature panel is examined for chemical or mechanical erasure of an original signature.

The magnetic stripe is read with a forensic MSR to dump Track 1, Track 2 and Track 3. The examiner compares the dump against the printed PAN, name and expiry on the card face: a mismatch indicates re-encoding (typical of a stripe-cloned card). Magnetic-force microscopy and developer fluids can reveal the recording pattern when the stripe has been overwritten.
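
The dump-versus-face comparison described above, sketched in Python as an added example (not code from the original notes). The Track 2 field layout assumed here (start sentinel `;`, separator `=`, YYMM expiry, 3-digit service code, end sentinel `?`) follows ISO/IEC 7813; the function names and sample dumps are constructed.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + service code + discretionary ?
TRACK2 = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?", re.ASCII)

def parse_track2(dump: str) -> dict:
    """Split a raw Track 2 string, as returned by a stripe reader, into fields."""
    dump = dump.strip()
    m = TRACK2.fullmatch(dump)
    if m is None or len(dump) > 40:      # Track 2 holds at most 40 characters
        raise ValueError("not a well-formed Track 2 record")
    pan, yy, mm, service, disc = m.groups()
    return {"pan": pan, "expiry": f"{mm}/{yy}", "service_code": service,
            "discretionary": disc}

def mask(pan: str) -> str:
    """First six and last four digits only, so case notes never hold a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def compare_with_face(dump: str, face_pan: str, face_expiry: str) -> list:
    """Return findings where the stripe disagrees with the printed card face.

    face_expiry is MM/YY as printed; an empty list means stripe and face agree.
    """
    track = parse_track2(dump)
    face_pan = re.sub(r"\D", "", face_pan)
    face_expiry = face_expiry.strip()
    findings = []
    if track["pan"] != face_pan:
        findings.append(f"PAN mismatch: stripe {mask(track['pan'])}, "
                        f"face {mask(face_pan)}")
    if track["expiry"] != face_expiry:
        findings.append(f"expiry mismatch: stripe {track['expiry']}, "
                        f"face {face_expiry}")
    return findings

# Constructed sample dumps (test PANs, not real accounts).
DUMP_MATCH = ";4111111111111111=30122010000000000?"
DUMP_REENCODED = ";5500005555555559=29062010000000000?"

if __name__ == "__main__":
    face = ("4111 1111 1111 1111", "12/30")   # as read from the card front
    for dump in (DUMP_MATCH, DUMP_REENCODED):
        print(compare_with_face(dump, *face) or "stripe agrees with face")
```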

The EMV chip is examined by reading the chip's publicly accessible data with an APDU-capable reader (issuer identifier, application identifier, public-key certificate chain). For deep examination, the chip module can be desoldered and the silicon die analysed under microscopy or with logic-analyser probes; this is reserved for high-value cases because it destroys the card. NFC sniffing uses a passive antenna and an SDR (software-defined radio) to capture the air interface between card and reader and check for replay attacks.

Statutory and regulatory frame

Card-fraud cases in India are charged under a stack of statutes.

The Information Technology Act 2000 Section 66C punishes identity theft (fraudulent or dishonest use of another person's electronic signature, password or any other unique identification feature) with imprisonment up to 3 years and fine up to 1 lakh rupees. Section 66D punishes cheating by personation using a computer resource with the same maximum penalty. Section 43A imposes a civil liability on a body corporate that fails to implement reasonable security practices for sensitive personal data, which covers card data held by merchants.

The Bharatiya Nyaya Sanhita 2023 carries forward IPC provisions in renumbered form. Section 318 (cheating, formerly IPC 415/420), Section 319 (cheating by personation, formerly IPC 416), and Section 336 (forgery, formerly IPC 463-465) typically run alongside IT Act charges. A counterfeit card is a "false document" under BNS Section 335, and the BNS definition of document expressly covers "any matter expressed or described upon any substance by means of letters, figures or marks", which is why payment cards fall within the scope of questioned-documents examination.

The financial-regulation layer is governed by the Payment and Settlement Systems Act 2007 (which gives RBI the power to regulate payment systems) and the RBI Master Direction on Digital Payment Security Controls 2021 (security baseline for issuers, acquirers and payment-system operators, including anti-skimming, EMV-only acceptance, tokenisation and incident reporting). The RBI customer-liability circular RBI/2017-18/15 (Customer Protection: Limiting Liability of Customers in Unauthorised Electronic Banking Transactions) gives a cardholder zero liability if the fraud is reported within 3 working days and limited liability between 4 and 7 days, which is the key regulatory point for this topic.

The National Payments Corporation of India (NPCI) operates the domestic rails: RuPay (card scheme), UPI (Unified Payments Interface), IMPS (Immediate Payment Service) and NFS (National Financial Switch). RBI's 2022 tokenisation mandate routes through NPCI for RuPay and through the international schemes for Visa and Mastercard; merchants can no longer store the raw PAN, which dramatically reduces the value of merchant-side breaches.

Electronic-evidence handling follows the BNS and BSA 2023 framework for electronic evidence: the seized card, the ATM CCTV, the skimmer device and the dumped stripe data are all electronic records that need the BSA 2023 Section 63 certificate at trial, and the chain of custody is probed by defence counsel before the technical content.

Why does the syllabus place credit card examination under Questioned Documents?
Because the modern statutory definition of a document covers any matter expressed by letters, figures or marks on a substance. The Bharatiya Nyaya Sanhita 2023 definition (carrying forward IPC Section 29) is wide enough to include payment cards, and the IT Act 2000 treats the card's electronic data as an electronic record. The QD examiner's classical toolkit (UV inspection, stereomicroscopy of laminate seams, signature panel comparison) is also the first-pass card examination toolkit, so the two areas share method as well as legal frame.
How many tracks does a payment-card magnetic stripe have, and which one is the primary track?
Three tracks per ISO/IEC 7811. Track 1 is alphanumeric, up to 79 characters at 210 bits per inch, carrying PAN, name and expiry. Track 2 is numeric, up to 40 characters at 75 bits per inch, carrying PAN, expiry and service code; this is the primary track that ATMs and POS terminals actually read. Track 3 is read-write and was meant for offline balance storage but is rarely used today.
What does EMV stand for and how does an EMV chip defeat magnetic-stripe cloning?
EMV stands for Europay, Mastercard and Visa, the three networks that wrote the original specification in 1996. The chip is an integrated-circuit secure element with onboard cryptographic keys; for every transaction it computes a dynamic cryptogram (a one-time authentication code derived from a transaction counter and the chip's secret key) that the issuer verifies before authorising. A clone that copies only the static data cannot generate a valid cryptogram, which is why chip cards are far harder to clone than magnetic-stripe-only cards.
What is the difference between a skimmer and a shimmer in card fraud?
A skimmer is an overlay device fitted on top of the card slot of an ATM or the magnetic-head channel of a POS terminal; it reads and stores the magnetic stripe data of every card swiped through it. A shimmer is a much thinner, sliver-shaped device inserted inside the chip reader to tap the contact pads of the EMV chip during a transaction. A skimmer harvests stripe data for direct re-encoding on blank white cards; a shimmer harvests enough static chip data to clone the magnetic-stripe fallback profile, but it cannot extract the chip's secret keys.
Under Indian law, what is the cardholder's liability if a fraudulent transaction is reported to the bank promptly?
The RBI customer-liability circular RBI/2017-18/15 (Customer Protection: Limiting Liability of Customers in Unauthorised Electronic Banking Transactions) gives the cardholder zero liability when the unauthorised transaction is reported to the bank within 3 working days, provided the fraud was not due to the customer's own negligence. Reporting between 4 and 7 working days caps liability at a graded amount (typically 5,000 to 25,000 rupees depending on account type). Delayed reporting shifts more loss to the customer.
