A short video overview of the

CardHub unit and mobile banking

integration.
 Our certified cloud platform and advanced printers enables us to create any card
(plastic or virtual) on behalf of any integrated issuer from any CardHub machine.

In addition, CardHub machines can also be used to securely host and serve additional
products and services including lending, insurance and savings products via
interactive touch screens or pushed to local mobile devices.

Key Features

CardHub is a complete service - hardware, software, mobile integration, advertising

content management, servicing, maintenance and stocking.
Empowering people to get
on with their lives.
CardHub machines house Entrust Datacard re-transfer printers that emboss, encode
and print debit or credit cards of any design.

● Card creation from blank white card stock to any design

● Supports up to 6 chip types per machine
● 2 minute printing time

We provide a library of APIs to integrate services within existing consumer banking

apps or teller software.

CardHub is a complete PCI-CP and GDPR compliant solution.

It is certified by Visa and Mastercard and has the capability to create and issue cards
on the Visa, Mastercard, Amex and Union Pay schemes.
 CardHub Machine CardHub Cloud Platform

CardHub APIs Data preparation

● <locationservices> ● HSM and PKI

CardHub is configurable and can manage your card ● <stocklevels>
process from Data Preparation through to local ● EMV key management
● <qrcodegenerator> ● 3DES and RSA cryptography
personalisation and issuance. ● <qrcodelife> ● Certs, PIN + CVV
● <2fa>
- Hardware provisioning, maintenance and servicing
- Thin client, cloud based application Personalisation
Monitoring, logging & audit
- Deep analytics and audit logs
- Restocking and supply as standard ● EMV chip encoding
● 24/7 network health
- PCI CP certified, Visa and Mastercard approved ● Mag stripe
● Access control and audit logs
● Embossing
The service is available to acquire as a dedicated ● 600 DPI print + QA
solution for an issuer or to subscribe to as part of the
CardHub out of branch network. Advertising Analytics

● Remote content management ● User behaviour

● Multi-language ● Usage and transactions
● Scheduling ● Surrounding footfall analysis
● Live data feeds ● Emotion monitoring

Out of branch and partner bank

branch network

● 24/7 remote monitoring ● Card stock

● Field agents and onsite ● Consumables and ribbons
maintenance ● Recycling used card stock
We make it easy ● We also provide issuers with advanced issuer ● CardHub is able to instantly issue virtual cards
analytics and data visualisation tools to enable directly to customers’ mobile wallets as it creates
We have designed CardHub to be as simple as possible them to easily understand and manage their plastic cards.
for the consumer and for the issuer. network.
● New features under development include secure
● CardHub is a complete service and includes; We are certified recycling of planned replacement cards,
hardware, software, services, remote management, reinstatement of payment methods across online
mobile banking integration, plastic recycling and All data is encrypted and processes through PCI CP subscriptions, instantly and Open Banking financial
other services. compliant, Visa and Mastercard approved data centres health assessments.
managed by Entrust Datacard.
● We sell CardHub under flexible purchasing models. We can extend your reach beyond your branch
Issuers can choose to purchase the hardware as ● The complete CardHub solution is fully PCI-CP, EMV
capex or opex. They can also subscribe to the out and GDPR compliant. As well as equipping the branch networks of issuing
of branch network and only pay for what they use. banks we are also building our own national network of
Our solution is advanced and is constantly evolving hubs, available to all issuers on a subscription basis.
● We provide a library of APIs for to enable
integration of self-service features with existing We specialise in creating great customer experiences Our issuing partners have access to the complete
digital assets including consumer mobile banking and with this comes a commitment to extensive R&D CardHub network of out of branch machines.
apps and teller systems (i.e. via a tablet in branch). and innovation.
This open infrastructure is designed to increase reach,
● Integration with CardHub can exist in parallel to ● We offer solutions for in branch and out of branch improve customer service and reduces costs for
your central issuance operating model without operations and we have extensive experience issuers and consumers.
disruption to the BAU card business. deploying these solutions in premium and secure
locations including international airports.
● Once up and running CardHub has a low
operational impact - very limited onsite teller and ● Our platform can securely support issuance from
bank staff time is required. multiple issuers.
 #1 Issuer
Request new card from
Bank App #2
New card token issued

CardHub Platform
#7
#5 #11
Retrieve/create card
Verify customer and Activate card
#3 personalisation data
retrieve card token
Time sensitive QR code
issued to app.

#4 CardHub Machine #6
Customer Present token to SAS Send token to
Terminal CardWizard
CardWizard

#9 #8
Dispense card to customer Print Card

#10
Customer retrieves card
from machine
PCI-CP PCI-DSS security management system in place to protect
confidentiality, availability and integrity of assets from
All card production processed by the Cardhub Platform All card production is covered by the PCI-CP external threats or vulnerability.
is hosted in highly secure, connected and high-speed certification, however the CardHub platform also
data centers managed by Entrust Datacard. Including a comprises of another third party cloud provider ISO27017 + ISO27018
production site and separately located disaster certified as a PCI DSS 3.2 Level 1 Service Provider,
recovery data centre in line with PCI specifications. although no PII or payment information is processed The CardHub platform is comprised of two major third
using the secondary platform. party cloud providers both of whom comply with these
Additionally special measures are taken to maintain standards including consensual use of PII, full
background and credit checks for all data center GDPR protection and separation of customer’s virtual
employees, a separate person trap in each data center, environments, virtual machine configuration,
a dedicated security booth behind bullet-resistant The solution requires both SA Systems and Entrust administrative operations and environment alignment.
glass, steel mesh reinforced walls, floors and ceilings, Datacard to act as Data Processors appointed by the
and the ability to maintain a constant temperature on Data Controller (typically the issuing bank). A full PSD2
the floor of the data centers. schedule of processing activities can be supplied
based on the scope of the integration along with full The solution has been designed with PSD2 in mind and
PCI-HSM (optional) policies and procedures for the protection of PII. No PII compliant strong customer authentication methods are
will be held or processed outside of the European used to identify the customer’s device with further
Our solution configuration can incorporate full Economic Area without the explicit permission of the multi-factor authentication loops to verify the user.
management of PKI and provision of HSM to provide a Data Controller.
fully managed platform. All HSM components are
managed by Entrust Datacard, capable of operating to ISO27001
X509 v3 standards and compliant with PCI standards
including tamper proofing, cryptographic key All information security management is maintained in
protection, firmware management and complete audit line with ISO27001 with an organisation information
logs.
Designed for ease of use by all.

Hardware specification - please follow link

- 3 sizes - compact retail / In branch / Out of branch hub

- Intuitive for consumers and DDA approved.
- Quality onshore production, low emission manufacture
- (ISO9001, ISO14001)

*Requires only a power and stable network connection

A network of machines in high footfall locations through which any issuer
can issue cards to any customer.

NaaS - Subscription and pay as you use.

The CardHub is intended to become an open infrastructure for an Open

Banking future.
Any Bank. Any Issuer. Any Scheme. Any Customer. Any Machine.

Out of branch network to commence in Q2 2020.

CardHub Architecture - please follow link
 Cards Card Name + Applet Name + Version Card Name + Applet Name + Version

Card personalization specification Card personalization specification

If pre-perso is specific, pre-perso specifications are required If pre-perso is specific, pre-perso specifications are required

20 test cards per profile 20 test cards per profile

This table summarises the
List and names of the profiles + list of BIN for each profile List and names of the profiles + list of BIN for each profile
fields required in order to Profile Definition

test integration with the VPA in HTML and XML CPV in XLS and XML
platform.
List and type of applications (AIDs) to be personalized List and type of applications (AIDs) to be personalized

Does PSE have to be personalized? (Default is yes) Does PSE have to be personalized? (Default is yes)

Magstripe: CVV Offset for Track 1 and Track 2 Magstripe: CVV Offset for Track 1 and Track 2

Test Input File Input file Input file

Input file specification Input file specification

Test Keys KMC KMC

PEK PEK

MDKac IMKac

MDKsmi IMKmac

MDKsmc IMKenc

IMKcvc3

Modulo length and exponent value to generate test Issuer RSA Modulo length and exponent value to generate test Issuer RSA
keyset keyset

Test Certificate Expiration date Expiration date

Tracking number CA certificate

CA certificate Issuer certificate

CardHub enables issuers to instantly issue sustainable plastic and virtual cards to
customers via advanced self-service machines.

SA Systems London
41 Tabernacle Street
Shoreditch
London
EC2A 4AA
+44 (0) 207 336 0010

Any card. Any bank. Any branch. Any scheme. Anywhere. sales@[Link]