Remember "off line"?
By Dave Birch posted Sep 22 2008 at 6:14 PM
[Dave Birch] For reasons not germane to the post, I'm wondering if I can detect the first pangs of crisis in the world of EMV. Have we been rolling out the wrong system? This horrible suspicion obtains vitality from a big picture perspective which says that, in essence, it was mad to start rolling out a system that was designed to allow secure offline payments at the very inflexion point in human history when the whole world went online.
Most consumers still pay offline, like in restaurants or stores. But I have no doubt that in future all these businesses will be connected to the Internet and then, virtually all payments will be made online.
[From Globes [online] - Israel business news - For PayPal, it is only the beginning]
Gulp. We've spent billions installing a legacy payment system and it isn't even finished yet. Everything else is going online, bank-issued cards are going offline.
EMVCo, the EMV standards body owned by JCB International, MasterCard Worldwide and Visa Inc., has today announced plans to broaden industry participation in the development work of the organisation and establish a regular, formal dialogue between EMVCo and the global payments industry, through the launch of a new website subscription programme and annual user meeting.
[From Finextra: EMVCo looks to broaden industry participation]
So is chip and PIN doomed? Well, in the long run, of course it is, just as cheques are doomed. Yet at the very moment the nagging doubts about EMV creep in, there are those in the world's least EMV-centric market, the U.S.A., who are beginning to wonder whether it might be time to start looking at chip and PIN again in the light of massive data breaches (eg, T.J. Maxx) and escalating fraud as the card sharps in, for example, the U.K., begin to target the U.S. on a larger scale.
In one of the first interviews by a top TJX executive following a record security breach, vice chairman Donald G. Campbell told the Globe that the US payment system should follow countries in Europe and Asia that have rolled out credit and debit cards embedded with computer chips. If the cards were in use worldwide, he said, the technology would have ruined a scheme in which thieves stole as many as 100 million account numbers from TJX since 2005, by making the numbers harder to reuse.
[From Could this chip have prevented the TJX breach? - The Boston Globe]
Well, maybe. But card fraud actually isn't that big of a deal in the U.S., is it? With charge-offs currently running at something like 600+ basis points, who cares about 6 basis points of fraud?
David Robertson, publisher of The Nilson Report, a trade newsletter that tracks the payment industry, estimates that $1.24 billion was lost to fraud in 2007 in the United States, up from $1.14 billion in 2006. But in both years, that works out to just 5.7 cents for every $100 that customers charged on their credit cards. Worldwide fraud was $5.68 billion, or 4.8 cents per $100 spent.
[From Could this chip have prevented the TJX breach? - The Boston Globe]
In the not-too-distant future, the idea of being off line will seem perverse, so I just can't see how chip and PIN can gain traction in the U.S. in time before cards vanish into mobile phones and other devices. Given the years it would take to migrate the U.S. POS infrastructure, I'm sure that what will actually happen is that terminal replacement because of contactless and mobile will be the key factor. Then, in time, the U.S. will have a chip-based infrastructure (since contactless card and mobile phones both have chips in them). But will it be an EMV infrastructure? That's not obvious.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public
imho:
- "of course it is, just as cheques are doomed". Unexpected comparison... Cheque payments are phasing away because their processing is expensive, because it is a long payment process, because it's not secure, etc. Arguments that do not apply to EMV.
- About fraud? It's only an issue because fraud is now coming from organized crime, potentially financing mafia activities or terrorism organizations.
- Online-Offline? There is no incoherence with EMV. It does work either online or offline. And even though it was one of the original objectives of chip, there were many other benefits, such as card copy protection, cardholder authentication, precise card risk management, etc. Now Offline EMV is definitely of value when the acquirer service is down, network down, to improve speed, quality of service, reduce costs or server load at peak hours, etc.
- Contactless: Contactless cards are not as secure as contact chip cards. If they are lost or intercepted in mail, they are even less secure as they can be used with no cardholder authentication in face to face environments; they wear a magnetic stripe and have printed on the face all necessary data to perform online transactions.
- Now let’s widen the analysis: Almost all important regions or countries have, or are implementing chip, but EMV chip security is only efficient against fraud if we remove the major weakness of the cards, the magnetic stripe, and because of the reluctance of the US to implement EMV, ALL chip cards still have this critical weakness making the EMV investment almost worthless at an international level…
Visa and MasterCard are US companies. They have established the EMV standard, imposed it on the others while being incapable of showing locally its benefits and convincing US issuers and Acquirers.
- EMV Standard: Definitely very expensive to implement, especially on the acquirer side, it is not perfect, but it is the only international standard and it has been very widely deployed with success and with great reduction (exportation) of fraud for the regions adopting it.
- PCI-DSS: Supposedly the solution to protect cardholder data from being stolen. This new certification imposed by Visa and MasterCard on merchants worldwide will cost billions! Remove the magnetic stripe of the cards or migrate to EMV and PCI-DSS certification becomes useless!
Posted by: Emmanuel Haydont | 27 September 2008 at 10:50 PM
The EMV specification does not require off-line. Once you decide to go on-line, and not to require PINs when not justified, costs go tumbling down.
Using PINs for low value transactions is a waste of time and money. There is no need to use PINs for less than, say, 100 dollars. Actually, using PINs for low value transactions has negative implications for security.
If we implement EMV but without these features, i.e. on-line only cards and card readers without PIN capability for low value transactions, the cost of the cards and of the readers will fall dramatically without adversely affecting security.
Posted by: Jony Rosenne | 26 September 2008 at 02:50 PM
Dave - Another excellent post, as usual. I agree that chasing fraud is not really top of mind for Issuers, given how small it is compared to the rest of the expense line items. The bigger challenge is expanding access to payments cards across broader spend categories and penetrating new consumer spend segments as well as providing innovative services/options to cardholders and merchants to ensure continued engagement/satisfaction with cards as a payment mechanism. Obviously right now the challenge is to ensure continued profitability of their portfolios and manage risk closely, given the precipitous decline in the consumer behavior and sentiment. And the $5-10 Bn bill needed to migrate to EMV will not be palatable. Even in the long run, EMV does not pose a positive business case for US Issuers.
Posted by: VP | 25 September 2008 at 09:41 PM
Hi,
I agree with this blog. I suspect that the US could continue with magstripe and tumbling CVVs over contactless. Consequently, the last couple of inches gets upgraded to contactless (over the natural course of card/POS upgrade cycle) while the rest of the infrastructure stays magstripe.
May not be such a bad idea.
This brings up some interesting issues of using payments cards across the pond.
Manju
Posted by: Manju Murthy | 25 September 2008 at 06:25 PM