EMV Liability Shift, How Mobile Authentication Can Ease the Pain

In October of this year, any merchant in the US who does not demonstrate the ability to accept EMV transactions can be deemed liable for the fraud associated with counterfeit cards.

That’s only 5 months from now.

Most people in the EU can’t really understand the confusion this has generated – we’ve had chip & PIN for well over a decade – but for the population of the US, swipe & signature is as natural as handing over cash. Retailers are rightly concerned that adoption will be a slow and painful process, but that may not be their biggest concern.

Estimates of the cost of transition from magnetic stripe to chip range from 12 billion USD (my estimate) to 33 billion USD (the press’s figure), and the lion’s share of this will fall to the retailers who must replace their existing payment entry devices (PEDs) with chip-compatible ones. The chances are good that this expense was not in their long-term costings, and bringing forward the end-of-life of their PED infrastructure is simply not an option in an industry where profit margins are razor thin.

But the thing that few people realise is that while the chip alone is a positive factor in fraud reduction (anti-counterfeit), the greatest benefit of the roll-out of EMV is only achieved when the chip is used in conjunction with a 4 digit Personal Identification Number (PIN). This effectively adds a second factor of authentication (the card is something you have, your PIN is something you know), making card present transactions significantly more secure. PIN alone would have a significant positive impact as well.

It follows therefore that while organisations scramble to comply with the letter of EMV, there already exists in almost everyone’s pocket the capability to provide not just a PIN, but multiple forms of authentication and value-add services that far exceed the benefits of the chip: the mobile phone.

Even the loss of the Primary Account Number (PAN), which is the largest cause of card related fraud, is meaningless if the thief can’t complete the transaction. Add to this the numerous benefits of instant coupons, loyalty programs and even ratings & reviews, and the retailer now has the capability to enhance the customer journey while meeting the intent of EMV.

Neither the card issuers nor even the card schemes themselves are fixated on EMV itself; they are only truly interested in reducing fraud. Retailers share this goal, even if they do not entirely agree with the way to get there.

It is up to authentication vendors to provide alternatives, and get those alternatives tested, real-world proven, and on the table. This will not be authentication vendors alone, or mobile device manufacturers alone, and the result will not be a decision made by card schemes alone. This will be a collaboration between ALL players, and will only work if everyone comes away a winner.

Especially the consumer.

[Ed. Written in collaboration with www.myPINpad.com]

EMV in the US, a 12 BILLION Dollar Mistake

In continuation of my crusade against EMV in general, the card schemes have announced an end to issuer-only fraud liability for non-chip transactions starting in October 2015. The so-called ‘liability shift’.

For those who don’t know, it’s the issuers of the credit card that accept the liability for fraud during a branded credit card transaction, which is why they receive the lion’s share of the fees associated with the transaction (interchange fees). But now, if the merchant does not upgrade their point-of-sale terminals to those capable of accepting chip cards, it’s the merchant who suffers the fraud loss. The same goes for a consumer who wants to continue using swipe & signature cards.

While I assume that those with disabilities and / or the elderly will be given the option not to change to chip & PIN, the fact remains that the enormous cost of the transition to this ‘new’ technology will not be borne by those who have basically created the problem over the course of over 60 years: the card brands. It will be the consumer … eventually, because the merchants / retailers will have to recoup their up-front costs.

And all this just to keep taking credit cards!

Why do retailers and banks STILL see credit cards as the only form of non-cash payment? Why DO the card brands have so much power over end-user payments technology when there are ‘only’ ~6 billion credit cards in the world and >7 billion mobile phones? On top of that, mobile phones have a far wider distribution than an EMV infrastructure can EVER hope to duplicate, and you have what I would see as a very simple choice in how to transition away from plastic.

I’ve said it repeatedly; payments is NOT about the FORM of payment, it’s about authentication of the individual to the organisation holding the funds (usually a bank), and NO form of account-detail-up-front (read credit card number, even a token of one) can ever be as secure as one protected by proper identity management. Yes, even on a mobile device.

What the US retailers are going to do is spend an absolute fortune on a payment acceptance technology that will be impossible to upgrade to anything else, nor will it be anywhere near as flexible for those retailers wishing to innovate in new forms of value-add services and marketing drives.

I have no problem with the card brands making a ton of money, that’s business and they do have a lot to add in the payment arena, but to continue the push for EMV is as horrendously self-serving as it is pointless. If it’s not them pushing for it, and it’s actually the Fed, then THEY should do their homework and talk to the retailers.

However, if the retailers aren’t going to do anything about this, then it pretty much serves them right.

For example: what card brand or issuer is going to tell Walmart that they can’t use an EMV alternative that has been shown to have a similar security profile AND infinitely greater business benefits? Can you really see them giving up a multi-million dollar revenue stream just to enforce a patch on a 60+ year old technology?

No, neither can I.

Target: Yep, They Made The Worst Decision Imaginable

In the most ridiculous decision possible, Target have agreed to ACCELERATE their ‘smart card rollout’ to the tune of about $100M:

Target to accelerate $100 million chip-enabled smart card program: CFO, Reuters, Feb 03, 2014

Let me say that again; ONE HUNDRED MILLION DOLLARS!

How exactly are these new smart cards (which is EMV / Chip & PIN, obviously) going to reduce “cyber theft” when they do absolutely nothing except prevent card present fraud? It’s not as though this amazing chip-enabled technology actually encrypts the cardholder data point-to-point (that’s a terminal function, if available), so it doesn’t stop Target saving the data post-auth. And because not ALL US retailers and merchants are going to accelerate THEIR programs, Target have done nothing to prevent the real menace: card NOT present fraud.

What are they going to do when their customers start demanding other forms of payment, like mobile? Or when they start losing market share because value-add services won’t integrate with their shiny new static-function payment terminals? Spend ANOTHER $100M?

I’ve said it a hundred times, payments is NOT about the payment functionality itself, it’s about the AUTHENTICATION of the individual trying to MAKE the payment. In that, Target are completely missing the point.

If this is pressure from the card brands shame on them, if it’s pressure from ‘Government regulators’, shame on THEM, but if this is just Target being short-sighted and throwing good money after bad, then I hope their share-holders wake up before it’s too late.

I for one would be really pissed if I had a vested interest in this.

Why The Card Brands Secretly Hate Chip & PIN

My penchant for dramatic titles aside, perhaps a more accurate – and less controversial – title would be “Why The Card Brands SHOULD Secretly Hate Chip & PIN”, and the reason is simple: it’s in the way of their business.

The only reason chip and PIN (or EMV) is championed publicly by the brands is that it works, and has significantly reduced card present fraud (or face-to-face payments) in those areas that have mandated it, which is basically almost all the world’s industrialised nations except the US. If you want to know why I think the US will never adopt EMV, my thoughts are here: Why the US Will Not Adopt EMV (Chip & PIN)

The most basic and fundamental misunderstanding about EMV is that it’s a payment technology. It’s not; it’s an authentication technology. And a very inefficient one at that. The reason it reduces fraud is that anyone can swipe a credit card to buy something, but not everyone has the PIN associated with that card to complete the transaction.

So the concept is sound, but the implementation is fatally flawed:

  1. It’s not a real-time authorisation; it’s performed offline by the PIN Entry Device (PED) – a.k.a. payment terminal – itself, therefore the PED must have a significant capability that is no longer required given recent innovations in authentication technologies
  2. The PEDs that are EMV capable are incredibly expensive as a result of 1. above (between £400 – $2,000 each), and are therefore out of the reach of the largest retail segment globally: the micro-merchant (e.g. corner store, street market vendor and the like)
  3. It has already been shown to be vulnerable to attack. Yes, it was a VERY specific circumstance in which it was broken, and it’s still very difficult to do so, but the only reason it’s not further exploited is because thieves are lazy and there are still so many easier targets out there
  4. The PIN authorisation is only for card payments; it is not extensible to any other scenario where a similar mechanism would be desirable (logging into your bank online, doctors accessing medical records, etc.)
  5. You still have to carry a piece of plastic around with you, and credit cards are a dying non-cash payment technology

If you accept the above as true, then it’s relatively trivial to determine why the card brands must hate EMV:

  1. It will be very difficult to expand credit cards to regions that are either resisting EMV due to replacement costs (i.e. the US), or initial implementation costs (non-industrialised countries). They simply cannot introduce any card-dependent technology other than one that provides authentication capability
  2. Try telling a merchant in sub-Saharan Africa bringing home less than $1,000 a year that they need to spend a year’s salary to do business with European tourists and you’re not going to get much adoption. A non-EMV PED can be had for less than $100, which is far more palatable. I’m sure some enterprising service provider would be happy to rent them out too
  3. Why roll out a technology that will eventually be relatively easy to break? Security is not about being totally secure, it’s about being secure enough. Build a secure device and a bad guy will work out how to break it, and this will never change. EMV capable devices are, by their very nature, incapable of adapting to a newer, more secure technology
  4. Authentication needs to be ubiquitous, people simply don’t want lots of different passwords to remember. Authentication as a Service (AaaS) will expand to include payments, and the best way of delivering this service is over a mobile device, not a credit card
  5. In order to continue their reign for a few more years, the card brands must rapidly expand their influence in regions that simply cannot support EMV

In the end you have to realise what the card brands are: they are a mechanism to get access to your money without the use of cash. This was great while they were the only game in town, but they are not anymore, and unless they can justify their interchange fees by providing secure payments to EVERYONE’S convenience they will be the next victim of disruptive innovation.

EMV has run its course, and I would be VERY surprised if the card brands continue to support it given the fact that it actually hastens their demise, not prolongs it.

Why the US Will Not Adopt EMV (Chip & PIN)

Let’s just start with the basics, money:

There are ~1.5 BILLION credit cards in the US, and a replacement card is between $3 and $5. So you’re looking at an expense between $4.5 and $7.5 billion for that alone. Now add into that the cost of replacing ~10 million payment terminals to ACCEPT the new cards, at a cost of ~$50 – $100 each, and that price-tag goes up by another $0.5 – $1 billion. Finally, every bank must replace / upgrade their back-end systems to PROCESS these new transactions, and I’m not even going to try to guess the cost (it’s a lot).

Yes, this will be spread out over a number of years, but that’s like saying you’d like to get punched in the mouth a little bit at a time. No alternative is pleasant.

Cost aside, why would the banks take on this expense when the main driving factor behind EMV is being negated on a daily basis by innovations in payment technology? Innovations such as mobile payment applications, and far more secure alternatives to Chip & PIN itself, will drive the US to abandon their plans for EMV in favour of solutions that have a far longer shelf-life, are more secure, include Card-Not-Present (CNP) transactions (e.g. e-commerce), AND are not just a patch/fix to a 60+ year old technology.

The EMV concept itself was first put into real-world practice in France in 1992 – yes, 21 YEARS ago – and is now the de facto standard in over 100 countries globally. Except the US of course, who still rely on the magnetic stripe first introduced by IBM in the 1960s.

This mag stripe method is the major cause of card-present (CP) fraud globally, which is why the US has been under increasing pressure to make the change. The issuing banks in the US, however, are very powerful in their own right, and have managed to delay things long enough to now have a valid reason to stop the plans altogether.

Good for them.

The need for PIN authentication will not go away any time soon, but the need for any payment terminal or payment application to ever SEE that number will. This is an enormous game-changer for both the banks and the end users.

Chip & PIN transactions are cheaper than magnetic stripe transactions for one reason: less fraud. However, you can’t use chip & PIN for e-commerce, where things like the CVV code, Verified by Visa, or 3-D Secure are used to similar, though limited, effect.

This restricts their usage to specific card brands, but in this brave new world of innovation where the card brands are no longer the only game in town, a more ubiquitous PIN method is required that’s not only secure, but seamless, portable to legacy technologies, and affordable. Something like this: www.mypinpad.co.uk.

Suddenly:

  1. Expensive card-not-present transactions become cheaper card-present transactions saving millions for e-commerce
  2. Legacy payment terminals that are not yet End of Life (EoL) can be kept, saving brick & mortar merchants millions
  3. ATM payments become far less prone to fraud (under certain circumstances)
  4. Mobile payments become far more secure
  5. Liability shift is now firmly with the issuing banks

All of this is great stuff, and makes me wonder what’s next!

Anyone see any similar technologies out there in the wild?