Why The Card Brands Secretly Hate Chip & PIN

My penchant for dramatic titles aside, perhaps a more accurate, and less controversial, title would be “Why The Card Brands SHOULD Secretly Hate Chip & PIN”, and the reason is simple: it gets in the way of their business.

The only reason chip and PIN (or EMV) is championed publicly by the brands is that it works: it has significantly reduced card-present (face-to-face) fraud in the regions that have mandated it, which is almost every industrialised nation except the US. If you want to know why I think the US will never adopt EMV, my thoughts are in the second post below: Why the US Will Not Adopt EMV (Chip & PIN)

The most basic and fundamental misunderstanding about EMV is that it is a payment technology. It is not; it is an authentication technology, and a very inefficient one at that. It reduces fraud for two reasons: the chip proves the card is genuine with a cryptogram that cannot be copied from the magnetic stripe, and the PIN proves the person presenting the card knows a secret. Anyone can swipe a stolen or cloned card to buy something, but not everyone has the PIN associated with that card to complete the transaction.

So the concept is sound, but the implementation is fatally flawed:

  1. The PIN is not necessarily verified in real time by the issuer. In offline PIN mode the chip on the card checks the PIN itself, and even in online PIN mode it is the PIN Entry Device (PED), a.k.a. the payment terminal, that must capture the PIN securely and encrypt it for the issuer. Either way the PED needs tamper-resistant hardware and cryptographic capability that recent innovations in authentication technology no longer require
  2. PEDs that are EMV capable are incredibly expensive as a result of 1. above (between £400 and $2,000 each), and are therefore out of reach of the largest retail segment globally: the micro-merchant (the corner store, the street-market vendor and the like)
  3. It has already been shown to be vulnerable to attack. Yes, it was a VERY specific circumstance in which it was broken, and the attack is still hard to carry out, but the only reason it is not exploited more widely is that thieves are lazy and there are still so many easier targets out there
  4. The PIN verification is only for card payments. It is not readily extensible to other scenarios where a similar mechanism would be desirable (logging into your bank online, doctors accessing medical records, etc.); where banks have reused the EMV card for online banking login it has taken a separate card-reader device rather than the payment PIN flow itself
  5. You still have to carry a piece of plastic around with you, and credit cards are a dying non-cash payment technology

If you accept the above as true, then it is relatively trivial to work out why the card brands must hate EMV:

  1. It will be very difficult to expand credit cards into regions that are resisting EMV, whether because of replacement costs (i.e. the US) or because of initial implementation costs (non-industrialised countries), and the brands cannot introduce any new card-dependent technology that does not itself deliver the authentication EMV was meant to provide
  2. Try telling a merchant in sub-Saharan Africa bringing home less than $1,000 a year that they need to spend a year’s salary to do business with European tourists and you are not going to get much adoption. A non-EMV PED can be had for less than $100, which is far more palatable. I am sure some enterprising service provider would be happy to rent them out too
  3. Why roll out a technology that will eventually be relatively easy to break? Security is not about being totally secure, it is about being secure enough. Build a secure device and a bad guy will work out how to break it; this will never change. EMV-capable devices are, by their very nature, incapable of adapting to a newer, more secure technology
  4. Authentication needs to be ubiquitous; people simply do not want lots of different passwords to remember. Authentication as a Service (AaaS) will expand to include payments, and the best way of delivering that service is over a mobile device, not a credit card
  5. In order to continue their reign for a few more years, the card brands must rapidly expand their influence in regions that simply cannot support EMV

In the end you have to realise what the card brands are: a mechanism for getting access to your money without the use of cash. This was great while they were the only game in town, but they are not anymore, and unless they can justify their interchange fees by providing secure payments that are convenient for EVERYONE, they will be the next victim of disruptive innovation.

EMV has run its course, and I would be VERY surprised if the card brands continue to support it given that it actually hastens their demise rather than prolonging their reign.

Why the US Will Not Adopt EMV (Chip & PIN)

Let’s just start with the basics: money.

There are ~1.5 BILLION credit cards in the US, and a replacement card costs between $3 and $5, so you are looking at an expense of between $4.5 and $7.5 billion for that alone. Now add the cost of replacing ~10 million payment terminals to ACCEPT the new cards, at ~$50 to $100 each, and the price tag goes up by another $0.5 to $1 billion. Finally, every bank must replace or upgrade its back-end systems to PROCESS the new transactions, and I am not even going to try to guess that cost (it is a lot).

Yes, this will be spread out over a number of years, but that is like saying you would prefer to be punched in the mouth a little bit at a time. No alternative is pleasant.

Cost aside, why would the banks incur this expense when the main driving factor behind EMV is being negated daily by innovations in payment technology? Innovations such as mobile payment applications, and far more secure alternatives to Chip & PIN itself, will drive the US to abandon its plans for EMV in favour of solutions that have a far longer shelf-life, are more secure, cover Card-Not-Present (CNP) transactions (e.g. e-commerce), AND are not just a patch to a 60+ year old technology.

The EMV concept itself was first put into real-world practice in France in 1992, yes, 21 YEARS ago, and is now the de facto standard in over 100 countries globally. Except the US of course, which still relies on the magnetic stripe first introduced by IBM in the 1960s.

The magnetic stripe is the main enabler of card-present (CP) fraud globally, because everything on it can be read by a skimmer and written onto a counterfeit card, which is why the US has been under increasing pressure to make the change. The issuing banks in the US, however, are very powerful in their own right, and have managed to delay things long enough to now have a valid reason to stop the plans altogether.

Good for them.

The need for PIN authentication will not go away any time soon, but the need for any payment terminal or payment application ever to SEE that number will. This is an enormous game-changer for both the banks and the end users.

Chip & PIN transactions are cheaper than magnetic stripe transactions for one reason: less fraud. However, you cannot use Chip & PIN for e-commerce, where the CVV2 code and 3-D Secure (Visa’s brand of which is Verified by Visa) are used to similar, though limited, effect.

That restricts their usage to specific card brands, but in this brave new world of innovation, where the card brands are no longer the only game in town, a more ubiquitous PIN method is required that is not only secure but also seamless, portable to legacy technologies, and affordable. Something like this: www.mypinpad.co.uk.

Suddenly:

  1. Expensive card-not-present transactions become cheaper card-present transactions, saving millions for e-commerce
  2. Legacy payment terminals that are not yet End of Life (EoL) can be kept, saving brick & mortar merchants millions
  3. ATM transactions become far less prone to fraud (under certain circumstances)
  4. Mobile payments become far more secure
  5. Liability shift now sits firmly with the issuing banks

All of this is great stuff, and makes me wonder what is next!

Anyone see any similar technologies out there in the wild?