My penchant for dramatic titles aside, perhaps a more accurate – and less controversial – title would be; “Why The Card Brands SHOULD Secretly Hate Chip & PIN“, and the reason is simple; it’s in the way of their business.
The only reason chip and PIN (or EMV) is championed publicly by the brands is that it works, and has significantly reduced card present fraud (or face-to-face payments) in those areas that have mandated it, which is basically almost all the world’s industrialised nations except the US. If you want to know why I think the US will never adopt EMV, my thoughts are here; Why the US Will Not Adopt EMV (Chip & PIN)
The most basic and fundamental misunderstanding about EMV is that it’s a payment technology, it’s not, it’s an authentication technology. And a very inefficient one at that. The reason it reduces fraud is that anyone can swipe a credit card to buy something, but not everyone has the PIN number associated with that card to complete the transaction.
So the concept is sound, but the implementation is fatally flawed:
- It’s not a real-time authorisation, it’s performed offline by the PIN Entry Device (PED) – a.k.a. payment terminal – itself, therefore the PED must have a significant capability that is no longer required given recent innovations in authentication technologies
- The PEDs that are EMV capable are incredibly expensive as a result of 1. above (between £400 – $2,000 each), and are therefore out of the reach of the largest retail segment globally; the micro-merchant (e.g. corner store, street market vendor and the like)
- It has already been shown as vulnerable to attack. Yes, it was a VERY specific circumstance in which it was broken, and it’s still very difficult to do so, but the only reason it’s not further exploited is because thieves are lazy and there are still so many easier targets out there
- The PIN authorisation is only for card payments, it is not extensible to any other scenario where a similar mechanism would be desirable (logging into your bank online, Doctors access medical records etc.)
- You still have to carry a piece of plastic around with you, and credit cards are a dying non-cash payment technology
If you accept the above as true, then it’s relatively trivial to determine why the card brands must hate EMV:
- It will be very difficult to expand credit cards to regions that are either resisting EMV due to replacement costs (i.e. the US), or initial implementation costs (non-industrialised countries). They simply cannot introduce any card-dependent technology other than one that provides authentication capability
- Try telling a merchant in sub-Saharan Africa bringing home less than $1,000 a year that they need to spend a year’s salary to do business with European tourists and you’re not going to get much adoption. A non-EMV PED can be had for less than $100, which is far more palatable. I’m sure some enterprising service provider would be happy to rent them out too
- Why roll-out a technology that will eventually be relatively easy to break? Security is not about being totally secure, it’s about being secure enough. Build a secure device and a bad guy will work out how to break it, and this will never change. EMV capable devices are, but their very nature, incapable of adapting to a newer, more secure technology
- Authentication needs to be ubiquitous, people simply don’t want lots of different passwords to remember. Authentication as a Service (AaaS) will expand to include payments, and the best way of delivering this service is over a mobile device, not a credit card
- In order to continue their reign for a few more years, the card brands must rapidly expand their influence in regions that simply cannot support EMV
In the end you have to realise what the card brands are; they are a mechanism to get access to your money without the use of cash. This was great while they were the only game in town, but they are not anymore, and unless they can justify their interchange fees by providing secure payments to EVERYONE’S convenience they will be the next victim of disruptive innovation.
EMV has run its course, and I would be VERY surprised if the card brands continue to support it given that fact that it actually hastens their demise, not prolongs it.