[Dave Birch] A couple of people have asked me what on Earth I meant when I said that contactless might lead to the extinction of chip and PIN, a quote that saw me feature in this weekend’s “Rapture Ready News“. Well, I did say that, but I said it as part of a long and rambling discourse which didn’t survive the exigencies of the press.

Birch cites the flexibility of contactless payment, which can be incorporated into watches, phones, and even hats, as making it more appropriate for the “connected world of the future.”

[From ContactlessNews | Report: Contactless payment could wipe out chip and PIN]

I stand by this analysis. As we move to contactless interfaces, we are freed from the tyranny of form factor. There’s no need to have cards anymore. But why does this, in the long run, move us away from chip and PIN? Surely, you might reason, it doesn’t matter whether the chip is in a card or a watch or a phone. That’s true, of course, but when I refer to chip and PIN, what I mean is the EMV standard.

Someone (I can’t remember who) once told me that in the English legal system, the phrase “since time immemorial” actually means “since the death of Henry II”. Henry II, who died in 1189, reformed and unified the English legal system. In our world, “since time immemorial” means “since before the Netscape IPO”. The Netscape IPO took place on 9th August 1995. EMV comes from time immemorial.

In the not-too-distant future, the idea of being off line will seem perverse, so I just can’t see how chip and PIN can gain traction in the U.S. in time before cards vanish into mobile phones and other devices. Given the years it would take to migrate the U.S. POS infrastructure, I’m sure that what will actually happen is that terminal replacement because of contactless and mobile will be the key factor. Then, in time, the U.S. will have a chip-based infrastructure (since contactless card and mobile phones both have chips in them). But will it be an EMV infrastructure? That’s not obvious.

[From Digital Money Forum: Remember “off line”?]

In a longer timeframe, that holds true elsewhere. Come 2015-2016, when retailers are replacing their POS terminals in the next cycle, when phones have contactless interfaces, we’ll be making a transition to paying by waving our phones, ID cards, watches and goodness knows what else. If these devices deal with identification and authentication (in other words, the identity problem is “solved”) then what is the point of EMV? It makes more sense to move to a different model, where the payment institution confirms payment to retailer and the retailer never deals with payment data at all. It’s not their business. EMV takes the physical model of a card (you give the card to the retailer, the retailer gives the card data to the payment system) and electronifies it, which was fine at the time. In another decade, we’ll surely want something different? And if the US heads off in a different direction, will the rest of us have to follow anyway? The US perspective on EMV is very different to the European one.

Independent of the political challenges that the issuers face in the US, EMV is not the initiative to bring them together… Old technology (will not last the 10yrs it will take to roll out in US)… Expensive (POS, Card). Costs are not borne equally in network

[From EMV in US? No Way « FinVentures]

With respect to the US, there is another path for EMV that bypasses the POS rollout barrier, which is to use EMV for online card-present transactions, but that’s another issue.

Talking about the US, it’s interesting to note that the focus of excitement there right now is not smart cards but smart phones. Look at the attention that Twitter founder Jack Dorsey is attracting with his iPhone-based “Square” proposition, including VeriFone’s announcement of an iPhone-based POS solution a week later! All of the intellectual energy is being focused in this direction, and it’s leading to some decidedly non-traditional thinking about payment cards.

Why not just keep my card at the Apple app store? or at PayPal? What is the incremental value that this provides me? Why not just key in my card data.. why add a reader to my sexy iPhone

[From FinVentures]

Indeed. I can see the benefit of taking the data directly from the magnetic stripe via some gizmo connected to your iPhone instead of having to key the data in, but it’s not that much of a big deal. (If it was a chip reader, so that “full” EMV transactions could take place over the iPhone, then that would add a great deal of security.) Automatically recording the location of the transaction and perhaps even adding a picture of the person swiping the card might result in some new services — and I would imagine some unexpected consequences as well!

On the other hand, if we’re going to think about that kind of innovation, what’s the point of the card at all? If you’re going to store the payment card data in the cloud, then any strong authentication to that data will do (authentication that might be provided not by my bank but by my mobile phone operator, for example), so the tamper-resistant chip in my phone will do just as well and the need for yet-another-chip and PIN falls away. Instead of messing about with a card in Square, why don’t I just give the merchant my e-mail address? Apple already have a payment card corresponding to that e-mail address on file and they know my iPhone number, so they can push a message to me asking me to confirm.

In the NFC-enabled future, I will just touch my iPhone to your Blackberry, or my watch to your hat, and away we go: the merchant’s bank will ask me for the money and I will confirm the FPS or credit transfer on the spot and (once again) we have an architecture where the payment data never touches the merchant at all. So yes, I do think that in time the development of convenient contactless interfaces to add to ubiquitous secure mobile devices will result in EMV being abandoned as Visa, MasterCard and the others bring new and better payment solutions to the market.
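The flow sketched in the last two paragraphs, modelled as an added example (this is illustrative code written for this page, not any scheme’s real API). It assumes a payment institution that holds the card on file and a key registered to the payer’s device; the merchant submits only an alias (the e-mail address) and an amount, the institution pushes the details to the device, the device confirms with a MAC, and the merchant gets back a reference and a status but never the card data. Names, the alias, the PAN and the keys are all constructed sample values.

```python
"""Toy model of a push-to-confirm payment in which card data never reaches the merchant.
Added illustration; not a real payment network's protocol. Sample data is constructed."""
import hmac
import hashlib
import secrets


def _confirmation_mac(device_key: bytes, request_id: str, merchant: str, amount: int) -> bytes:
    """Device-side confirmation binds the request id, the payee and the amount together."""
    msg = f"{request_id}|{merchant}|{amount}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class PaymentInstitution:
    """Holds the card on file and the payer's device key; the merchant only ever sees an alias and a reference."""

    def __init__(self):
        self._accounts = {}   # alias -> {"pan": ..., "device_key": ...}
        self._pending = {}    # request_id -> {"alias", "amount", "merchant"}
        self.settled = []     # request ids that completed

    def register(self, alias: str, pan: str, device_key: bytes) -> None:
        self._accounts[alias] = {"pan": pan, "device_key": device_key}

    def request_payment(self, merchant_id: str, alias: str, amount_cents: int) -> str:
        """Merchant side: supply alias and amount, receive an opaque request id (no card data)."""
        if alias not in self._accounts:
            raise KeyError("unknown payer")
        request_id = secrets.token_hex(8)
        self._pending[request_id] = {"alias": alias, "amount": amount_cents, "merchant": merchant_id}
        return request_id

    def push_challenge(self, request_id: str) -> dict:
        """What is pushed to the payer's device: the details to confirm, nothing about the card."""
        p = self._pending[request_id]
        return {"request_id": request_id, "merchant": p["merchant"], "amount": p["amount"]}

    def confirm(self, request_id: str, confirmation_mac: bytes):
        """Verify the device's confirmation over exactly the pushed details, then settle.
        Returns the merchant-visible confirmation, or None if the request is unknown or the MAC is wrong."""
        p = self._pending.get(request_id)
        if p is None:
            return None
        acct = self._accounts[p["alias"]]
        expected = _confirmation_mac(acct["device_key"], request_id, p["merchant"], p["amount"])
        if not hmac.compare_digest(expected, confirmation_mac):
            return None
        del self._pending[request_id]
        self.settled.append(request_id)
        # The merchant receives a reference and a status; the PAN stays inside the institution.
        return {"request_id": request_id, "merchant": p["merchant"], "amount": p["amount"], "status": "PAID"}


class PayerDevice:
    """Stands in for the tamper-resistant chip in the phone: it holds only the device key."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def confirm(self, challenge: dict, user_approves: bool):
        """Show the challenge to the user; on approval, return the confirmation MAC."""
        if not user_approves:
            return None
        return _confirmation_mac(self._key, challenge["request_id"], challenge["merchant"], challenge["amount"])


def run_purchase(amount_cents: int, approve: bool = True):
    """Full exchange: merchant -> institution -> device -> institution -> merchant.
    Returns what the merchant sees, or None if the payer declined."""
    institution = PaymentInstitution()
    device_key = secrets.token_bytes(32)
    # Constructed sample account: alias, card on file and device key are made up for this example.
    institution.register("alice@example.com", "4111111111111111", device_key)
    device = PayerDevice(device_key)
    rid = institution.request_payment("coffee-shop-42", "alice@example.com", amount_cents)
    challenge = institution.push_challenge(rid)
    mac = device.confirm(challenge, approve)
    if mac is None:
        return None
    return institution.confirm(rid, mac)
```

The point to check when reading it is what each party ends up holding: the merchant’s record is the dictionary returned by `confirm`, which contains no PAN, and the amount the payer approved is the one the institution settles, because the MAC covers the amount that was pushed rather than anything the merchant supplies later.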

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.

4 comments

  1. One proposal I’ve heard for EMV to be deployed in the US is to strip out all the bits that they don’t need, basically only leaving the GENERATE AC command. Offline card authentication would be dropped (because offline transactions would be forbidden). For the same reason, performing cardholder authentication using offline PIN would not be supported.
    The PIN would be verified online, just as it is at the moment. Risk management would be performed by the issuer’s systems, rather than putting any logic on the card. All the card would do is to provide assurance that it possesses a symmetric key (all public key operations would be dropped). All it would need to MAC is the unpredictable number.
    This sounds like a reasonable approach*, because offline transactions almost never occur in the US. However, given my views on the complexity of EMV, I would prefer if it were replaced with something that could be specified in 20 pages rather than the 800 needed for EMV 4.2: http://www.lightbluetouchpaper.org/2010/01/19/encoding-integers-in-the-emv-protocol/
    * I am not so sure about doing online PIN verification using the current scheme of having clear-text PINs at intermediate switches. However, if the card contained the bank’s public key, to which the PIN would be encrypted, this problem would be resolved. I’ve heard “end-to-end encryption” being proposed in the US, so maybe something along these lines is in the works.
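The “GENERATE AC only” profile described in the comment above, as an added worked example (written for this page; it is not EMV code and does not follow the EMV cryptogram or key-derivation formats). It assumes a per-card symmetric key derived by the issuer from a master key, a terminal that supplies an unpredictable number, and an issuer that verifies the card’s MAC online. It goes slightly beyond the comment by also MACing the amount and an application transaction counter, so the issuer can reject a replayed cryptogram rather than only checking key possession. HMAC-SHA256 truncated to 8 bytes stands in for the real cryptogram; the master key and PAN are constructed sample values.

```python
"""Toy model of an online-only EMV profile: the card's only job is to MAC the
terminal's unpredictable number (plus amount and counter) with a symmetric key
the issuer can reconstruct. Not real EMV; formats are simplified stand-ins."""
import hmac
import hashlib
import os
import struct

# Constructed sample values for the example; not real key material or a real account.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_PAN = "4111111111111111"


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Issuer derives a per-card key from its master key (assumed scheme: HMAC of the PAN)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def _cryptogram(key: bytes, unpredictable_number: bytes, amount_cents: int, atc: int) -> bytes:
    """The application cryptogram: a truncated MAC over nonce, amount and transaction counter."""
    data = unpredictable_number + struct.pack(">Q", amount_cents) + struct.pack(">H", atc)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Holds a symmetric key and a counter only: no public-key operations, no offline risk logic."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0  # application transaction counter

    def generate_ac(self, unpredictable_number: bytes, amount_cents: int) -> dict:
        """Answer to the terminal's GENERATE AC: MAC the terminal's nonce together with amount and ATC."""
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "un": unpredictable_number,
            "amount": amount_cents,
            "ac": _cryptogram(self._key, unpredictable_number, amount_cents, self.atc),
        }


class Terminal:
    """Supplies the unpredictable number and forwards the card's response to the issuer."""

    def build_request(self, card: Card, amount_cents: int) -> dict:
        return card.generate_ac(os.urandom(4), amount_cents)


class Issuer:
    """All verification and risk management live here, online."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.last_atc = {}  # pan -> highest ATC accepted so far

    def authorise(self, req: dict) -> str:
        key = derive_card_key(self._master, req["pan"])
        expected = _cryptogram(key, req["un"], req["amount"], req["atc"])
        if not hmac.compare_digest(expected, req["ac"]):
            return "DECLINED: bad cryptogram"
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINED: replayed or stale counter"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVED"


def run_demo() -> list:
    """Constructed run: a genuine transaction, the same cryptogram presented twice,
    a card for the same PAN that does not hold the key, then the genuine card again."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(SAMPLE_PAN, derive_card_key(ISSUER_MASTER_KEY, SAMPLE_PAN))
    terminal = Terminal()
    first = terminal.build_request(card, 1299)
    results = [issuer.authorise(first)]
    results.append(issuer.authorise(first))            # replay of an already-accepted cryptogram
    keyless = Card(SAMPLE_PAN, b"\x00" * 32)           # same PAN, no knowledge of the card key
    results.append(issuer.authorise(terminal.build_request(keyless, 1299)))
    results.append(issuer.authorise(terminal.build_request(card, 500)))
    return results
```

Two things are worth noticing against the comment’s proposal: the card never needs to know whether the transaction is approved, since all the decision logic is on the issuer side, and the issuer needs no state beyond the master key and the last counter seen per card. The footnote’s suggestion of encrypting the PIN to a bank public key held on the card is not modelled here.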

  2. Great post, completely agree. Full disclosure, I am the co-founder of a contactless payments company so I am biased. I think one of the interesting things to watch will be how the carriers and banks come to agreement on how to whack up the fees generated so that NFC can proliferate. Until that time bridge technology will rule the day, phone cases, bracelets, etc with contactless built in. david waxman, co-founder, VITA products, inc. http://www.vitaband.net

  3. Right now in the United States, banks are pretty busy just trying to make a profit. So, there would need to be a compelling business need to introduce new technology. That being said, a case could be made for the security aspects of adopting new technology with respect to credit and debit cards. Right now in the U.S. if your credit card is stolen, the maximum liability you would incur is 50 dollars. However, due to the economy, there has been a massive movement towards using debit cards. Debit card users do not enjoy the same protections that they had with their credit cards. In fact, if they don’t report their debit card stolen within a given period of time, they could stand to lose up to 100% of their bank account balance. So, the additional security that accompanies new technology would most likely be welcomed.
    — Chet Scott
    http://www.leaptocheap.com
