Next month, Citibank will begin testing a card that has two buttons and tiny lights that allow users to choose at the register whether they want to pay with rewards points or credit, at most any merchant they please.[From The Mundane Credit Card Gets a Modern Makeover – NYTimes.com]
These are the "dynamic stripe" cards from Dynamics. The idea of them is that since US retailers are not going to replace magnetic stripe readers with chip readers, the way to deliver new services to customers is by emulating the magnetic stripe.
Called “Redemption,” the cards will work at any merchant where mag stripe readers are used. The new cards include programmable and electronic components such as a battery, an embedded chip, buttons and a card-programmable magnetic stripe.[From Citi’s Pushes Buttons With 2G – Bank Technology News]
You can see how this kind of thing might have a window in the US where the retailers don't have chip terminals. It would make no sense anywhere else: in the UK, for example, Barclaycard's new Freedom rewards programme works at the POS so when you put your card in it asks you if you want to pay with Pounds or Points, which seems much easier than press a button the card, but anyway. And if you try to use a magnetic stripe card in a UK terminal, whether it's dynamic or not, they'll assume you're a fraudster and call the police.
So why do I say that using this kind of technology in the US may have a window?
Well, consider the example of the Cutty Sark. The Cutty Sark was a tea clipper, built for speed, and at one time was the fastest ship of its size afloat, famously beating the fastest steamship afloat and doing the Australia to UK run in 67 days. At the time, get tea from Asia to Europe at high speed was economically important and so there was pressure from the tea companies to get the fastest ships (so they weren't built just for the fun of it, or to show off the technology, but because of the economic imperative.
What's the point of brining this up? Well, it makes the point that the fastest sailing ship was built after the steamships arrived. In Christopher Freeman and Francisco Louca's "As Time Goes By: From the industrial revolutions to the information revolution" they note that
However, it had taken a fairly long time for the steamship to defeat competition from sailing ships, which also began to use iron hulls. The competitive innovations in sailing ships are sometimes described to this day as the 'sailing ship effect', to indicate this possibility in technological competition for a threatened industry.
In the long run, the sailing ships vanished, except for leisure, and the steamships took over. But when the steamships first came on to the scene they stimulated a final burst of innovation from the sailing ship world, which was then stimulated into building some great ships as a kind of "last hurrah".
Source: Historic Naval Ships Assocation (2004).
Perhaps we should look at the Citi initiative as the "last hurrah" of the magnetic stripe. I bumped into our good friend Adrian Cannon from Edgar Dunn while I was writing this, and he summed it up as "a very complicated way to achieve a partial answer" to the problem of card security, which strikes me as an accurate description.
The dynamic stripe isn't the only alternative to EMV that is developing in the US. There are many companies working in this field, some of them focusing on the (Incorrect) business model that targets fraud reduction.
Diebold recently launched its out-of-band authentication that uses a mobile device to authorize a withdrawal at the ATM. When the withdrawal transaction is initiated by a card holder, the system sends an authorization code to a mobile device. This code needs to be entered on the ATM in order to complete a withdrawal transaction.[From Emerging alternatives to chip and PIN to tackle card fraud in the US]
These sorts of solutions are already implemented in various places. There are also other strands of thinking around improving magnetic stripe security.
MagTek, meanwhile, has developed MagnePrint technology. It examines the unique traits of the iron particles in a card's magnetic stripe, based on the fact that the low-level magnetic noise emitted by individual magnetic stripes is as unique as a fingerprint (according to the vendor). The system is therefore able to detect whether the card used at the ATM is indeed the original or simply a fake with stolen card data.[From Emerging alternatives to chip and PIN to tackle card fraud in the US]
Many people, however, see moving away from the stripe interface as the best path and this has already started in the US (albeit on a smaller scale than had been hoped) with the shift to contactless interfaces: Blink, ExpressPay and all the rest.
Gemalto is betting on contactless payments technology, as a first step toward possible future chip and PIN implementation. The technical specifications of contactless and chip and PIN standards are closely aligned, and both formats define the way a smart card communicates with a card reader. However, the contactless approach still requires significant investment into card exchanges and infrastructure.[From Emerging alternatives to chip and PIN to tackle card fraud in the US]
Indeed it does, and yet some people are making that investment outside the EMV framework. Look at what is going on with Bling and RFinity, for example. When I was last down at PayPal in San Jose, everyone had "Bling powered by PayPal" stickers on their phones and seemed very happy using them: merchants accepting Bling have to have entirely new terminals to do so. The point is that there are paths opening up in many directions: so which should the US choose (and should it have national strategy to do so, or should it leave it to the market to choose?)
what exactly should policy makers at the Fed do with respect to card payment fraud in the US? Is Fed intervention required to impose new requirements that wouldn’t otherwise be adopted by individual stakeholders acting alone[From Card Payments Fraud and the Fed — Payments Views from Glenbrook Partners]
There is another EMV way forward, and that's to go for a kind of "EMV Lite" that keeps the chip and PIN but ditches offline working and all of the risk management and complexity that goes with it. That would simplify the implementation and reduce the cost considerably. Since almost all EMV transactions in UK are authorised online (less than half were when the first — here's one for the teenagers — UKIS cards were introduced), the cards would work here to. In Spain, all transactions are online, as they are in other countries too. Bizarrely, one of the key benefits of EMV, offline authorisation, has not only not grown, it has all but vanished.
Perhaps the solution is more radical, though. In a twitter conversation with Scott Lofteness of Glenbrook I mentioned a strand of thinking that I think is more than idle speculation, and that is that the alternative to chip and PIN in the US will be chip and PIN, except that the chip will be the SIM in the mobile phone and not the chip on a card (whether an EMV chip or a Dynamics chip). In other words, "chip and PIN" will be overtaken by "SIM and PIN", just as it already has been in some other markets around the world.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
“SIM and PIN” seems exactly the right train of thought. Beyond responding to the tidal shift toward mobile lifestyles, it would seem to have significant efficiency benefits that might just make the migration away from mag stripe economically justifiable in the US. As you point out, it could be done without bringing along the needless infrastructure of offline authentication, and in addition:
— Presumably, the SIM chip could house multiple card accounts (securely provisioned over the wireless network), reducing the cost of mag stripe card re-issuance. In fact, any mobile payment system will need to work this way to gain consumer acceptance, and with perhaps 6 cards in the average American wallet, the savings could be significant.
— I wonder what your thoughts are on the location of PIN entry. If PIN authentication could be accomplished on the consumer’s phone rather than the merchant’s terminal, the cost of POS upgrade should be greatly reduced. There might be additional benefits from eliminating the compromises that can arise from PIN entry on public devices.
We would, of course, be left with the issue of incompatibility between the US and the rest of the world. Over time, one has to has to believe that mobile payment solutions will be demanded by consumers in Europe and elsewhere, and perhaps this approach points the way to a global mobile standard. In the meantime, issuers in the US and elsewhere could make special arrangements for foreign travelers, whose high spend levels and cross-border/foreign exchange fees would probably justify the additional cost.