Let’s say for a moment that the US implements EMV and goes the way of on-line PIN verification only.[From Why US travellers’ EMV cards may not work in Europe]
This would be crazy. At the recent Smart Card Alliance conference in Chicago, my colleague Stuart Fiske from Consult Hyperion had a (moderately intemperate) go at a couple of speakers who were saying chip and online PIN was a good idea. He made the point that offline PIN was the only globally interoperable solution and that the US should go with it, and he got a big round of applause for saying so. I don’t see the point of issuing EMV cards and then using them with an online PIN: if the merchant has a PIN pad then why wouldn’t you use chip and offline PIN? And I can see a practical problem here: if customers are encouraged to continue to use cards that are chip and online PIN only, then when they get off the plane at Heathrow and try to buy a train ticket from a machine, they won’t be able to buy anything because the online PIN won’t work (it will only work in ATMs).
Having just got back from a few days in the US, I decided to dust off this piece about the EMV options and tidy it up, because Visa has announced its EMV migration plan for the USA. In our little corner of the payments world, this is officially a big deal.
But in a departure from nearly every other global market that has switched to EMV cards, which are commonly called chip-and-PIN for their most prominent security feature, Visa’s plan excludes PINs.[From Visa’s Plan to Drop PINs Leaves Some Concerned About Security – American Banker Article]
It would be interesting to understand the reason for this, so I went over to Visa’s site to see and I found a rather odd statement.
And we continue to believe that long-term static data elements, including PIN, can create an increased risk for fraud. An increase in ATM fraud could occur in cases in which the PIN is stolen along with cardholder account information.[From PIN largely unaffected in U.S. migration to EMV chip « Visa’s Blog – Visa Viewpoints]
This is what used to happen in the UK. People would steal card details along with the PIN and then use those details to create counterfeit magnetic stripe cards to use at US ATMs. But they can’t do that anymore because the UK issuers have moved to ICVV (the card verification value held on the chip differs from the one on the stripe, so a stripe card forged from chip data fails verification). And in any case this only worked because you could copy magnetic stripe cards: you can’t use the cardholder data to make chip cards. So once US ATMs turn off the magnetic stripe fallback for Visa cards, counterfeiting isn’t a threat at ATMs and it doesn’t matter if someone gets hold of the card details and the PIN. There must be another dynamic.
In the US market there are about six million POS terminals in use and about a quarter of them already have PIN pads. These PIN pads, which are used for online PINs, are already secure enough to use for offline PINs. Hence Visa’s point…
Visa will continue to support online PIN as a cardholder verification method for debit transactions, and at the same time encourages the move toward future adoption of dynamic cardholder verification methods.[From PIN largely unaffected in U.S. migration to EMV chip « Visa’s Blog – Visa Viewpoints]
A digression. If you’re getting confused about what’s going on here, you need to take a break and go back to EMV basics. The EMV specification allows for a number of different Cardholder Verification Methods (CVMs) and any particular card will have the acceptable CVMs stored on it, in order, by its issuer. These could be (in no particular order):
- Plain-text offline PIN, the default in the UK;
- Enciphered offline PIN—which should be the only option in the UK, but isn’t because we started by issuing Static Data Authentication (SDA) cards that couldn’t support it. Now we are issuing Dynamic Data Authentication (DDA) cards we really should be moving over to this option to stop PINs from being harvested from terminals that have been tampered with;
- Encrypted online PIN—where there is an offline PIN as well (e.g., my Barclays debit card) then the online and offline PINs are synchronised in the back end.
You can also have combinations of these, with the most obvious example being signature plus enciphered offline PIN for the paranoid. To illustrate the point with a real case study: one of the UK cards that is in my pocket right now has the following actual CVM list in priority order:
- encrypted online PIN for cash at ATMs;
- plain text offline PIN for purchases;
- enciphered offline PIN for purchases;
- signature for purchases.
This means that if I go into a shop and their PIN pad is broken or my chip is damaged, I can still buy something and sign for it. I could imagine a typical Visa US debit card having a different CVM list:
- encrypted online PIN for cash at ATMs;
- encrypted online PIN for purchases.
Please note: this is speculation based on public documentation only. Why does this approach make sense when online PIN only doesn’t? Well, the US is never going to get rid of signatures in the timeframe under discussion for EMV, so this makes for an easy transition. The signature is decoupled from the chip infrastructure as it is anyway, so, basically, whatever the chip says the merchant terminal can just ask for a signature anyway and most Americans won’t notice any difference.
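To make the CVM-list mechanics concrete, here is an added example (not code from the original post or from Consult Hyperion) that encodes the two lists above as an EMV tag 8E CVM List and runs the terminal-side rule selection over them. The method and condition codes follow EMV Book 3 Annex C3; the exact condition codes assigned to each rule, and the terminal profiles, are assumptions made for illustration.

```python
from dataclasses import dataclass

# CVM method codes (low six bits of the CVM code byte), the bit-7 "continue"
# flag, condition codes and the tag 8E layout follow EMV Book 3 Annex C3.
PLAINTEXT_OFFLINE_PIN, ONLINE_PIN, ENCIPHERED_OFFLINE_PIN, SIGNATURE = 1, 2, 4, 0x1E
CONTINUE = 0x40   # apply the next rule if this one fails or is unsupported
ALWAYS, IF_UNATTENDED_CASH, IF_TERMINAL_SUPPORTS = 0x00, 0x01, 0x03
PIN_METHODS = {PLAINTEXT_OFFLINE_PIN, ONLINE_PIN, ENCIPHERED_OFFLINE_PIN}
NAMES = {PLAINTEXT_OFFLINE_PIN: "plaintext offline PIN", ONLINE_PIN: "online PIN",
         ENCIPHERED_OFFLINE_PIN: "enciphered offline PIN", SIGNATURE: "signature"}

def encode_cvm_list(rules):
    """Tag 8E: amount X, amount Y (zeroed here, unused), then 2-byte rules."""
    return bytes(8) + b"".join(bytes([code, cond]) for code, cond in rules)

def parse_rules(cvm_list):
    body = cvm_list[8:]
    return [(body[i], body[i + 1]) for i in range(0, len(body), 2)]

@dataclass
class Terminal:
    supports: set                  # CVM methods this terminal can perform
    unattended_cash: bool = False  # True for an ATM
    pin_pad_working: bool = True   # False models a broken or absent PIN pad

def select_cvm(cvm_list, term):
    """Walk the card's rules the way a terminal does; None means CVM failed."""
    for code, cond in parse_rules(cvm_list):
        method, cont = code & 0x3F, bool(code & CONTINUE)
        if cond == IF_UNATTENDED_CASH and not term.unattended_cash:
            continue               # condition not met: rule is simply skipped
        if cond == IF_TERMINAL_SUPPORTS and method not in term.supports:
            continue
        unusable = method not in term.supports or (
            method in PIN_METHODS and not term.pin_pad_working)
        if not unusable:
            return NAMES[method]
        if not cont:
            return None            # bit 7 clear: verification fails right here
    return None                    # list exhausted without a usable CVM

# Constructed lists: the UK card from the post and the speculated US debit card.
UK_CARD = encode_cvm_list([(ONLINE_PIN | CONTINUE, IF_UNATTENDED_CASH),
                           (PLAINTEXT_OFFLINE_PIN | CONTINUE, IF_TERMINAL_SUPPORTS),
                           (ENCIPHERED_OFFLINE_PIN | CONTINUE, IF_TERMINAL_SUPPORTS),
                           (SIGNATURE, ALWAYS)])
US_DEBIT = encode_cvm_list([(ONLINE_PIN | CONTINUE, IF_UNATTENDED_CASH),
                            (ONLINE_PIN, ALWAYS)])
```

Run the UK card against a shop terminal with a broken PIN pad and it falls through to signature; run the speculated US debit card against an unattended terminal that only supports offline PIN (the ticket-machine case) and the last rule, which has bit 7 clear, fails verification outright.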
that there are more EMV markets that have implemented chip and signature than chip and PIN.[From PIN largely unaffected in U.S. migration to EMV chip « Visa’s Blog – Visa Viewpoints]
There may be another factor here, though. The US is a special case because the interchange on signature transactions is higher than the interchange on PIN transactions (or at least it was: who knows where Durbin will take it) and therefore issuers want to keep signature going for as long as possible despite the large retailers having PIN pads in place.
If Wal-Mart had its way, mag-stripe cards would disappear immediately, to be replaced with cards running chip and PIN.[From Untitled]
As I said. So why bother with chip and signature? I think the explanation might be that Visa USA, in common with many industry observers, just doesn’t see the current cards and terminals as a long-term technology worth investing in. Hence the reasonable, from their point of view, compromise. You issue chip and signature cards for credit and debit. The debit cards have encrypted online PIN as well for use at POS with the current PIN pads. This works fine in the US and at international ATMs. The only place where it causes problems is international unattended terminals that accept offline PIN only (such as Belgian petrol stations), and for international travellers the US banks can issue cards with offline PIN anyway. All sensible from the US perspective. While I was googling for something else on this topic, as an aside, I came across this voice of the customer that confirms this analysis.
I have a Citibank Singapore chip-and-signature EMV card. It caused a lot of confusion in Europe when it was a chip card that wanted a signature, and again in New Zealand as they started their EMV rollout. Only time I recall it failing in Europe was trying to buy rail tickets at AMS, where my mag-only cards also didn’t work.[From USA issuers announce EMV cards (Chip & PIN -or- Chip & Signature). – Page 3 – FlyerTalk Forums]
When I last used my chip and PIN card in Singapore, I was asked for PIN and signature, because of the decoupling mentioned earlier, but that’s a digression. At some point in the future, we’re going to stop entering PINs in POS terminals. I’ve said before that in the next generation of consumer payments, we must make a fundamental change in the point-of-sale (POS) user interface by ending the practice of having customers enter a PIN into something that isn’t theirs. The cost of providing certified PIN pads is high: making customers buy their own non-certified PIN pad seems like a much better solution all round. Since most customers have already bought a non-certified PIN pad (their mobile phone) that has other security features associated with it, we (the industry) may as well use them. This means using the “PIN” to unlock a handset-based wallet, not to authenticate card transactions.
To see the more interesting future context of Visa USA’s announcement, then, you have to stop thinking about cards and terminals and start thinking about virtual cards and phones. Post 2015 people will be using their chip and signature cards, it’s just that those cards will be inside mobile phones and will have all sorts of other security that cards don’t, so the offline PIN is less relevant. This way, the readers (POS terminals, televisions, Squares, iPhones and goodness knows what else) will be spared the expense of certified PIN entry devices and innovative new solutions can come to market exploiting chip-based dynamic authentication. These are, I stress, merely my reflections on the topic based on public statements, but I think they’re a reasonable summary of the current situation.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
Dave, very elaborate remarks on the PIN side of the story (unattended POS terminals are still off limits for US chip cards with signature or online PIN, mmh?). I think it is worth pointing out a couple of other aspects that need attention and clarification:
Neither ATMs nor CNP transactions are covered by Visa’s announcement, kind of ignoring the fact that these channels become the weakest links in the fraud chain once you have taken care of the POS (see the CNP fraud in the UK and ATM fraud outside of Europe).
As far as I can see the liability shift only covers counterfeit fraud at POS, not lost and stolen fraud (since PIN is not required).
There are no explicit incentives for issuers. If they stick with magstripe, they have the POS transaction liability today as much as tomorrow.
The waiver for PCI DSS annual audit cost is supposed to be the carrot for the merchants. Well, per the small print, they still need to be compliant with PCI DSS and using magnetic stripe cards at chip card terminals does not make the transaction more secure per se.
Finally, as everybody in the industry acknowledges and as the UK and some other markets have so impressively demonstrated, you only reap the benefits of EMV if a market moves as a whole, i.e. you execute a nationwide migration project embraced by all major stakeholders. My guess is that we are still far away from such a project plan.
I documented a series of additional inhibitors in my recent paper titled ‘Chip in the U.S.- The Facts, Debunking the myths concerning EMV advancement in the United States’ published at the SCA website http://www.smartcardalliance.org/resources/pdf/Chip_in_the_US_The_Facts_090611.pdf
Would appreciate everybody’s comments.
Thanks for these thoughtful points Toni. I think the point about PCI DSS as an incentive is that the merchant gets the reduced PCI-DSS requirements (and therefore costs) only if more than three-quarters of their transactions are chip, but they will still be able to process magnetic stripe transactions. I know it isn’t logical if you think about it (because the magnetic stripe liabilities are still there) but, as they say, I wouldn’t get there from here.
Dave, it’s really worthwhile to read the Visa announcement by the letter. Visa ‘will eliminate the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled terminals. To qualify, terminals must be enabled to support both contact and contactless chip acceptance, including mobile contactless payments based on NFC technology’. So, the transaction does not have to be a full chip transaction, it only has to originate from a chip terminal. And the merchant ‘must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable’. So, it’s not PCI DSS compliance per se that is waived but the annual audit to prove compliance. Two different things.
Thanks for the clarification Toni.
I agree with Stuart that the offline PIN must be the only interoperable standard; there appear to be some European countries that are (actively) issuing cards with the CVM list set up without Offline PIN (they use Online PIN locally, falling back to MSR in the UK).
However, the merchants will do nothing until the other schemes offer a similar PCI-DSS incentive; at the moment merchants will still have to do full compliance audits for MasterCard or Amex.
Still, it’s a big, big step in the right direction.
Magnificent analysis Dave, and very useful additions Toni.
For what it’s worth, I think the debate around US migration to EMV is getting over-complicated, and while Visa are to be congratulated for taking a lead, in some ways they have added to the confusion.
Call me naive, but I don’t understand why the US cannot simply migrate to EMV chip with offline PIN as the default but with other CVMs as options, as in the rest of the world. I believe the obsession with mobile payments is a red herring and a distraction. And sorry Dave, but I think your idea of generating PINs on our own mobile phones sounds gruesome, for all sorts of reasons.
By the way, I still think the prediction you forced me to blurt out on our podcast a year ago – that we’d see serious movement on EMV chip in the US by the end of 2011 – was only slightly optimistic.
We – @ http://iPayYouNow.com – have a full EMV Chip&PIN certified Mobile Payment solution. This could be the perfect solution for the US to go to EMV.
Follow us http://twitter.com/CONSELOdotcom