One of the key reasons for this is that Visa have just announced that they will require acquirers to support chip and PIN by 1st April 2013 and that they will implement the “liability shift” on 1st October 2015. This means, essentially, that the merchants who don’t take chip and PIN transactions will be liable for fraud on magnetic stripe signature transactions.[From At last! Now we can start building the legacy system]
EMV was the successful attempt to define a practical chip card-based standard with offline authentication, but with hindsight we can see that it was delivered at the precise moment in history when the entire world went online.
In our world, “since time immemorial” means “since before the Netscape IPO”. The Netscape IPO took place on 9th August 1995. EMV comes from time immemorial.[From Digital Money: He’s losing touch, surely?]
The business case for EMV in the USA (at retail POS) was always weak because US terminals have been online for years but now Ii’s reasonable to ask (without being considered a traitor by any of our clients!) whether EMV is really the best way to deal with the payments problems of the future. Or, to put it more bluntly, is it worth the US migrating to EMV? It’s not as if the US card industry doesn’t have security problems. It does.
EMV does not address the root causes or key factors associated with these massive breaches, which have been of greater concern to the US payments industry.[From Commentary – Credit Card Security Breach: Is the Industry Focused on the Right Security Issues? | PYMNTS.com]
You can see their point. US merchants will be asked to spend something like $5 billion on POS equipment (at a time when many of them want the POS to vanish altogether instead) to implement a solution that does little to help with card-on-file, web purchases and other sources of fraud. And the issuers don’t seem enthusiastic about PIN anyway.
JPMorgan Chase and U.S. BancCorp, the parent company of Elan Financial Services, have both announced that transactions on their new embedded-chip cards will be validated by signatures only and not carry PIN capability. This has drawn wide attention from within the industry because this will make those cards effectively useless in other countries, notably those in Europe and Asia. It would also appear to make the cards useless in unattended transactions where a vender has established PIN-only machines.[From Cards: PINs vs. Signatures Sparks Industry Debate]
This seems odd to me, because the CVM list could contain both signature and PIN and the US terminals could request signature while terminals everywhere else request PIN and everyone would be happy. But, anyway, that’s not the point. The point is that just as Europe went to offline authentication when the world was going online, the US will be going to chip and signature when the world is going to PIN and, frankly, at a time when world maybe about to move away from chip and PIN to phone and PIN. Does it really make sense to mandate migration to the nearly-completed legacy infrastructure of EMV, or does it make more sense to mandate for the outcome (reduce fraud, increased consumer convenience, cash replacement etc etc)? If, as I’m beginning to suspect as time goes by, it is the latter then the time wasted on getting EMV into the US mass market might be better spent on organising and deploying the son-of-EMV instead. I think we can already see a window opening up.
At the Future of Money and Technology conference in San Francisco this year, Vince Kadar from Telepin in Canada was succinct. On the mobile payments panel, he said that the solution for the US wasn’t to deploy EMV but to get rid of the PAN-based infrastructure altogether. I’m starting to wonder if he isn’t right. It’s going to cost an awful lot of money to bring it up to scratch and it’s not entirely obvious that there aren’t better alternatives.
The reason my opinion has changed is because the existing payment rails are overly complex, built on archaic structures and is dominated by a duopoly that want to stifle true innovation.[From The Payment Rails Are Broken – My musings]
So let’s for a moment doodle an alternative strategy, where the US becomes not the last place in the world to implement legacy EMV but the first place in the world to implement new improved EMV. The US isn’t the only market to look at a non-EMV way forward, incidentally. China uses a different standard. The People’s Bank of China and UnionPay worked together on the PBOC 2.0 standard (aka “Chinese EMV” which is similar to, but not the same as, EMV).
Due to an increasing number of transaction fraud worldwide, more and more countries are shifting from the stripe card standard to the EMV standard, which substantially enhances transaction security and operation efficiency. Now some major Chinese commercial banks are to join the trend, planning to issue their chip cards by the middle of the year.[From Banks in China to Launch Chip Cards]
We will soon be in a situation where EMV cards will work in Chinese terminals but PBOC cards won’t work in the existing EMV terminals. Does this really matter? Most card-present transactions are local. I wish my bank would take the embossing and stripe off of my debit card and I wish that John Lewis would take the embossing and stripe off of my credit card. I don’t care about carrying a Travelex Stripe US$ card when I got to the US and I wouldn’t care about carrying a Travelex PBOC Yuan card to China. We can survive multiple standards. But I digress.
What should the next generation EMV look like then? Were anyone to ask me, I would say, as I’ve bored on about before, that we should design it by building on standards from the world of identity, not the world of banks. This means taking the emerging frameworks in the identity space (e.g., NSTIC) and using them for payments through the identity provider and attribute provider roles, not by designing special protocols. So I tell the merchant my identity is Ziggy Startup and present a cert. The merchant resolves the cert to Barclays and requests an attribute cert attesting to my credit rating to the value presented. Barclays return an attribute cert saying I’m good for the money. The merchant signs the cert and presents it for payment.
One outcome of this rethinking might be to swap the payment process around, so that the merchant never sees any payment details. As we used to discuss many years ago, it would be better if the merchant gave the bill to the consumer, the consumer gave it to their bank and OK’d payment and the merchant got back a receipt from the bank saying that it had been paid. The would require some kind of XML standard for the bill and the receipt (the receipt being the bill, but digitally-signed by the bank).
As it happens, there already is one: the Internet Open Trading Protcol, IOTP, that consumed a substantial fraction of my life a decade ago and may be better known to you as RFC 2801.[From Digital Money: Changes to the card payments landscape in Europe]
So there we go: NSTIC plus something like IOTP plus some form of mobile authentication. Sorted.
P.S. If the JAMV crowd don’t get their act together on this, then the next payment standard will of course be the GAF one: Google, Apple, Facebook.
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers