WTF USA EMV CVM POS PIN SNAFU

I’ve been reading a lot of comment about the US EMV migration recently and there seems to be pretty universal condemnation of the process (some of it from me). In the UK, we had chip and PIN day (St.Valentine’s Day 2006) and that, pretty much, was that. But in the US, the migration has been piecemeal, confusing and fraught with problems. But why?

Critics have told me that banks opted for a signature versus a PIN code because it saves them large amounts of money by not having to store PIN codes for everyone. Banks, on the other hand, say they feared that their customers would have a difficult time remembering a four digit code.

From The EMV chip credit card transition in the US has been a disaster — Quartz

As far as I know, neither of these is true. Some issuers preferred chip and signature because it has higher interchange, not because US consumers are morons who uniquely amongst the nations of the Earth cannot remember a four digit personal identification number (PIN) that they use several times every day. Merchants wanted PIN because the fraud rate on PIN is two orders of magnitude less than with signature. Consumers wanted speed and, since they were given that by the no-signature online-authorised stripe transactions that they were familiar with, there was no traction for contactless (which delivers speed and convenience in an EMV environment and provides fertile ground for mobile payments).

The typical US consumer approaches a POS with some trepidation, I imagine, since it is completely opaque as to the experience that awaits them. Tap, swipe, dip, PIN or sign, hand over the card or keep it… every transaction is an adventure. I suppose many stakeholders take the position that it doesn’t really matter because mobile and in-app are going to steadily erode card transactions (Jupiter is reporting that almost half of US consumers already use some form of contactless payment, and a fifth already use it every day – mostly Starbucks I’d imagine). At some point in the imaginable future, “tap and pay” and “app and pay” will together exceed both EMV and magnetic stripe transactions at retail point of sale (POS) and at this point (the plastic singularity or, as I prefer it, #cardmaggedon or the #cardocalypse) signature versus PIN will seem to our children something of a medieval argument along the lines of angels on the head of a PIN. Right now, though, it is still a live debate.

My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

From The Great EMV Fake-Out: No Chip For You! — Krebs on Security

However, until such time, we should probably make an effort to improve the user experience (UX) for the typical consumer and make cards work better for the merchants. As I recall from the excellent NYPAY discussion on the topic, US merchants are particularly aggrieved by the rise in chargebacks that they have seen over the past few months.

Chargebacks for card-present transactions increased 50% following the Oct. 1 EMV liability shift,

From EMV Chargebacks Proving To Be a Card-Present Merchant Problem

You understand why this, I’m sure. It’s because before 1st October, if you spotted a $3.95 charge at Starbucks on your statement and you knew that you couldn’t possibly have made that transaction, then you would call up your issuer and complain and they would just eat the charge because it would have been more trouble than it’s worth to go back to Starbucks, pull the receipt, check the signature if there was one etc etc. However, after 1st October, if you spot a bogus $3.95 charge on your account and call up, the issuer will check the transaction codes and, if you had a chip card but it was swiped by a merchant who didn’t have (or didn’t use) a chip reader, then the $3.95 is charged back to the merchant. The net result is — entirely as expected and as it should be — that merchants see big increases in card-present chargebacks as previously hidden magnetic stripe fraud is revealed.

A good way to reduce that previously hidden fraud would be to simply give customers the option to block magnetic stripe transactions from cards with a chip on them. Why are the banks not giving consumers the option to disable stripe transactions? My debit card has embossing and a magnetic stripe on it for absolutely no reason that I can fathom since I never use it a non-chip ATM and in practice I don’t need it when abroad. I’ve just returned from trips to Rome and Munich where I never once used cash and never needed an ATM (I used my Caxton FX pre-paid card in shops and ticket machines and I used Uber for transport).

Brit abroad

Proof that I was in Rome and that it’s not empty blog rhetoric.

I want my bank to auto-decline any magnetic stripe transaction made using my chip-enabled contactless debit card and I want the ability to set that parameter from my excellent mobile banking app. Why is this so difficult? Meanwhile, back in the US, the mounting annoyance with chip and PIN continues. Perhaps it’s time for the networks to announce the sunset date for magnetic stripes: perhaps 1st January 2019, after which time no new cards will be issued with magnetic stripes or embossing?

Yes I heard the news, it’s the same old blues again

I love J.J. Cale. His 2001 live album is one of the most-played on my iPhone. Sadly, it’s doesn’t have a live version of one of my all-time favourite J.J. Cale tracks on it: I got the same old blues. In case you don’t remember…

Have you heard that rumour / that’s a going round

You got it made / way across town

It’s the same old story / tell me where does it end

Yes I heard the news / it’s the same ol’ blues again

I think of this every time I read a story about how EMV chips are trivial to clone and how the banking system is about to collapse because of multi-billion pound frauds. So when someone sent me a link to this… same ol’ blues again:

As it turns out, the cards are just as easy to clone as their magnetic stripe predecessors.

From Forget card skimmers, chip-card shimmers will be your next nightmare • The Register

No, they’re not. If they were, then the “black hats” would be living in the lap of luxury on the proceeds of their undetectable crime and the world’s biggest issuing banks (who bear the cost of fraudulent EMV transactions) would be bankrupt. They’re not (or at least, not because of card fraud, which was a piffling half-a-billion quid or so in the UK last year) so perhaps the claim might be ever-so-slightly exaggerated. What this story is actually about is tampering with terminals in order to steal PINs, which is a flaw with EMV deployment because enciphered PIN is not implemented as the standard cardholder verification method (CVM), but it’s not a flaw with cards and it doesn’t help you to clone the chips. In EMVCo’s official response to this story they say that 

The attack described in the Breaking the Payment Points of Interaction (POI) presentation captures static card transaction data in order to attempt fraudulent magstripe or e- commerce transactions, where EMV is not used. This type of attack relies on magstripe information and not the EMV chip. It is EMVCo’s view that when the full payment process is taken into account, suitable protection exists to mitigate against this type of attack, such as ensuring that information read from a chip card is not sufficient to create a valid magstripe card. 

I bolded the EMV point, by the way. What EMVCo mean by that last sentence is that issuers should ensure that the ICVV in the chip is not the same as the CVV on the stripe. I wrote about this nearly ten years ago when ICVV was introduced in the UK so if there are any issuers out there who are still setting the chip ICVV to be the same as the stripe CVV then, well, they deserve everything they get.

In a similar vein, I was sent a few links to a story about another new “new security flaw” in EMV. I won’t give you the link here because there’s no point following it. I can give you the skinny in half a line: if you rewrite the service code on the stripe to indicate no chip present, then the CVV, which is calculated using the service code, will no longer be valid. If any issuer authorises that transaction then they are either somewhat cavalier in their risk profiles and find it sexually thrilling to put shareholders’ money on the line or they had the wrong consultants advising them on their card issuing and authorisation strategies. In other words, they deserve everything they get. But it’s not a “security flaw” in EMV it is a “moron flaw” in the authorisation system.

Incidentally, on a related topic, my good friend Stephen Murdoch wrote an interesting piece about what are called “relay attacks” (or “ghost and leech attacks) on contactless cards. I remember that a fair few years ago one of our clients had us build a ghost and leech system just to see if it would work. It did. But then everyone knew this. Here I am talking about it ten years ago:

David reinforced the feasibility of relay attacks against contactless systems and in the subsequent discussion, it seemed to me that me people felt that serious fraudsters would begin investing in this soon, so the industry needs to take it seriously.

From Taking a punt | Consult Hyperion

As it happens, fraudsters never did invest in it (because the contactless no-CVM limit of thirty quid makes it a very time-consuming and expensive way to steal not very much). Our clients did their risk analysis and decided that there was no need to fix it right away but maybe think about it longer term. One potential defence against this attack is based on timing and such a defence has now been defined by the EMV chaps. This is what is called (by MasterCard, since no-one else implements it yet) the “MasterCard Relay Resistance Protocol”. So, as Stephen says, as part of the transaction, the terminal sends a command to the card and measures how long it takes to respond. The response contains timing limits indicating how long it should take.

When the EMV cryptogram is generated by using Combined Dynamic Data Authentication-Application Cryptogram Generation (CDA), the response also contains the same timing limits, but these are digitally signed. If they don’t match the limits received earlier, or if the timed command exceeds the limits, then the transaction has failed and the terminal needs to decline the transaction. To be honest, a fair few observers have pointed out that because these are hard-coded limits, any variance in genuine devices may create more false negatives (genuine transactions incorrectly declined) that positives (actual attacks). Plus it needs all terminals to be modified and all cards to be replaced or renewed, and as I noted earlier it’s MasterCard only, so it may not be widespread any time soon, and it’s at least worth wondering whether it will be universal before #cardmaggedon (the day when non-card electronic transactions exceed card transactions at retail point-of-sale).

By the way, #cardmaggedon will be one of the topics covered in the discussions at this year’s Tomorrow’s Transactions Toronto Unconference to be held in the MaRS Discovery District on 29th September 2016. The post-card payments future will be the kick-off topic to get everyone thinking about where the world of retail payments might be going next. I look forward to seeing you all there.

Should customers be charged more to use chip and PIN? Yes!

Now that more than one in ten retail card transactions is in the UK is contactless, I think we’re beginning to approach a tipping point around the technology. This is important, because I think it’s a tipping beyond contactless cards and towards mobile and then in-app. I make it my business to collect and collate the weak signals for change around POS, so with that in mind, here’s a recent story from the UK newspapers. A customer was outraged to be surcharged for making a low-value payment with chip and PIN in a fast food outlet.

Bill was faced with this charge at Subway in Brislington, Bristol, where customers were being asked to pay 10p more for using a debit card that wasn’t contactless.

[From No contactless card? That’ll be 10p extra – the Subway charging people MORE to use Chip and PIN – Mirror Online]

I don’t have a problem with this at all and I don’t understand why the readers comments were negative. For one thing, I love Subway sandwiches and for another thing it makes complete sense from any informed perspective for both retailers and customers (almost all of whom have contactless cards anyway and those who don’t can always use Apple Pay, Samsung Pay, Android Pay, a sticker, a watch, a wristband or whatever else). Contactless debit card payments cost the retailers less (and since most low value card payments are debit, that means most low value card payments cost the retailer less) and putting your chip card into a reader and then punching in a PIN wastes time your time and everybody else’s too. I wouldn’t be at all surprised to see more retailers surcharging people who do not pay contactlessly or, any day now, who do not pay in-app.

Overall, 83% of consumers use less cash than they did a year ago with 19% saying they are annoyed if they cannot pay using contactless cards or devices.

[From Bar news | Contactless payments at bars and pubs nearly double]

I wrote about this couple of years ago when I pointed out how illogical it was for retailers to have signs that said they would accept card payments only for transactions above a certain level when it would have been more logical to have signs that said that below a certain level they would accept only contactless card payments. 

It baffles me that some retailers ban you from paying with cards for transactions below £10 when it would be more logical for them to say that transactions below £10 must be contactless

[From Retailers could take more advantage of contactless | Consult Hyperion]

Now, since the acquirers have to price contactless debit payments below their price for contact payments (otherwise they are not a viable cash replacement product) retailers are therefore incentivised to steer to contactless. If you are buying a £5 sandwich, the contactless interchange is only 2p and there’s a limit to how much the acquirers can add on top in a competitive market, hence Subway’s entirely logical structure. Incidentally, this is nothing new. Subway in the UK have always been at the forefront of payment technology. Here’s Forum Friend Julian Niblet writing about them back in 2013:

At least Subway (I really do eat better than this) have a sign which allows you to pay by contactless for any value but has a minimum spend for credit and debit. Somebody there has at least done some maths and realised that they ought to use the nice new kit they have installed.

[From A fresher way to pay? | Consult Hyperion]

Personally (as some of my Twitter correspondents observed) I think Subway should charge 10p more for cash as well, since when customers pay by cash they rarely have the correct change. This means that the person serving has to open up the register and count out the change. But the main issue is how the retailers choose to configure the POS and set the floor limits. Here’s what someone who says they were a Subway employee had to say about the matter.

Standing at the till with a que of 30-40 people you would long for them to pay in cash as subway do not have their card machines connected to the tills. Therefore you have to input the cost, wait for the customer to insert their card,( only after you imputed the price or the machine would crash) and then wait painful minutes on occasion for the machine to contact the bank and have a reply sent. When it comes to contactless it does it immediately.

[From No contactless card? That’ll be 10p extra – the Subway charging people MORE to use Chip and PIN – Mirror Online]

Now you can see why the retailer has the surcharge in place. And, as an aside, cash also also means that at the end of the day the manager has to cash up, reconcile the register and then deposit the cash, wasting even more time and money. Good on you, Subway.

It’s EMV day in the USA! So what?

It’s fair to say that Jeremy King of the PCI Security Standards Council and I do not always see eye to eye on things. In fact we’ve disagreed more than once (in public) about the usefulness of PCI-DSS. But I have to say that Jeremy is absolutely spot on here:

King says it will take years for the rollout of tokenization and end-to-end encryption to be completed. And once the U.S. migrates to EMV, “we will see a move of the fraud to card-not-present,” he says

[From How EMV Could Affect Role of PCI-DSS – BankInfoSecurity]

I think that when you look at the big picture you can see that there is a problem brewing. It is taken so long to get to the position where the US is finally on-board with the general concept of a shift to chip and PIN, even though most US consumers still do not have chip cards, that you can’t help but wonder whether the effort is going to be worth it. As Jeremy says, the shift to card-not-present fraud is about to accelerate and there’s not much that EMV can do about it.  I saw the same point being made in another article a few days ago:

For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15% of credit card fraud in the United States.

[From EMV s the 15% Solution for Card Fraud | PaymentsSource]

As it happens, that’s not true, at least according to Aite Group, who put counterfeit and lost/stolen fraud, the frauds that should be tackled by EMV (or at least if EMV cards are issued with correct ICVV, correct service codes and no fallback at ATMs) at around half of all fraud.

In the United States, card-not-present fraud is already a big problem. In fact, it accounted for 45 percent of credit card fraud in 2014, followed by counterfeit card fraud (37 percent) and lost/stolen cards (14 percent).

[From Credit card fraud and ID theft statistics – NASDAQ.com]

Well whichever fraction it is you can see the issue. If the British patterns are anything to go by then the growth in card-not-present fraud will exceed the drop in card-present fraud and so the overall fraud rate will continue to rise. This is why I’ve said at a couple of recent events that I think that tokenisation is going to be more important than chip and PIN and I’d be curious as to your feedback on my three central arguments on this front!

 Tokenisation Triptych

First, tokenisation helps to reduce fraud in the fastest-growing areas, online and mobile. You can’t use a token outside of its defined domain and if you were able to steal a token out of my iPhone, you wouldn’t be able to use it in your iPhone.

Second, tokenisation could help to reduce fraud in card present environments if, as I anticipate, there is a shift towards in-app purchasing even in store. I can easily imagine standing in Tesco and paying using a Tesco app on my phone (using tokenisation) rather than by taking out a card and using it in the POS terminal in front of me.

Third, there are new things that we can do with tokenisation that we simply can’t do with the existing infrastructure. In addition to the “plain” token that the bank puts into my handset, it could load other tokens for a variety of useful purposes: I wrote before about the idea of issuing a stealth token for use in online dating, adult services and other privacy sensitive environments but you can also imagine tokens that are issued for specific purposes such as a campus, or just for a day, or just for a particular website. Given the significant investments that most of our clients have made in tokenisation infrastructure, the need to develop additional services on top of the infrastructure is pressing, so I expect to see innovation in that field.

In the long term, the ability to deliver and maintain consumer security and privacy through tokenisation will be a crucial function of banks. This is why I think my apparently outrageous claim that it is more important than chip and PIN is justified, but if you don’t agree I’d still love to hear from you. 

The dawn of the cardholder-present transaction (Salford edition)

Well, today was the big day. Yes, a cusp in the annals of payment history. The day that mobile payments became real etc etc. Apple Pay in dear old Blighty! And a surprising amount of media attention.

It is the first time the “tap-and-pay” system — which allows users to pay for goods and services by touching their smartphones on contactless payment points — will be available outside the US.

[From Apple Pay taps UK to shake up consumer spending – FT.com]

Hurrah! Now, I’ve been tapping and paying with my iPhone for ages using my splendid Barclaycard sticker. But now the rest of you can join in the fun. Well, at least those of you with some of the latest Apple gear, that is.

Owners of an Apple Watch synced to an iPhone 5, iPhone 5c, and iPhone 5s will also be able to use Apple Pay, albeit without the extra security of Touch ID available only on the latest iPhone 6/6S model. Those with the latest iPad Air 2 or iPad mini 3 will also be able to use Apple Pay within apps to make purchases online.

[From Apple Pay readied for UK live debut – E & T Magazine]

The launch of Apple Pay meant that I had a pleasantly busy media day, starting of in Salford with BBC TV’s national “Breakfast” show.  This was really fun but it’s quite difficult because you have to boil down what you want to say to the bare essentials and talk in a language that a normal person (i.e., not someone obsessed with the future of electronic transactions) can connect to. The main point that I wanted to get over was that this really does mean a payments revolution, but because it brings security and convenience in-app and online, not because you can tap to buy cups off coffee, no matter how cool.

Good Morning Britain

One question that I was asked more than once during the day was “is it secure?”. I sometimes find this a little odd, because it suggests that Apple, the international card schemes, Britain’s leading retail banks and top consultants were thick as planks and hadn’t thought about it. My consistent response was that not only is it secure (or, at least secure within the bounds of the economic parameters appropriate to the business model, which is what I always mean by “secure”) but it is very secure indeed. The truth is though that none of this actually matters when it comes to adoption.

according to our Technographics data from Q1 2015, 27% of UK online consumers owning an iPhone would trust Apple to provide a mobile digital wallet but they are still more likely to trust PayPal (43%), a bank (41%), a credit card network (40%), and Amazon (32%).

[From Expect Faster Adoption Of Apple Pay In The UK | Forrester Blogs]

Now, it’s very important not to listen to consumers at all about this sort of thing. How secure a transaction mechanism is or is not has almost no bearing on whether people think it is or is not secure and no bearing at all on whether they actually use it or not. If you look at what people say and do, it’s clear that they are unconnected and surveys are a bit of a waste of time.

So, broadly speaking, people think that mobile payments are not secure, but since they don’t care about security and value convenience more highly, they will use mobile anyway.

[From I don’t trust public opinion on trust (or anything else) | Consult Hyperion]

The fact is that whatever people think, mobile payments are more secure than card payments. They might even, as it happens, lead to their demise. Anthony Jenkins, when head of Barclaycard, rather famously (to me) said that mobile phones would get rid of cards before they got rid of cash. I hate to say it, but it looks like he was right. Look at the trajectory. A decade ago, Bank Technology said that:

In the US, bank-issued contact smart cards are already in decline. In March of this year, Target said that it would discontinue its smart card programme because so few of the cards were ever used to download coupons as intended. Financial Insights reckon that the numbers in circulation will continue to fall from the peak of 21 million in 2002. Unless there is a dramatic increase in card fraud in the US, the business case for investing in anything other conventional magnetic stripe cards remains non-existent.

Well, there was a dramatic increase in fraud, yet the business case remains uncertain. US issuers are hardly racing to implement EMV. The costs of card-not-present (CNP) fraud and PCI-DSS all fall on the merchants, not the issuers, so their incentive to change is limited. But — and this is a perspective we need to explore — EMV has not been a magic bullet against fraud elsewhere in the world. The UK has had EMV for years, yet card fraud is still a major, major problem.

Damning research shows up to 3.8million bank and credit card frauds are left out of the Crime Survey for England and Wales, distorting the true scale of offending. If they were included, the number of annual offences would rise by 50 per cent, from the record low of 7.3million to 11million a year. It means seven people are defrauded every minute.

[From Why crime is really UP 50%: Upbeat official figures ignore slew of offences, from card fraud to murder | Mail Online]

The reason is two-fold. First, over time, criminals have become more inventive and have found many scams to obtain cards and PINs. Second, and most importantly, EMV did nothing about CNP. This is what Apple Pay is about to change, followed by bank schemes, Google Pay, retailers own schemes, Samsung pay and what ever else.

UK Card Fraud 2003-2014E

According to a variety of figures I’ve looked at, retail e-commerce is growing at around 10% per annum whereas card fraud in retail e-commerce is growing at double that rate. It’s time for a step change in the fight against card fraud. But what? Well, back in January 2014, I said in passing that “until we get a more secure mobile phone-based card infrastructure in place with working tokenisation” we would be stuck with these high levels of card fraud. Of course, I’m not quite the guru you might imagine for saying this, because I knew that my colleagues at Consult Hyperion were already working on tokenisation, but you can see what I was getting at.

I made this point again when I got caught up in an interesting discussion about card fraud a couple of days ago. The circumstances aren’t germane and I wouldn’t want to mention any of the organisations involved, and I hope none of them will mind if I mention that one of the main points of discussion was the relative security of mobile transactions over conventional card transactions. I think is fair to say that, broadly speaking, the discussion subgroup who came from banks agreed with me that mobile would in time be more secure than cards while the subgroup who came from merchants wanted to know if this meant changes to rules and rights. (I think it will.)

So why did the bank group think that mobile holds so much promise in security terms? As you’d expect, device fingerprinting and location-based services were seen as transforming the security around the payment transaction, and I couldn’t agree more. They also thought that this would mean that, in time, card-present (CP) rules and rights could be extended to mobile transactions. Personally, I am more bullish than that and would push further. I think that in time “cardholder present” transactions will actually be cheaper for the merchants than CP transactions and will be more desirable for the merchants because they allow for the sophisticated handling of payments related data within a transaction.

This must mean that in the longer term merchants will incentivise the use of mobile payments (e.g., Apple Pay) over the use of plastic cards and this will further support the evolution of in-app payments. As I said to a journalist this morning, Apple Pay is huge, but not because you can tap your phone to buy a coffee. Apple Pay is huge because it is the mass-market dawn of the change from card-present and card-not-present to cardholder-is-present and cardholder-was-present transactions.

But back to breakfast television. In the “green room” I ran into Mark Thompson, the astronomy chap, who was in to talk about the Pluto mission. As an experiment we decided to try out Apple Pay on his iPhone, which all went swimmingly. He opened up “add a card”, scanned his credit card and then… “sorry, your card is not supported”. He was using a Barclaycard.

Good Morning Britain

I showed him my sticker.

App and pay is where it’s at

A few weeks ago, I said that Apple Pay isn’t disruptive (for retail payments) and I made the point that its real impact will be “in-app”. I want to explore and emphasis this point in the light of more recent developments. Specifically…

The big news is that it will expand to the UK market next month

[From Apple Pay to be available in UK – Business Insider]

Apple Pay is coming to the UK. Now, when Apple Pay was first announced in the USA, our basic analysis of it for our clients was that it was an incredibly important development in the payment world, but not because of the use of the NFC. The fact that Apple had decided to use tokenisation, we told people, makes tokenisation as big a deal as chip and PIN. It will change the way business gets done, because it brings chip and PIN security to online and mobile transactions. In fact, I bored a number of people on this topic, to the point where it became part of my spoof write-up of Money2020 in Las Vegas last year

“Well, for the big merchants it’s not about tap-and-pay it’s about app-and-pay” he told Osama Bedier from Poynt.

[From Casino Royale-with-Cheese, Part 7]

At the end of the year, we made “in-app” one of our “live five” areas for our clients to explore in 2015 (along with the blockchain, as it happens) and started trying to persuade people to pay attention to it as area of massive opportunity.

Much of the discussion around ApplePay, tokenisation, NFC and retail has naturally focused on the “tap and pay” simplicity of the proposition. However, there are lots of reasons for thinking that this will be a sideshow rather than the main event.

[From Live Five for Fifteen]

The good people of the GSMA invited me to Mobile World Congress in Barcelona earlier in the year to explain this point to a general audience, where I predicted that tokenisation would accelerate a shift away from the check out and the conventional POS terminal as the nexus between the consumer and the merchant drifts away from physical space and into the mobile phone.

while much of the talk at the Congress was about what I’ve previously called the “last millimetre” using NFC, RFID (and now Loop) to link the phone to the point of sale (POS) in the store, the really disruptive impact of the Apple Pay, tokenisation and strong authentication via mobile would be away from the “traditional” POS because bringing chip-and-PIN levels of security and convenience to in-app transactions will change the way that we pay pretty quickly.

[From In-app and on-message in Barcelona]

I made exactly this point again a couple of weeks ago, when I was interviewed by the BBC in connection with the UK Apple Pay launch [audio, starts at 30 minutes in]. On the whole, I think. Consult Hyperion got a consistent message out to our clients and then to the wider marketplace. But is it the right message?

It is. I was interested to note some comments by people far more important and influential than I, comments that might be taken to mean that I may have perhaps been too conservative in my proclamations, around the announcement of Apple coming to the UK.

John Collison, one of the cofounders of $3.5 billion (£2.25 billion) payment processing startup Stripe, says this feature, not the contactless mobile payments, is getting businesses most excited… John Lunn, senior global director for the mobile-payment company Braintree, which was bought by Paypal for $800 million (£512.18 million) in 2013, also thinks Apple Pay’s in-app element is the most exciting thing about it.

[From Apple Pay in-app purchase power could be its most important feature, say Stripe, Braintree – Business Insider]

Well when people like John Lunn, who I can personally testify is a very smart guy, go on to say that “everybody’s talking about the in-store stuff, but actually when you look at the presentation when they launched it, the merchants that were sitting behind Tim Cook were online” I think that tell us the direction of travel pretty accurately.

As my colleague Tim Richards pointed out earlier in the week, tokenisation is a really big deal. App-and-pay changes industry dynamics in a way that tap-and-pay does not.

Thinking the unthinkable about EMV in the USA

The main reason for the switch to “chip and PIN” is, as we all know, to protect against fraud. But it only protects against one kind of card fraud and then it only protects completely if we do not allow magnetic stripes.

But the switch to EMV doesn’t necessarily protect against credit card numbers being stolen, Forrester says. And tokenization, a process that replaces sensitive cardholder information with a unique series of numbers use to identify customers, hasn’t been widely adopted in the U.S.

[From Chip-and-PIN Security for Payment Cards Won’t Happen Until 2020: Forrester – The CIO Report – WSJ]

Here, I think, I might differ with Forrester. Yes, it is true that tokenisation has only been adopted for Apple Pay, Android Pay and (presumably) Samsung Pay. But the investments in tokenisation mean that it will spread and, what’s more, I firmly predict that mobile will displace other transactions at point of sale (POS) thus bringing tokenisation to the high street. But their main point holds. The dynamic of the fraud changes around chip and PIN introduction are well-known and the overall shape of the fraud curves will undoubtedly be the same in America since, as far as I know, there are no plans to take stripes off of the cards or to start taking stripe readers out of stores.

It will reduce “card present” (CP) face-to-face and automatic vending fraud, but it will increase pressure on “card not present” (CNP) fraud.

[From Search Results CNP EMV]

Our experiences in the UK are that not only does CNP fraud increase as the bad guys chase the easy money but that, in time, the fraudsters become more imaginative about attacking chip and PIN as well, adopting a variety of strategies to obtain PINs.

As had been hoped, chip & PIN has reduced card fraud at POS. As had been expected, some of this fraud has been displaced into Card-Not-Present (CNP) channels to the extent that CNP now accounts for half of all fraud. Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.

[From Card fraud in the UK]

I wrote this back in 2007, when it was already clear that EMV was displacing fraud in this way. Then, back in 2013, I couldn’t help but look at the issue again in the context of the drive toward smart phone solutions.

Should the US use chip and PIN online? A few years ago, I thought this would be a good idea (in fact, I worked on a strategy for a US issuer looking at this around five years ago), but the window has been closing. In fact, as technology has moved on, I’d say it’s clear that this will now never happen. We’re not going to add smart card readers to our laptops or mobile phones and we’re not going to use chip and PIN cards in them to transact online. We going to use the smart phone instead.

[From Search Results CNP EMV]

Now, of course, we can all see that this is correct. Visa, Mastercard, Amex and Discover have delivered tokenisation into the marketplace and so instead of using EMV online we’re going to be using tokenisation. But there are people out there who are asking whether we really need to use EMV cards at all? As I mentioned above, why not use mobile phones and tokenisation everywhere? Why bother putting in the chip card readers or the contactless readers in store, why not just go in-app for everything and give the customer the same payment experience in store, on line, on the phone and any other channels.

Speaking the CNP Expo [2013] in Orlando, Lee Jurgens from Ralph Lauren… said that the US should have skipped chip & PIN and gone straight to mobile because it is the more secure payment mechanism. He’s got a point, and there’s no point the industry pretending that he hasn’t.

[From Maybe it’s time for son of EMV]

Now, I can’t pretend to be unsympathetic to this perspective, having long maintained (based on the results of a number of different risk analysis projects carried out by my colleagues at Consult Hyperion) that mobile will be safer than cards, even after the shift to chip cards. Back in 2009, I said that:

Incidentally, while mobile is certainly underutilised in the fight against fraud, a situation that is beginning to be addressed, tacking mobile on to the end of “traditional” payments is a stopgap.

[From Window pain]

In other words, using mobile just for authentication doesn’t deliver all of the benefits, we need to use mobile to replace the card itself. For this reason, I was unsurprised to read Visa Inc’s Vice President of Risk Products, Stephanie Ericksen, recently quoted talking about PIN and saying:

“we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

[From US EMV migration: Chip and signature is a joke! – Payments Cards & Mobile]

I am sure that what she means by “new technologies” is, for the foreseeable future at least, mobile phones, strong authentication and tokenisation. It seems to be that because of the additional fraud prevention and detection possibilities afforded by the mobile phone, this might not just be an alternative to chip and PIN but a replacement for it, delivering better value to all of the stakeholders. And the payment schemes could certainly pass on the fraud and other savings in the form of incentives to merchants. The “card present” / “card not present” world will be replaced by the “cardholder is present” and “cardholder was present” world.

I expect to see a new V/MA rate tier for use of tokens in mobile. “Cardholder present” that will mean liability shift to bank and a rate reduction of around 10-25bps (in the US).

[From Payments – June 2015 Current State/Updates – Starpoint Blog – Finventures]

So just as the US is finally thinking about starting mass market EMV issuing, after equivocating for so many years, and if EMV really does have a “shorter shelf life”, is it time to start thinking the unthinkable and asking whether they should bother?


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.