EMV is at the heart of global payment card processing. As a specification it governs the processing of billions of transactions globally, with the vast majority of those flowing through the international payment schemes. As a technology it has been incredibly successful, reducing fraud levels everywhere it’s been introduced and its extension into contactless payments is now the fastest growing area of face-to-face payments. The idea that EMV might soon be obsolescent seems far-fetched, to put it mildly, but there are reasons to believe that its hegemony is under threat.
Card issuing seems to be hot right now. Despite the rise of alternatives to card payments, many Fintechs appear intent on adding payment cards to their product portfolios. And it is not just the “me too” start-up banks.
For example, some international remittance services are adding payment cards to their offerings. This allows customers to spend the money they receive directly but also means that customers do not withdraw funds immediately upon receipt. This extends the customer relationship adding value to both the customer and the Fintech.
I love J.J. Cale. His 2001 live album is one of the most-played on my iPhone. Sadly, it doesn’t have a live version of one of my all-time favourite J.J. Cale tracks on it: I got the same old blues. In case you don’t remember…
Have you heard that rumour / that’s a going round
You got it made / way across town
It’s the same old story / tell me where does it end
Yes I heard the news / it’s the same ol’ blues again
I think of this every time I read a story about how EMV chips are trivial to clone and how the banking system is about to collapse because of multi-billion pound frauds. So when someone sent me a link to this… same ol’ blues again:
As it turns out, the cards are just as easy to clone as their magnetic stripe predecessors.
No, they’re not. If they were, then the “black hats” would be living in the lap of luxury on the proceeds of their undetectable crime and the world’s biggest issuing banks (who bear the cost of fraudulent EMV transactions) would be bankrupt. They’re not (or at least, not because of card fraud, which was a piffling half-a-billion quid or so in the UK last year) so perhaps the claim might be ever-so-slightly exaggerated. What this story is actually about is tampering with terminals in order to steal PINs, which is a flaw with EMV deployment because enciphered PIN is not implemented as the standard cardholder verification method (CVM), but it’s not a flaw with cards and it doesn’t help you to clone the chips. In EMVCo’s official response to this story they say that
The attack described in the Breaking the Payment Points of Interaction (POI) presentation captures static card transaction data in order to attempt fraudulent magstripe or e-commerce transactions, where EMV is not used. This type of attack relies on magstripe information and not the EMV chip. It is EMVCo’s view that when the full payment process is taken into account, suitable protection exists to mitigate against this type of attack, such as ensuring that information read from a chip card is not sufficient to create a valid magstripe card.
I bolded the EMV point, by the way. What EMVCo mean by that last sentence is that issuers should ensure that the ICVV in the chip is not the same as the CVV on the stripe. The ICVV is the same calculation as the stripe CVV but with a fixed service code of 999 in place of the stripe’s real service code, so chip data copied onto a stripe carries a value that the issuer’s host will reject, provided the host actually recomputes it. I wrote about this nearly ten years ago when ICVV was introduced in the UK so if there are any issuers out there who are still setting the chip ICVV to be the same as the stripe CVV then, well, they deserve everything they get.
In a similar vein, I was sent a few links to a story about another new “new security flaw” in EMV. I won’t give you the link here because there’s no point following it. I can give you the skinny in half a line: if you rewrite the service code on the stripe to indicate no chip present, then the CVV, which is calculated using the service code, will no longer be valid. If any issuer authorises that transaction then they are either somewhat cavalier in their risk profiles and find it sexually thrilling to put shareholders’ money on the line or they had the wrong consultants advising them on their card issuing and authorisation strategies. In other words, they deserve everything they get. But it’s not a “security flaw” in EMV it is a “moron flaw” in the authorisation system.
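To make both points concrete (the ICVV versus the stripe CVV, and the rewritten service code), here is the calculation an issuer host performs, normally inside a payment HSM, written as an added example for this page rather than code from the original post or from any issuer: the Visa-style CVV/CVC derivation with the service code as one of its inputs, and the issuer-side check that an ICVV presented as a stripe CVV, or a CVV lifted from a stripe whose service code has been rewritten, fails recomputation. The CVK pair, the PAN and the expiry date are constructed test values, and the function names are the example’s own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// CVK (Card Verification Key) pair: constructed test values for this example,
// not real issuer keys. In production they only ever exist inside a payment HSM.
var (
	cvkA, _ = hex.DecodeString("0123456789ABCDEF")
	cvkB, _ = hex.DecodeString("FEDCBA9876543210")
)

// isDigits reports whether s is non-empty and consists only of ASCII digits.
func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// ComputeCVV derives a three-digit Visa-style CVV/CVC from the PAN, the expiry
// date (YYMM) and the service code under the CVK pair ka/kb. The chip's ICVV is
// the same calculation with the service code fixed at "999".
//   1. PAN || YYMM || service code, zero-padded on the right to 32 hex digits
//   2. single-DES encrypt the left 64-bit block under CVK-A
//   3. XOR the result with the right block
//   4. triple-DES (EDE, keys A, B, A) the XOR result
//   5. decimalise: the 0-9 digits of the 16-hex-digit output left to right, then
//      the A-F digits as 0-5; the first three digits are the CVV
func ComputeCVV(ka, kb []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	if !isDigits(pan) || len(pan) > 19 ||
		len(expiryYYMM) != 4 || !isDigits(expiryYYMM) ||
		len(serviceCode) != 3 || !isDigits(serviceCode) {
		return "", fmt.Errorf("invalid CVV input data")
	}
	data := pan + expiryYYMM + serviceCode
	data += strings.Repeat("0", 32-len(data)) // step 1
	buf, err := hex.DecodeString(data)        // 16 bytes: two 64-bit blocks
	if err != nil {
		return "", err
	}
	single, err := des.NewCipher(ka)
	if err != nil {
		return "", err
	}
	k3 := append(append(append([]byte{}, ka...), kb...), ka...)
	triple, err := des.NewTripleDESCipher(k3)
	if err != nil {
		return "", err
	}

	var tmp, out [8]byte
	single.Encrypt(tmp[:], buf[:8]) // step 2
	for i := range tmp {
		tmp[i] ^= buf[8+i] // step 3
	}
	triple.Encrypt(out[:], tmp[:]) // step 4

	hexOut := strings.ToUpper(hex.EncodeToString(out[:]))
	var digits strings.Builder // step 5
	for _, c := range hexOut {
		if c >= '0' && c <= '9' {
			digits.WriteRune(c)
		}
	}
	for _, c := range hexOut {
		if c >= 'A' && c <= 'F' {
			digits.WriteRune('0' + (c - 'A'))
		}
	}
	return digits.String()[:3], nil
}

// VerifyCVV is the issuer-side check: recompute from the data actually
// presented in the authorisation request, service code included, and compare.
func VerifyCVV(ka, kb []byte, pan, expiryYYMM, serviceCode, presented string) bool {
	expected, err := ComputeCVV(ka, kb, pan, expiryYYMM, serviceCode)
	return err == nil && expected == presented
}

func main() {
	pan, exp := "4000123456789017", "2012" // constructed sample card, not a real account
	cvv, _ := ComputeCVV(cvkA, cvkB, pan, exp, "201")  // stripe CVV; 2xx = chip present
	icvv, _ := ComputeCVV(cvkA, cvkB, pan, exp, "999") // chip ICVV; service code fixed at 999
	fmt.Printf("stripe CVV: %s  chip ICVV: %s  differ: %v\n", cvv, icvv, cvv != icvv)

	// Cloned stripe with the service code rewritten to 101 ("no chip") but the
	// original CVV: the issuer's recomputation no longer matches.
	fmt.Printf("SC rewritten to 101, original CVV verifies: %v\n",
		VerifyCVV(cvkA, cvkB, pan, exp, "101", cvv))
	// Stripe forged from chip data carries the ICVV, which is not the stripe CVV.
	fmt.Printf("stripe forged from chip data verifies: %v\n",
		VerifyCVV(cvkA, cvkB, pan, exp, "201", icvv))
}
```

The point for the authorisation system is in the last two checks: it must recompute the CVV from the service code as received, not the one it expects the card to carry, and an ICVV presented as a stripe CVV must fail the same way. An issuer that skips the recomputation, or that sets the chip’s value equal to the stripe’s, gets nothing from the distinction.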
Incidentally, on a related topic, my good friend Stephen Murdoch wrote an interesting piece about what are called “relay attacks” (or “ghost and leech” attacks) on contactless cards. I remember that a fair few years ago one of our clients had us build a ghost and leech system just to see if it would work. It did. But then everyone knew this. Here I am talking about it ten years ago:
David reinforced the feasibility of relay attacks against contactless systems and in the subsequent discussion, it seemed to me that people felt that serious fraudsters would begin investing in this soon, so the industry needs to take it seriously.
As it happens, fraudsters never did invest in it (because the contactless no-CVM limit of thirty quid makes it a very time-consuming and expensive way to steal not very much). Our clients did their risk analysis and decided that there was no need to fix it right away but maybe think about it longer term. One potential defence against this attack is based on timing and such a defence has now been defined by the EMV chaps. This is what is called (by MasterCard, since no-one else implements it yet) the “MasterCard Relay Resistance Protocol”. So, as Stephen says, as part of the transaction, the terminal sends a command to the card and measures how long it takes to respond. The response contains timing limits indicating how long it should take.
When the EMV cryptogram is generated using Combined Dynamic Data Authentication/Application Cryptogram Generation (CDA), the response also contains the same timing limits, but these are digitally signed. If they don’t match the limits received earlier, or if the timed command exceeds the limits, then the check has failed and the terminal needs to decline the transaction. To be honest, a fair few observers have pointed out that because these are hard-coded limits, any timing variance in genuine devices may cause more genuine transactions to be incorrectly declined than actual attacks to be caught. Plus it needs all terminals to be modified and all cards to be replaced or renewed, and as I noted earlier it’s MasterCard only, so it may not be widespread any time soon, and it’s at least worth wondering whether it will be universal before #cardmaggedon (the day when non-card electronic transactions exceed card transactions at retail point-of-sale).
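A simplified model of the terminal-side decision described above, added here as an example and not taken from the original post or from MasterCard’s kernel: the limits carried in the timed response are compared against the CDA-signed copy, and the measured round trip, less the card’s transmission estimate, against the card’s minimum and maximum. The struct and field names, the unit of hundreds of microseconds and the sample figures are assumptions; the real kernel adds its own transmission estimates, an accuracy threshold and retries before failing. The “genuine but slow device” case is the false-decline concern raised above.

```go
package main

import "fmt"

// RelayLimits are the timing values the card returns for the relay resistance
// check, modelled in the protocol's unit of hundreds of microseconds. The field
// names are this example's own, not the EMV tag names.
type RelayLimits struct {
	MinProcessing   uint32 // least time the card needs to process the timed command
	MaxProcessing   uint32 // most time the card needs to process it
	TransmissionEst uint32 // card's estimate of time spent on the wire (command + response)
}

// RelayVerdict is the terminal's decision and why it was reached.
type RelayVerdict struct {
	Accept         bool
	ProcessingTime uint32 // measured round trip minus the transmission estimate
	Reason         string
}

// CheckRelayResistance models the decision in the text: plain is the copy of the
// limits in the response to the timed command, signed the copy recovered from
// the CDA signature, elapsed the round trip the terminal measured. It is a
// simplification: the real kernel also applies its own transmission estimates,
// an accuracy threshold and up to two retries before failing.
func CheckRelayResistance(plain, signed RelayLimits, elapsed uint32) RelayVerdict {
	// A relay that inflates the plaintext limits to buy itself time is caught
	// here: the signed copy cannot be changed without the card's private key.
	if plain != signed {
		return RelayVerdict{false, 0, "limits in timed response differ from CDA-signed copy"}
	}
	var proc uint32
	if elapsed > plain.TransmissionEst {
		proc = elapsed - plain.TransmissionEst
	}
	switch {
	case proc > plain.MaxProcessing:
		return RelayVerdict{false, proc, "measured processing time exceeds card's maximum"}
	case proc < plain.MinProcessing:
		return RelayVerdict{false, proc, "measured processing time below card's minimum"}
	}
	return RelayVerdict{true, proc, "within limits"}
}

func main() {
	// Constructed card: needs 1 to 6 ms to process the command, estimates 4 ms on the wire.
	card := RelayLimits{MinProcessing: 10, MaxProcessing: 60, TransmissionEst: 40}
	cases := []struct {
		name          string
		plain, signed RelayLimits
		elapsed       uint32
	}{
		{"genuine card", card, card, 80},             // 4 ms processing
		{"relayed over a network", card, card, 200},  // 12 ms of relay latency added
		{"genuine but slow device", card, card, 110}, // over the hard-coded limit: false decline
		{"relay rewrote the limits", RelayLimits{10, 600, 40}, card, 200},
	}
	for _, c := range cases {
		v := CheckRelayResistance(c.plain, c.signed, c.elapsed)
		fmt.Printf("%-26s accept=%-5v processing=%3d x100us  %s\n", c.name, v.Accept, v.ProcessingTime, v.Reason)
	}
}
```

The two failure paths are deliberately separate: a relay can add latency it cannot hide, or it can try to rewrite the limits in the plaintext response, and the signed copy closes the second route. The slow-device case shows why the fixed limits worry people: the terminal cannot tell that delay from a relay.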
By the way, #cardmaggedon will be one of the topics covered in the discussions at this year’s Tomorrow’s Transactions Toronto Unconference to be held in the MaRS Discovery District on 29th September 2016. The post-card payments future will be the kick-off topic to get everyone thinking about where the world of retail payments might be going next. I look forward to seeing you all there.
Well, I’m back in America again and I can’t help but notice that the retail point-of-sale (POS) experience is getting weirder week by week. I’ll show you why in a moment, but first of all, just to remind you about the baseline, I should explain to foreigners that people here do have cards that have chips on. Lots of people do. They seem to hate them, but they have them.
The percent of cards with EMV chips grew by 10% from October 2015 to February 2016
So 56% of cards presented to merchants in the US now have a chip on them. That’s good news, but on a personal level I continue to find the payment environment utterly baffling. For example, here is me trying to use Apple Pay. I tapped my phone on the contactless reader and was told to insert my chip card (which, of course, I did not have – it was back at the hotel).
Later I happened to pop into Whole Foods, where my Apple Pay Amex worked absolutely fine, but I couldn’t help noticing the logos lined up along the bottom of the screen, showing Apple Pay, Android Pay and Samsung Pay as the equivalents (in acceptance terms) of Visa, MasterCard, Discover and Amex. I’m really curious to know what all this means to the average, normal shopper who doesn’t spend their whole life thinking about payments.
At home, paying is boring. You know exactly what to do. If the terminal is contactless, you tap and go. If it’s not contactless, you insert and enter your PIN. That’s it. In America, it’s a completely different experience.
Look at the terminal above, at a Starbucks. The clerk rang up my latte on the register, so I tapped my phone on the terminal (the screen was blank, but I assumed it was contactless). Nothing happened. The clerk told me that I have to use a card. So I took out my Simple chip and PIN debit card and inserted it in the reader (see picture). Nothing happened. The clerk tells me that the chip readers don’t work so I have to swipe it. So I take it out and swipe it, and it processes as a Visa signature debit transaction (which wastes Starbucks money and my time). It would have been quicker to go to the ATM in the lobby and draw out $20 (which would have cost me a $3 fee).
When you walk up to a POS here, there’s just no telling what might happen. It might be contactless with the contactless turned off, it might be chip with the chip turned off, it might be stripe only. You can’t tell by looking at the POS, so some of the merchants (like Barnes & Noble above) have started using post-its or duct tape to create artisan POS signage. And when you do tap, insert or swipe there’s no telling what might happen. Sometimes you have to sign, sometimes you enter a PIN, sometimes you are asked for a zip code (I used 90210, and it didn’t work). Sometimes you don’t have to do anything. It’s utterly confusing to me and I’m supposed to know about this stuff.
In the taxi, I paid with Apple Pay (after authorising with my fingerprint) and I still had to wait for a piece of paper to sign. I didn’t sign my real name, naturally. How is this all going to pan out (pun intended)? We went along to the NYPAY event “EMV 8 Months On” to find out. It turned out to be an absolutely super event, by the way. I thought the quality of the discussion and the debate was absolutely excellent. Without caricaturing, I would say that the retailers were pissed about the whole thing, and with some good reason. They are faced with the cost of upgrades (some of which are still useless because of lack of certification) and a massive increase in chargebacks (with “no redress” or whatever the networks call it – i.e., the merchant can’t dispute) because of non-compliance. Consumers and retailers are also annoyed by how long EMV transactions take and they are confused (as I am) by the terminal designs.
Our very own Simon Laker was on the panel as an EMV expert. He pointed out that his US chip and signature card worked faster in a terminal in Bogota than it did in a terminal in New York, so it doesn’t seem to be EMV itself that is responsible for annoying US consumers and merchants, but something in the way it has been implemented. I suppose this is the sort of thing that can happen to issuers, processors and acquirers who chose the wrong consultants to advise them on important investments, but that’s by the by. The evening involved an odd coincidence that bears reporting. Part of the panel discussion was about restaurants and the essence was that restaurants haven’t bothered to upgrade to chip and PIN because in America people are used to giving their cards to staff. The cards are whisked away and then returned some time later with a receipt to sign. So… later that evening a group of us were having dinner nearby and when it came time to pay I handed my (UK Amex) card to the waitress and she disappeared off. She came back a couple of minutes later and politely asked me to follow her…
She lured me into a gloomy recess and asked me to enter my PIN. The restaurant had just upgraded their POS to chip and PIN, but it was in a fixed position and the payment process had not changed. Everywhere else in the world, the waitress would have brought a terminal with a Bluetooth, wifi or mobile connection to the table for me to enter my PIN and my card would not have left my sight. America has a way to go it seems to me. The next day, we went to another restaurant for breakfast and I spotted a new POS terminal by the door on the way. I assumed that this was their new upgraded EMV Bluetooth mobile-ready quantum blockchain super POS, but I couldn’t figure out where to insert the card. I did like the large, clear PIN Entry Device (PED) though and I enjoyed the satisfying clunking noise that it made when you entered each digit of the PIN.
So great to see continuing innovation at POS in the Home of the Fee and the Land of the Brave. Meanwhile, I’m off down under to see what it’s like paying in a country where everyone uses contactless, never mind chip and PIN. The Land of the Wave, if you will.
American retailers have been lobbying the great and good to implement PIN for card transactions. We have chip and PIN, so we think this is nothing new. But note this is not what they are asking for. When it comes to chip and PIN, they are not that bothered about chip (after all, all transactions are online).
PIN is the most secure authentication technology currently available, and retailers should have the option to require PIN on credit and debit card transactions—the same protection provided at ATMs.
So, given a choice between chip and PIN, they choose PIN. And a lot of them already have PIN pads because of PIN debit. So: merchants want PIN, and they have PIN pads, so no problem and everyone’s happy. Well… not quite. Many of the American card issuers have decided to issue chip and signature cards. From the retailers’ perspective, this looks like the worst of both worlds. They have to buy a chip card reader but they still don’t get PINs. And, so far as the retailers are concerned, it is because banks want to maximise revenue.
A 2012 Food Marketing Institute report mapped out the revenue losses for signature-based transactions versus PIN-based transactions and found significant differences in profit. Per $1,000 in transactions, banks receive $14.20 in revenue from signatures, versus $6.70 from PINs—a difference of $7.50.
The upshot of all of this is that as of today the US banks are (bizarrely, to foreign viewers) issuing chip and signature cards, US customers are continuing to swipe (they don’t care about the liability shift) and US retailers are getting annoyed. Apart from anything else, their costs for chargebacks and for managing chargebacks are climbing.
Chargebacks for card-present transactions increased 50% following the Oct. 1 EMV liability shift,
You understand why this is, I assume. It’s because before 1st October, if you spotted a $3.95 charge at Starbucks on your statement and you knew that you couldn’t possibly have made that transaction, then you would call up your issuer and complain and they would just eat the charge because it would have been more trouble than it’s worth to go back to Starbucks, pull the receipt, check the signature if there was one etc etc. However, after 1st October, if you spot a bogus $3.95 charge on your account and call up, the issuer will check the transaction codes and, if you had a chip card but it was swiped by a merchant who didn’t have (or didn’t use) a chip reader, then the $3.95 is charged back to the merchant. The net result is — entirely as expected and as it should be — that merchants see big increases in card-present chargebacks as previously hidden magnetic stripe fraud is revealed and transferred to them.
A US colleague’s new credit cards. Not one is chip and PIN.
The retailers think, therefore, that chip and PIN has turned out to be a bit of a scam for transferring liability away from banks and on to them. A group of retailers have, in fact, just filed a lawsuit along these lines,
The 47-page complaint, filed Tuesday in U.S. District Court for the Northern District of California, comes just over five months after the liability shift took effect Oct. 1… The merchants, which are not yet ready for EMV, seek treble damages for what they claim are chargebacks and chargeback fees that have totalled more than $10,000 stemming from 88 chargebacks from Oct. 1 through Feb. 15. In the same period a year earlier, the merchants incurred only four chargebacks, the complaint says. The entire class of such merchants total hundreds of thousands of members that have incurred “billions of dollars” in chargebacks and fees since the shift took effect, according to the suit.
This might indicate that US merchants have completely missed the lessons from the EMV migrations that have occurred in every other region in the world over the last decade, but more than that the muddle suggests to me that the card networks’ hold over the retail point-of-sale may not be as firm as it seems. If you look at what’s going on with ApplePay and ChasePay, WalmartPay and wallets, it’s clear that not only are there competitors closing in on them, but that there are stakeholders who are heavily motivated to find customer-friendly alternatives. Bitcoin isn’t one, but there are plenty of other candidates, especially in Europe where the regulation is about to change to favour push payments and in-app payments (because they will have API access to payment accounts).
It’s clear that the pressure is building on what previously seemed to be the unshakeable redoubt of the four-party payment model. If the networks’ grip on the retail point-of-sale is loosening then there really is a payments revolution underway. Right now the increase in EMV chargebacks is simply revealing fraud costs that were previously hidden. As EMV does what it says it does and blocks face-to-face fraud, the fraudsters will move elsewhere: and that’s when we will see whether the nascent competition to the card networks has properly thought through its own risk models!
Saint Valentine, as I am sure you all know, is the patron saint of cardholder verification methods (CVMs). We celebrate St. Valentine’s Day on 14th February every year to commemorate the introduction of chip and PIN in the UK on 14th February 2006. I am a payments romantic, so this is a very special day.
Ah, St. Valentine’s Day. Very romantic. I woke up smelling the roses and wrote a poem from the heart, a caption for my Valentine’s Day card to Brian Rommele…
“Roses are red, violets are blue / chips are nice / and PINs are too”
Yes, lovely St. Valentine’s Day. Was it really a decade ago? That lovely day when we stopped pretending that anyone was looking at cardholders’ signatures on the backs of cards and instead mechanised the “computer says no” alternative. It really was! Ten whole years!
After what has been dubbed “chip and pin day”, consumers using chip and pin enabled cards will no longer be able to sign for their purchases.
We like heritage here in England. We still write our laws on vellum, we still say “what an interesting idea” when somebody says something that is transparently insane and we still use cards to buy things in shops. We cling to tradition. And chip and PIN is a tradition.
Tamper-resistant hardware (chips) is a good idea, but in terms of reducing fraud it is better authentication (PINs) that seems to make the difference (a US retailer told me that the fraud on swipe and sign cards is two orders of magnitude higher than on swipe and PIN cards). Now, in that bygone age when European retailers could not go online to verify PINs due to the anticompetitive pricing of the monopoly public telephone providers, we decided to put chips on the cards and verify the PIN locally. But this is 2016. We have smart phones and laser beams and space probes on a comet. If we want to spend a ton of money on introducing a new payment system today, would we really start with smart cards? Smart cards were invented a long time ago. So long ago, in fact, that I had hair.
And if that isn’t shocking enough, remember that this picture was taken years after the first smart card was patented. As Brian Rommele pointed out on this anniversary, EMV was out of date when it was introduced in the UK a decade ago, and not only because of the technology: but because it was a payment system optimised for face-to-face, offline transactions in a world that was moving to remote and online transactions.
By the time the UK implemented Chip & Pin, the base concept and much of the technology was already almost 40 years old.
Well, Brian is right about this, of course. But my brand spanking new chip card from a UK issuer not only arrived with a 2000s app of a 1990s implementation of a 1980s product (debit) on 1970s chip, it also came with a 1960s magnetic stripe on it and a 1950s PAN with a 1940s signature panel on the back. It’s no wonder it seems a little out of place in the modern world.
Early chip and PIN focus group.
The US will discover, as the UK did, that while EMV will put a temporary dent in card fraud, what it will really do is to displace card fraud from card-present to card-not-present channels and fraud will continue to rise. In order to put a lid on fraud, we have to implement two-factor authentication which, in the modern world, generally means the smart phone. So… why not just use the smart phone?
Well, this is what is going to happen and it is why I insist that tokenisation is, in the great scheme of things, more important than EMV cards. We are helping clients to put together their tokenisation infrastructure right now so we understand both the challenges and the opportunities. And if that’s true, and tokenisation is the way forward, then we might as well use EMV tokenisation (since it exists) and so EMV remains important, as does EMV Next Generation. But it is important to understand how the dynamic of competition will change as payments shift in-app. Introducing a new payment mechanism faces the well-known “two-sided market” problem: retailers won’t implement the new payment mechanism until lots of consumers use it, consumers won’t use it until they see lots of retailers accepting it. This gives EMV a huge lock-in, since the cost of adding new terminals is too great to justify speculative investment.
When you go in-app, however, the economics change vastly. For Tesco to accept Bitcoin in store is a big investment in terminals, staff training, management and so on. But for the Tesco app to accept Bitcoin is… nothing, really. Just a bit of software. However traditional we might be, the marginal cost of adding new payment mechanisms is falling and our industry needs to think about what that means. All I’m saying to the EMV industry (i.e., our customers) is that it’s time to start thinking about what might come next.
By the way, between us we came up with plenty more captions for our Valentine’s card to Brian. If you’ve got a better one, post it! I will think of a suitable prize for the winner…
Roses are light / violets dark / yes the card’s smart / it came with the Ark
Roses are red / violets are blue / chips are nice / and PINs are too
Roses are thick / violets are thin / stop your moaning / enter the PIN
Roses are nice / violets yuck / PIN always works / signatures suck
Roses grow high / violets stay low / chip and PIN rocks / signatures blow
Roses are lovely / so is wine / EMV won’t help / the fraud’s online
Roses are red / violets are blue / chip and PIN / won’t get us through
Roses are red / violets are not / chip and PIN snooze / tokens are hot
Roses are red / violets are blue / we’ve had it for years / now the Yanks have too
Roses are tall / violets are short / I remembered my PIN / here’s what I bought
Roses are out / violets are in / signing can’t fix it / for that you need PIN
It’s fair to say that Jeremy King of the PCI Security Standards Council and I do not always see eye to eye on things. In fact we’ve disagreed more than once (in public) about the usefulness of PCI-DSS. But I have to say that Jeremy is absolutely spot on here:
King says it will take years for the rollout of tokenization and end-to-end encryption to be completed. And once the U.S. migrates to EMV, “we will see a move of the fraud to card-not-present,” he says
I think that when you look at the big picture you can see that there is a problem brewing. It has taken so long to get to the position where the US is finally on board with the general concept of a shift to chip and PIN, even though most US consumers still do not have chip cards, that you can’t help but wonder whether the effort is going to be worth it. As Jeremy says, the shift to card-not-present fraud is about to accelerate and there’s not much that EMV can do about it. I saw the same point being made in another article a few days ago:
For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15% of credit card fraud in the United States.
As it happens, that’s not true, at least according to Aite Group, who put counterfeit and lost/stolen fraud, the frauds that should be tackled by EMV (or at least if EMV cards are issued with correct ICVV, correct service codes and no fallback at ATMs) at around half of all fraud.
In the United States, card-not-present fraud is already a big problem. In fact, it accounted for 45 percent of credit card fraud in 2014, followed by counterfeit card fraud (37 percent) and lost/stolen cards (14 percent).
Well whichever fraction it is you can see the issue. If the British patterns are anything to go by then the growth in card-not-present fraud will exceed the drop in card-present fraud and so the overall fraud rate will continue to rise. This is why I’ve said at a couple of recent events that I think that tokenisation is going to be more important than chip and PIN and I’d be curious as to your feedback on my three central arguments on this front!
First, tokenisation helps to reduce fraud in the fastest-growing areas, online and mobile. You can’t use a token outside of its defined domain and if you were able to steal a token out of my iPhone, you wouldn’t be able to use it in your iPhone.
Second, tokenisation could help to reduce fraud in card present environments if, as I anticipate, there is a shift towards in-app purchasing even in store. I can easily imagine standing in Tesco and paying using a Tesco app on my phone (using tokenisation) rather than by taking out a card and using it in the POS terminal in front of me.
Third, there are new things that we can do with tokenisation that we simply can’t do with the existing infrastructure. In addition to the “plain” token that the bank puts into my handset, it could load other tokens for a variety of useful purposes: I wrote before about the idea of issuing a stealth token for use in online dating, adult services and other privacy sensitive environments but you can also imagine tokens that are issued for specific purposes such as a campus, or just for a day, or just for a particular website. Given the significant investments that most of our clients have made in tokenisation infrastructure, the need to develop additional services on top of the infrastructure is pressing, so I expect to see innovation in that field.
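As an added example (this page’s own illustration, not any token service provider’s code), here is a toy token vault that enforces the domain restrictions the three arguments above rely on: a token is bound to one requestor, one channel, optionally one merchant and an expiry, so a token lifted from one handset is refused when presented from another, and a token issued for a day, for a campus or for a single website stops working outside that domain. The token format (a token BIN of 4999, random digits and a Luhn check digit), the field names and the sample PAN are assumptions; the cryptogram that a real token presentment also carries is left out.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TokenDomain is this example's model of domain restriction controls: requestor (one wallet on one handset, or one website), channel, optional merchant, expiry.
type TokenDomain struct {
	RequestorID string
	Channel     string    // e.g. "in-app", "ecommerce", "contactless"
	MerchantID  string    // empty means any merchant
	NotAfter    time.Time // zero means no expiry
}

// PresentmentContext is what the token service learns about an attempted use.
type PresentmentContext struct {
	RequestorID, Channel, MerchantID string
	At                               time.Time
}

type tokenRecord struct{ pan string; domain TokenDomain }

// TokenVault maps tokens back to PANs and enforces each token's domain (single-threaded here; a real vault is an HSM-backed service).
type TokenVault struct{ records map[string]tokenRecord }

func NewTokenVault() *TokenVault { return &TokenVault{records: map[string]tokenRecord{}} }

// luhnSum is the Luhn digit sum; doubleFromRight is set for a number with no check digit yet.
func luhnSum(digits string, doubleFromRight bool) int {
	sum, double := 0, doubleFromRight
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = 2*d - 9*(d/5) // double, and subtract 9 when that gives two digits
		}
		sum += d
		double = !double
	}
	return sum
}

// LuhnValid reports whether number is all digits and passes the Luhn check.
func LuhnValid(number string) bool {
	for _, c := range number {
		if c < '0' || c > '9' {
			return false
		}
	}
	return number != "" && luhnSum(number, false)%10 == 0
}

// Provision issues a format-preserving token for pan, restricted to d: token BIN "4999" (chosen for this example), 11 random digits and a Luhn check digit.
func (v *TokenVault) Provision(pan string, d TokenDomain) (string, error) {
	if !LuhnValid(pan) {
		return "", errors.New("PAN fails Luhn check")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(100000000000))
	if err != nil {
		return "", err
	}
	partial := fmt.Sprintf("4999%011d", n.Int64())
	token := partial + string(rune('0'+(10-luhnSum(partial, true)%10)%10))
	if _, taken := v.records[token]; taken {
		return "", errors.New("token collision, retry") // a vault must never reuse a token
	}
	v.records[token] = tokenRecord{pan: pan, domain: d}
	return token, nil
}

// Detokenise returns the PAN behind token only when the presentment matches the
// token's domain: a token lifted from one handset is useless from another.
func (v *TokenVault) Detokenise(token string, ctx PresentmentContext) (string, error) {
	rec, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	d := rec.domain
	switch {
	case ctx.RequestorID != d.RequestorID:
		return "", fmt.Errorf("token bound to requestor %q, presented by %q", d.RequestorID, ctx.RequestorID)
	case ctx.Channel != d.Channel:
		return "", fmt.Errorf("token restricted to %s, presented via %s", d.Channel, ctx.Channel)
	case d.MerchantID != "" && ctx.MerchantID != d.MerchantID:
		return "", errors.New("token restricted to another merchant")
	case !d.NotAfter.IsZero() && ctx.At.After(d.NotAfter):
		return "", errors.New("token expired")
	}
	return rec.pan, nil
}

func main() {
	vault, now := NewTokenVault(), time.Date(2016, 2, 14, 12, 0, 0, 0, time.UTC)
	tok, _ := vault.Provision("4000123456789017", TokenDomain{RequestorID: "wallet-on-handset-A", Channel: "in-app", NotAfter: now.AddDate(0, 0, 1)}) // constructed PAN
	_, errA := vault.Detokenise(tok, PresentmentContext{RequestorID: "wallet-on-handset-A", Channel: "in-app", At: now})
	_, errB := vault.Detokenise(tok, PresentmentContext{RequestorID: "wallet-on-handset-B", Channel: "in-app", At: now})
	fmt.Printf("token %s (Luhn valid: %v)\n handset A: %v\n handset B: %v\n", tok, LuhnValid(tok), errA, errB)
}
```

The token passes the same superficial checks as a PAN (length, Luhn), which is what lets it travel through existing acceptance infrastructure, but it maps back to the account only inside the vault and only when every domain control holds; that is what makes a stolen token worth so much less than a stolen PAN.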
In the long term, the ability to deliver and maintain consumer security and privacy through tokenisation will be a crucial function of banks. This is why I think my apparently outrageous claim that it is more important than chip and PIN is justified, but if you don’t agree I’d still love to hear from you.
Life must be very confusing for our American cousins at the moment. Well, confusing for our American cousins who pay any attention to the cards that show up in their mail, that is. My colleague Howard Hall just showed me the three most recent credit cards that US banks have sent to him in the quarter. They are all completely, and inexplicably, different.
I don’t know if you can see from the picture but the three cards are
- A chip and pin card that arrived as a replacement for the existing stripe card, but as yet no PIN seems to have arrived, so my colleague continues to use it as a signature card.
- A contactless card that doesn’t have a contact interface but does have a stripe and signature panel on the back.
- A signature card with no chip or contactless interface.
I don’t know, and I’d be curious to hear your opinions, but I would think that the average American consumer would be utterly confused by all of this and rather than read any of the paper that the bank sends in the mailers (which I’m sure they just toss straight in the bin) they will simply carry on using the cards as stripe and signature cards. Now, on the one hand this is a good thing because it means that they will carry on spending money and merchants will carry on selling things to them and life will continue much the same. But on the other hand, it doesn’t suggest that the use of chip and PIN in the American market will be on a hockey stick curve any time soon.
According to our survey:
- As of April 2015, only 18 percent of retailers in the U.S. have already implemented EMV payment technology
- 45 percent are poised to miss the October 2015 deadline
The survey reports in more detail on the retailers who are not doing anything about the deadline. There seems to be something of a lack of understanding about the liability shift and the technology.
- 25 percent do not understand the new rules
- 17 percent have never even heard (my italics) of EMV or chip-and-PIN
- 18 percent do not want to deal with the hassle or cost of switching payments hardware
Actually, I bet that plenty of the retailers who have already implemented EMV don’t understand the new rules either. Interestingly, the report on this survey goes on to say that:
As regulations shift toward a new kind of credit card, payment technology that gets rid of cards altogether (Apple Pay, Samsung Pay and Android Pay) is also taking hold of the industry.
This rather reinforces my train of thought and idle speculation which, as I mentioned last week, forces me to at least question the long-term role of EMV in the US. It also leads me, in turn, to wonder if this confusion might actually stimulate the transition to mobile since consumers will find the proposition from Apple, Google, Samsung and others far simpler: use your phone and your data will be secure, use your card in one of a number of mysterious and baffling ways and your data may or may not be at risk.
Maybe I’m not seeing things accurately as an occasional visitor, but there does seem to be a lack of co-ordination around migration in the USA. Perhaps someone could come into the comment section and let me know who is in charge of the chip and PIN migration there so that I can drop them an email with a few questions.