EMV is at the heart of global payment card processing. As a specification it governs the processing of billions of transactions globally, with the vast majority of those flowing through the international payment schemes. As a technology it has been incredibly successful, reducing fraud levels everywhere it’s been introduced and its extension into contactless payments is now the fastest growing area of face-to-face payments. The idea that EMV might soon be obsolescent seems far-fetched, to put it mildly, but there are reasons to believe that its hegemony is under threat.
Card issuing seems to be hot right now. Despite the rise of alternatives to card payments, many Fintech’s appear intent on adding payment cards to their product portfolios. And it is not just the “me too” start-up banks.
For example, some international remittance services are adding payment cards to their offerings. This allows customers to spend the money they receive directly but also means that customers do not withdraw funds immediately upon receipt. This extends the customer relationship adding value to both the customer and the Fintech.
As Consult Hyperion and many other analysts predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.
Fraudsters are always looking for ways to take advantage of potential weaknesses, or even inexperience, in new payment devices. A recent news story reported a man-in-the-middle attack in which two phones are used to relay and manipulate the transaction messages between a stolen contactless card and the point of sale terminal.
Another article, this time in American Banker, questions the rather odd trajectory of EMV in the USA. You’ll recall, I’m sure, that a number of international observers expressed surprise when (some time back) the banks over there decided to roll out chip and signature rather than chip and PIN or, indeed, chip and anything else (fingerprints, body odour or voice recognition). No-one seems to know why.
One reason banks offer for this choice is the presumed difficulty of remembering another PIN. Are we to think that Americans are not quite as capable as the British, Dutch or Canadians — all of whom managed to figure out a way to make the more secure Chip and PIN work?
Is that really it? That American card issuers think that Americans are too stupid to remember a four-digit PIN? That seems somewhat patronising to me. I wonder what the American government thinks about it? The FBI thinks that Americans can use a PIN. Or at least they did, before their CVM recommendation was mysteriously taken down.
The alert, which was removed from the FBI’s Internet Crime Complaint Center site on Oct. 9, noted: “When using the EMV card at a POS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card”… That recommendation left many of us scratching our heads because the vast majority of U.S. banks and credit unions have opted to roll out EMV as a chip-and-signature, not chip-and-PIN, transaction.
So. Checkpoint. What do we know? Well, we know that PIN is far more secure than signature (I remember being told by Walmart that fraud on PIN debit cards was 250 times less than fraud on signature debit cards). The US banks are going to the expense of issuing chip cards that will defend only against the particular fraud of card counterfeiting — although, to be fair, according to the Nilson Report, counterfeit card fraud losses to US issuers were something like a quarter of total world card fraud losses last year. But why not defend against other kinds of fraud (e.g., lost and stolen cards) by adding the PIN? Old chum David Poole says that the US is “stark raving mad” not to adopt PIN, on the basis of the latest fraud figures.
I was fascinated to read the latest fraud figures as reported in The Nilson Report this week. Worldwide card fraud is up 15% to $16b in 2014. Read that again – $16b that could potentially solve some austerity problems not to mention some poverty. I dare say many organisations would love to be reporting >15% top line revenue growth.
Let’s just put those figures in context. One of my favourite statistics last year, one that I often dropped into presentations, was that the US is a quarter of the world’s card volume but half of the world’s card fraud. Well, I’m afraid that statistic is no longer valid. On the basis of the latest figures, the US is now a fifth of the world’s card volume and half of the world’s card fraud. And remember, this is the cost to issuers. It does not take into account the costs to merchants or the police.
The USA accounted for 48% of these losses. But a very important detail should not be omitted; this figure is over only 21% of the purchase volume. While this globally represents 5.65 cents in every $100 spent, the USA has more than doubled that at 12.75c per $100, and over the last five years the figure has increased each year.
The US has a problem. Yet, to be frank, if you were inventing EMV today, in a world of smartphones and online and biometrics, then you almost certainly wouldn’t come up with chip and PIN. You’d probably use a combination of convenient authentication and back-office analysis. It would not be surprising to me if the US banks have thought about this and have no intention of going to chip and PIN for their domestic market because chip solves their biggest card present fraud category (counterfeit, which is about half of their losses in the US) and tokenisation is a better solution to the card not present fraud category (and pretty much everything else). The evidence for this is that they’ve gone to chip, but rather than spend hundreds of millions on upgrading ATM networks for PIN management, waiting for merchants to add PINpads and educating customers about looking after their PINs, they’ve instead spent the money on tokenisation infrastructure, assuming that the growth of mobile, especially in-app, will be a more effective means to tackle overall fraud.
So, what does this mean? Well, that’s what I’m hoping to find out at Money2020 in Las Vegas next week, where I am chairing the session on authentication. For most of our clients, where to invest next is a crucial strategic question. Do they assume that US consumers and merchants will get fed up with “chip and wait” pretty quickly and so develop an appetite for contactless that they lack in a “swipe and go” world? Do they assume that none of this matters because in-store, online and mobile will all converge on in-app solutions? Do they assume that clever use of tokenisation platforms will deliver new services over and above fraud reduction? Well, it’s probably all three, but I will be fascinated to discover the sentiment in the corridors of the Venetian and will, of course, report back.
The main reason for the switch to “chip and PIN” is, as we all know, to protect against fraud. But it only protects against one kind of card fraud and then it only protects completely if we do not allow magnetic stripes.
But the switch to EMV doesn’t necessarily protect against credit card numbers being stolen, Forrester says. And tokenization, a process that replaces sensitive cardholder information with a unique series of numbers used to identify customers, hasn’t been widely adopted in the U.S.
Here, I think, I might differ with Forrester. Yes, it is true that tokenisation has only been adopted for Apple Pay, Android Pay and (presumably) Samsung Pay. But the investments in tokenisation mean that it will spread and, what’s more, I firmly predict that mobile will displace other transactions at point of sale (POS), thus bringing tokenisation to the high street. But their main point holds. The dynamics of the fraud changes around chip and PIN introduction are well-known and the overall shape of the fraud curves will undoubtedly be the same in America since, as far as I know, there are no plans to take stripes off the cards or to start taking stripe readers out of stores.
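To make concrete why a stolen token is worth so much less to a fraudster than a stolen card number, here is an added illustration of the tokenisation model the paragraphs above discuss. It is example code written for this page, not Consult Hyperion’s, Forrester’s or any payment scheme’s software, and it simplifies the real EMV payment tokenisation design to three ideas: the vault is the only place the real PAN lives; each token is bound to a domain (the channel it may be presented in); and each use carries a per-transaction cryptogram computed with a key held by the wallet. The token range `990000`, the sample PAN `4111111111111111`, the domain names and the HMAC construction are all constructed for the example.

```python
"""Toy payment-token vault with domain restriction and per-transaction cryptograms.

Added illustration only; not the code of any real token service provider.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed token range for the example; not a real issuer or token BIN.
TOKEN_BIN = "990000"


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes `partial + digit` a valid number."""
    total = 0
    # Counting from the right of the complete number, the check digit is position 0,
    # so the rightmost digit of `partial` is position 1 and gets doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str
    domain: str                   # channel the token may be presented in, e.g. "mobile-pos"
    key: bytes                    # per-token key shared with the wallet that holds the token
    seen_counters: set = field(default_factory=set)   # replay protection


def make_cryptogram(key: bytes, token: str, amount_cents: int, counter: int) -> str:
    """Wallet side: bind this one use of the token to the amount and a fresh counter."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """The only component that ever sees the real PAN."""

    def __init__(self) -> None:
        self._records = {}

    def tokenise(self, pan: str, domain: str) -> Tuple[str, bytes]:
        """Issue a Luhn-valid, format-preserving token for `pan`, restricted to `domain`.

        Returns the token and the wallet key; the PAN itself never leaves the vault.
        """
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._records:
                break
        key = secrets.token_bytes(32)
        self._records[token] = TokenRecord(pan, domain, key)
        return token, key

    def authorise(self, token: str, domain: str, amount_cents: int,
                  counter: int, cryptogram: str) -> Optional[str]:
        """Return the PAN for onward authorisation, or None if anything does not line up."""
        rec = self._records.get(token)
        if rec is None or rec.domain != domain:
            return None            # unknown token, or token presented outside its channel
        if counter in rec.seen_counters:
            return None            # replay of a captured transaction
        expected = make_cryptogram(rec.key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None            # tampered amount, or a token copied without its key
        rec.seen_counters.add(counter)
        return rec.pan


def demo() -> dict:
    """Walk through the cases a breached merchant database would expose."""
    vault = TokenVault()
    token, key = vault.tokenise("4111111111111111", "mobile-pos")   # constructed test PAN
    good = make_cryptogram(key, token, 1999, 1)
    return {
        "genuine": vault.authorise(token, "mobile-pos", 1999, 1, good),
        "replay": vault.authorise(token, "mobile-pos", 1999, 1, good),
        "wrong_channel": vault.authorise(token, "ecommerce", 1999, 2,
                                         make_cryptogram(key, token, 1999, 2)),
        "tampered_amount": vault.authorise(token, "mobile-pos", 2999, 2,
                                           make_cryptogram(key, token, 1999, 2)),
        "token_is_luhn_valid": luhn_valid(token),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>20}: {outcome}")
```

The point of the three checks in `authorise` is the one the text makes in prose: a token harvested from a merchant (the Target scenario discussed later on this page) carries no PAN, cannot be used in a channel it was not issued for, and cannot be replayed even in the right channel without the wallet’s key and a fresh counter. A magnetic-stripe track or a bare card number offers none of those properties.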
It will reduce “card present” (CP) face-to-face and automatic vending fraud, but it will increase pressure on “card not present” (CNP) fraud.
[From Search Results CNP EMV]
Our experiences in the UK are that not only does CNP fraud increase as the bad guys chase the easy money but that, in time, the fraudsters become more imaginative about attacking chip and PIN as well, adopting a variety of strategies to obtain PINs.
As had been hoped, chip & PIN has reduced card fraud at POS. As had been expected, some of this fraud has been displaced into Card-Not-Present (CNP) channels to the extent that CNP now accounts for half of all fraud. Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.
[From Card fraud in the UK]
I wrote this back in 2007, when it was already clear that EMV was displacing fraud in this way. Then, back in 2013, I couldn’t help but look at the issue again in the context of the drive toward smart phone solutions.
Should the US use chip and PIN online? A few years ago, I thought this would be a good idea (in fact, I worked on a strategy for a US issuer looking at this around five years ago), but the window has been closing. In fact, as technology has moved on, I’d say it’s clear that this will now never happen. We’re not going to add smart card readers to our laptops or mobile phones and we’re not going to use chip and PIN cards in them to transact online. We’re going to use the smart phone instead.
[From Search Results CNP EMV]
Now, of course, we can all see that this is correct. Visa, Mastercard, Amex and Discover have delivered tokenisation into the marketplace and so, instead of using EMV online, we’re going to be using tokenisation. But there are people out there who are asking whether we really need to use EMV cards at all. As I mentioned above, why not use mobile phones and tokenisation everywhere? Why bother putting chip card readers or contactless readers in store? Why not just go in-app for everything and give the customer the same payment experience in store, online, on the phone and in any other channel?
Speaking at the CNP Expo in Orlando, Lee Jurgens from Ralph Lauren… said that the US should have skipped chip & PIN and gone straight to mobile because it is the more secure payment mechanism. He’s got a point, and there’s no point the industry pretending that he hasn’t.
Now, I can’t pretend to be unsympathetic to this perspective, having long maintained (based on the results of a number of different risk analysis projects carried out by my colleagues at Consult Hyperion) that mobile will be safer than cards, even after the shift to chip cards. Back in 2009, I said that:
Incidentally, while mobile is certainly underutilised in the fight against fraud, a situation that is beginning to be addressed, tacking mobile on to the end of “traditional” payments is a stopgap.
[From Window pain]
In other words, using mobile just for authentication doesn’t deliver all of the benefits, we need to use mobile to replace the card itself. For this reason, I was unsurprised to read Visa Inc’s Vice President of Risk Products, Stephanie Ericksen, recently quoted talking about PIN and saying:
“we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”
I am sure that what she means by “new technologies” is, for the foreseeable future at least, mobile phones, strong authentication and tokenisation. It seems to me that, because of the additional fraud prevention and detection possibilities afforded by the mobile phone, this might not just be an alternative to chip and PIN but a replacement for it, delivering better value to all of the stakeholders. And the payment schemes could certainly pass on the fraud and other savings in the form of incentives to merchants. The “card present” / “card not present” world will be replaced by the “cardholder is present” and “cardholder was present” world.
I expect to see a new V/MA rate tier for use of tokens in mobile. “Cardholder present” that will mean liability shift to bank and a rate reduction of around 10-25bps (in the US).
So just as the US is finally thinking about starting mass market EMV issuing, after equivocating for so many years, and if EMV really does have a “shorter shelf life”, is it time to start thinking the unthinkable and asking whether they should bother?
Technologically speaking, the credit card as we know it should have vanished long ago. It’s surely not got much longer.
It’s not often that someone telling me about an EMV fraud exploit makes me laugh out loud, so I got permission to share the story with you.
As we head back to Barcelona for Mobile World Congress again, there’s more talk about NFC and this time it’s not only coming from the operators.
In her state of the industry address at the GSMA NFC & Mobile Money Summit last fall in New York, GSMA Director General Anne Bouverot said that NFC is gaining traction globally, and it is certainly true that the number of handsets sold with NFC capabilities is steadily rising, even if most consumers neither know nor care that they have NFC. But it’s not just in phones: NFC is springing up in TVs, printers, cameras and all sorts of other consumer electronics. In our corner of the transaction treehouse, however, NFC means making contactless payments in retail environments. This hasn’t been going so well. As I said at the time, consumers can’t use NFC to ride the bus, which was my throwaway and prosaic benchmark of mass-market acceptability. But they might soon.
Madrid-based private bus operator Jiménez constellation is to introduce a new cloud-based NFC ticketing solution that allows Nexus 5 NFC phones to be used as contactless ticketing readers at a “fraction of the cost of traditional contactless reader infrastructures”. Ticktrack, developed by Spanish startup Aditium, uses host card emulation (HCE)…
Interesting. Something has changed. There were handsets out there. There were announcements all the time about pilots, trials and even live services. But somehow the technology was (and is, to be honest) struggling to gain traction, and every time Apple announces a new phone without NFC there is a plethora of articles about the death of NFC. If you do have a handset with NFC in it, let’s say one of the super new Samsung S4s, you can’t use it for much that is interesting. I can’t log in to my bank and load my credit card onto it, for example. All I can do with the NFC on my Android phone is use it as a slightly more convenient version of a QR code. Except in Canada, where I could download my Tim Hortons app and buy coffee with a tap.
Something has definitely changed. What? Well, here’s a framing of the problem that I often hear. The GSMA (and others) opted for an architecture that put the mobile operators in control. And there’s nothing wrong with that. The GSMA is the mobile operators. But — and let’s be frank, to move the sector forward — the banks and operators have found it difficult to work together. I don’t want to cause trouble, especially since Consult Hyperion advises both banks and operators, but I think we have to be honest and open up the discussions that everyone knows are going on behind closed doors.
These MNOs operate a TSM service and establish the trust. Technically perfect, but this is also the problem that gets things stuck. It has no technical issues; it is political. The banks just do not want the MNOs in their food chain.
Maybe. And there is certainly evidence from the marketplace that banks will go to some lengths in order to avoid having to deal with the MNOs. This is despite countless attempts to work together. Personally, I suspect that some of this is down to the sheer hassle of it as much as it is to deep-seated strategic aversion to the Single-Wire Protocol (SWP), but it is nonetheless an observable phenomenon.
Bank of China (Hong Kong) is to introduce a microSD card based NFC payments service before the end of the year… BOC e-Wallet will initially be available for the Samsung Galaxy S4 LTE, Galaxy S III LTE, Galaxy Note II LTE, Galaxy S4, Galaxy Note II, Galaxy S III and LG Optimus G Pro smartphones.
Phones such as the S4, as noted, already have NFC. So, you might wonder, why bother putting a microSD NFC card into a phone that already has it, if not to go around the MNO? This is the nub of the problem. In the complicated (but, let’s be clear, very secure) SIM-based SE model, the MNO calls the shots. And that has turned out to be a significant barrier to progress. It’s not impermeable: in some places (Canada and Australia spring to mind) where there are highly concentrated industries (i.e., a small number of big banks and a couple of dominant MNOs) and a determination to work together despite thin margins, there are now multiple handsets and multiple banks with functioning implementations in the market.
So what has changed? Why are the Canadian coffee chain and the Spanish bus company investing in NFC? Well, the most interesting case study from Mobile World Congress last year was, as I have said before, BankInter in Spain. They launched what we called at the time a “NOSE” (NO Secure Element) payment service that uses tokenization to shift the risk analysis balance away from SE levels of security. The reason why this was such an interesting case study was that BankInter own an MNO. When you own an MNO, and still find it too much hassle to launch a SIM-based NFC payment service, that has to tell you something about the chosen model. Last year I called it an earthquake, and I stand by that.
Technically, what they did was to use a version of Android that had Host Card Emulation (HCE). At a high level, this means that the handset can pretend to be a payment card rather than having to have the SIM involved. When Google announced last year that HCE would become part of Android and that there would be no need to patch any more, a lot of people suddenly regained interest in the technology. The responses to this technology change have been very interesting indeed, as they seem to indicate considerable latent demand for a technology that we were being told was finished.
“With the entry of HCE we are free”
It wasn’t the technology that was the problem, it was the business model. Having previously criticised the SIM-centric model (with genuine integrity and, I think experience has shown, real cause), I stand in testament to the GSMA’s commitment to explore different views on this important topic and I am delighted to be able to confirm that I will be giving part of the breakfast briefing on “HCE: NFC Threat or Opportunity” at the Mobile World Congress in Barcelona on Wednesday 26th February at 8.30am. I am genuinely looking forward to this as I personally think that there is an opportunity for mobile operators to use HCE to revitalise NFC in the mass market and, along with BLE, find new and more flexible business models that will make sense to financial services and other sectors. I expect to learn a lot from my fellow panelists and I look forward to seeing you all there.
How exactly does switching to the “chip and PIN” system used everywhere else in the world (except North Korea, I’m told) stop the kind of thing that’s been going on at Target?
The Target breach will encourage the US to adopt EMV, but it’s not a magic bullet. However, the breach may have wider implications for the future of retail transactions than EMV adoption.