Here at Consult Hyperion, we are often involved in the design, implementation and testing of secure systems on devices such as smart cards and mobile phones for payments, banking and other applications where security is critical.
Saint Valentine, as I am sure you all know, is the patron saint of customer verification methods (CVMs). We celebrate St. Valentine’s Day on 14th February every year to commemorate the introduction of chip and PIN in the UK on 14th February 2006. I am a payments romantic, so this is a very special day.
Ah, St. Valentine’s Day. Very romantic. I woke up smelling the roses and wrote a poem from the heart, a caption for my Valentine’s Day card to Brian Rommele…
“Roses are red, violets are blue / chips are nice / and PINs are too”
Yes, lovely St. Valentine’s Day. Was it really a decade ago? That lovely day when we stopped pretending that anyone was looking at cardholders’ signatures on the backs of cards and instead mechanised the “computer says no” alternative. It really was! Ten whole years!
After what has been dubbed “chip and pin day”, consumers using chip and pin enabled cards will no longer be able to sign for their purchases.
We like heritage here in England. We still write our laws on vellum, we still say “what an interesting idea” when somebody says something that is transparently insane and we still use cards to buy things in shops. We cling to tradition. And chip and PIN is a tradition.
Tamper-resistant hardware (chips) is a good idea, but in terms of reducing fraud it is better authentication (PINs) that seems to make the difference (a US retailer told me that the fraud on swipe and sign cards is two orders of magnitude higher than on swipe and PIN cards). Now, in that bygone age when European retailers could not go online to verify PINs due to the anticompetitive pricing of the monopoly public telephone providers, we decided to put chips on the cards and verify the PIN locally. But this is 2016. We have smart phones and laser beams and space probes on a comet. If we want to spend a ton of money on introducing a new payment system today, would we really start with smart cards? Smart cards were invented a long time ago. So long ago, in fact, that I had hair.
And if that isn’t shocking enough, remember that this picture was taken years after the first smart card was patented. As Brian Rommele pointed out on this anniversary, EMV was out of date when it was introduced in the UK a decade ago, not only because of the technology but because it was a payment system optimised for face-to-face, offline transactions in a world that was moving to remote and online transactions.
By the time the UK implemented Chip & Pin, the base concept and much of the technology was already almost 40 years old.
Well, Brian is right about this, of course. But my brand spanking new chip card from a UK issuer not only arrived with a 2000s app of a 1990s implementation of a 1980s product (debit) on 1970s chip, it also came with a 1960s magnetic stripe on it and a 1950s PAN with a 1940s signature panel on the back. It’s no wonder it seems a little out of place in the modern world.
Early chip and PIN focus group.
The US will discover, as the UK did, that while EMV will put a temporary dent in card fraud, what it will really do is to displace card fraud from card-present to card-not-present channels and fraud will continue to rise. In order to put a lid on fraud, we have to implement two-factor authentication which, in the modern world, generally means the smart phone. So… why not just use the smart phone?
Well, this is what is going to happen and it is why I insist that tokenisation is, in the great scheme of things, more important than EMV cards. We are helping clients to put together their tokenisation infrastructure right now so we understand both the challenges and the opportunities. And if that’s true, and tokenisation is the way forward, then we might as well use EMV tokenisation (since it exists) and so EMV remains important, as does EMV Next Generation. But it is important to understand how the dynamic of competition will change as payments shift in-app. Introducing a new payment mechanism faces the well-known “two-sided market” problem: retailers won’t implement the new payment mechanism until lots of consumers use it, consumers won’t use it until they see lots of retailers accepting it. This gives EMV a huge lock-in, since the cost of adding new terminals is too great to justify speculative investment.
When you go in-app, however, the economics change vastly. For Tesco to accept Bitcoin in store is a big investment in terminals, staff training, management and so on. But for the Tesco app to accept Bitcoin is… nothing, really. Just a bit of software. However traditional we might be, the marginal cost of adding new payment mechanisms is falling and our industry needs to think about what that means. All I’m saying to the EMV industry (i.e., our customers) is that it’s time to start thinking about what might come next.
By the way, between us we came up with plenty more captions for our Valentine’s card to Brian. If you’ve got a better one, post it! I will think of a suitable prize for the winner…
Roses are light / violets dark / yes the card’s smart / it came with the Ark
Roses are red / violets are blue / chips are nice / and PINs are too
Roses are thick / violets are thin / stop your moaning / enter the PIN
Roses are nice / violets yuck / PIN always works / signatures suck
Roses grow high / violets stay low / chip and PIN rocks / signatures blow
Roses are lovely / so is wine / EMV won’t help / the fraud’s online
Roses are red / violets are blue / chip and PIN / won’t get us through
Roses are red / violets are not / chip and PIN snooze / tokens are hot
Roses are red / violets are blue / we’ve had it for years / now the Yanks have too
Roses are tall / violets are short / I remembered my PIN / here’s what I bought
Roses are out / violets are in / signing can’t fix it / for that you need PIN