It’s EMV day in the USA! So what?

It’s fair to say that Jeremy King of the PCI Security Standards Council and I do not always see eye to eye on things. In fact we’ve disagreed more than once (in public) about the usefulness of PCI-DSS. But I have to say that Jeremy is absolutely spot on here:

King says it will take years for the rollout of tokenization and end-to-end encryption to be completed. And once the U.S. migrates to EMV, “we will see a move of the fraud to card-not-present,” he says.

[From How EMV Could Affect Role of PCI-DSS – BankInfoSecurity]

I think that when you look at the big picture you can see that there is a problem brewing. It has taken so long to get to the position where the US is finally on board with the general concept of a shift to chip and PIN, even though most US consumers still do not have chip cards, that you can’t help but wonder whether the effort is going to be worth it. As Jeremy says, the shift to card-not-present fraud is about to accelerate and there’s not much that EMV can do about it. I saw the same point being made in another article a few days ago:

For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15% of credit card fraud in the United States.

[From EMV’s the 15% Solution for Card Fraud | PaymentsSource]

As it happens, that’s not true, at least according to Aite Group, who put counterfeit and lost/stolen fraud, the frauds that should be tackled by EMV (or at least if EMV cards are issued with correct ICVV, correct service codes and no fallback at ATMs) at around half of all fraud.

In the United States, card-not-present fraud is already a big problem. In fact, it accounted for 45 percent of credit card fraud in 2014, followed by counterfeit card fraud (37 percent) and lost/stolen cards (14 percent).

[From Credit card fraud and ID theft statistics – NASDAQ.com]

Well whichever fraction it is you can see the issue. If the British patterns are anything to go by then the growth in card-not-present fraud will exceed the drop in card-present fraud and so the overall fraud rate will continue to rise. This is why I’ve said at a couple of recent events that I think that tokenisation is going to be more important than chip and PIN and I’d be curious as to your feedback on my three central arguments on this front!

Tokenisation Triptych

First, tokenisation helps to reduce fraud in the fastest-growing areas, online and mobile. You can’t use a token outside of its defined domain and if you were able to steal a token out of my iPhone, you wouldn’t be able to use it in your iPhone.

Second, tokenisation could help to reduce fraud in card present environments if, as I anticipate, there is a shift towards in-app purchasing even in store. I can easily imagine standing in Tesco and paying using a Tesco app on my phone (using tokenisation) rather than by taking out a card and using it in the POS terminal in front of me.

Third, there are new things that we can do with tokenisation that we simply can’t do with the existing infrastructure. In addition to the “plain” token that the bank puts into my handset, it could load other tokens for a variety of useful purposes: I wrote before about the idea of issuing a stealth token for use in online dating, adult services and other privacy sensitive environments but you can also imagine tokens that are issued for specific purposes such as a campus, or just for a day, or just for a particular website. Given the significant investments that most of our clients have made in tokenisation infrastructure, the need to develop additional services on top of the infrastructure is pressing, so I expect to see innovation in that field.

In the long term, the ability to deliver and maintain consumer security and privacy through tokenisation will be a crucial function of banks. This is why I think my apparently outrageous claim that it is more important than chip and PIN is justified, but if you don’t agree I’d still love to hear from you. 

Trusted tryst tokens

Well. I can’t not write something about the Ashley Madison hack. Massive data breaches that spew people’s credit card information all over the Internet are one thing and I’d sort of given up paying any attention to them. After all, if someone gets hold of my credit card information and uses it to make unauthorised charges against my account, then it’s the bank’s problem and not mine so I don’t really care. That’s the whole point of using credit cards, that it’s not your problem.

But this is different. We’ve all had fun with the story on Twitter, but it’s really no laughing matter. Some people’s lives are going to be made a misery because of this. It’s all very well to take the moral high ground and say that people shouldn’t have registered for the site in the first place but that misses the point. The 28 million men and five million women who registered their sensitive personal details at the site were acting legally and I imagine that they thought they had a reasonable expectation of privacy. It doesn’t seem to be hyperbole to say that someone might well die because of this personal data Chernobyl.

So what should be done? There are really two quite distinct problems here. There is the problem of online payment and then there is the problem of online identity. I haven’t actually registered for Ashley Madison (although somebody else did, using my email address, which is why I periodically get emails asking me if I’m interested in women in Birmingham – see below) but I imagine that they use the credit card information for two purposes: one of which is to establish who you are and that you are over 18, and the other of which is to collect money from you. Note the pernicious interrelationship between the two use cases: using the credit card information to prove who you are means that you are giving Ashley Madison your name and address, which is really none of their business, and that if anything happens to breach their undoubtedly impressive security procedures, your real name and address could be disclosed.

[Image: ashleymadison]

Is there some insurmountable technological barrier to delivering security and privacy to people? I don’t think so. Emma Lindley, who knows what she is talking about (you can hear my podcast with her here) says that we know what the solution to this problem is, and she is right.

We’re finding that cryptography enabled personal digital identities will increasingly become the answer to this endemic data breach problem

[From Hacked Off? | Emma Lindley | LinkedIn]

You can do things with digital identities that you can’t do with physical identities. One such thing is partial disclosure: you can prove that you are over 18, for example, without disclosing your age. There are well-known and well-understood techniques that mean that I can prove to Ashley Madison that I am male, resident in the UK, over 18, solvent and known to the authorities without having to give Ashley Madison my name and address. So why don’t we use them? This is a really interesting case of a problem that we know how to fix but don’t because the co-ordination problems are too great. Other than the Apple sheepdog coming along to corral the stakeholders, I’m out of ideas.
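The partial-disclosure idea above can be shown in a few dozen lines. What follows is an added illustration written for this post, not code from Consult Hyperion, Emma Lindley or any identity scheme: the bank issues a credential as a list of salted hash commitments, one per attribute, and signs the list; the holder later opens only the attributes they choose (here country, over-18 and solvency) and the relying party verifies those openings against the signed list without ever seeing the name or address. Two assumptions are labelled in the code: an HMAC under a key the verifier also holds stands in for the bank’s digital signature, and “over 18” is asserted by the issuer as a yes/no attribute rather than derived from a date of birth, which is what keeps the age itself hidden.

```python
"""Hash-commitment selective disclosure, in the style of SD-JWT.
Added example for this post; not any bank's or identity provider's code.
All keys and attribute values below are constructed sample data."""
import hashlib
import hmac
import json
import secrets

# ASSUMPTION: a shared key stands in for the bank's asymmetric signing key.
# In a real deployment the issuer signs and the relying party verifies with a public key.
ISSUER_KEY = secrets.token_bytes(32)


def _commit(salt: bytes, name: str, value) -> str:
    """Salted commitment to one attribute; the salt keeps guessable values (True/'UK') unguessable."""
    return hashlib.sha256(salt + f"{name}={json.dumps(value)}".encode()).hexdigest()


def _sign(commitments, issuer_key: bytes) -> str:
    return hmac.new(issuer_key, json.dumps(commitments).encode(), hashlib.sha256).hexdigest()


def issue_credential(attributes: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer (the bank): commit to every attribute, sign the list of commitments.
    Returns the signed credential plus the private openings the holder keeps."""
    openings, commitments = {}, []
    for name, value in sorted(attributes.items()):
        salt = secrets.token_bytes(16)
        openings[name] = (salt.hex(), value)
        commitments.append(_commit(salt, name, value))
    signed = {"commitments": commitments, "sig": _sign(commitments, issuer_key)}
    return signed, openings


def present(signed: dict, openings: dict, disclose) -> dict:
    """Holder: hand over the signed list plus openings for the chosen attributes only."""
    return {"signed": signed, "disclosed": {n: openings[n] for n in disclose}}


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY):
    """Relying party: check the issuer signature, then that each disclosed value
    opens one of the signed commitments. Returns the verified attributes or None."""
    signed = presentation["signed"]
    expected = _sign(signed["commitments"], issuer_key)
    if not hmac.compare_digest(expected, signed["sig"]):
        return None
    verified = {}
    for name, (salt_hex, value) in presentation["disclosed"].items():
        if _commit(bytes.fromhex(salt_hex), name, value) not in signed["commitments"]:
            return None  # value does not match what the issuer committed to
        verified[name] = value
    return verified


def demo() -> dict:
    # Constructed sample attributes; the bank knows all of them.
    attrs = {"name": "A. Customer", "address": "1 High St, Birmingham",
             "country": "UK", "over_18": True, "solvent": True}
    signed, openings = issue_credential(attrs)
    # Honest presentation: three attributes disclosed, name and address withheld.
    honest = present(signed, openings, ["country", "over_18", "solvent"])
    # Tampering: a holder whose credential says over_18=False claims True.
    minor_signed, minor_open = issue_credential({**attrs, "over_18": False})
    tampered = present(minor_signed,
                       {**minor_open, "over_18": (minor_open["over_18"][0], True)},
                       ["over_18"])
    # Forgery: a credential issued under a key that is not the bank's.
    forged_signed, forged_open = issue_credential(attrs, issuer_key=secrets.token_bytes(32))
    forged = present(forged_signed, forged_open, ["over_18"])
    return {"verified": verify(honest), "tampered": verify(tampered), "forged": verify(forged)}


if __name__ == "__main__":
    print(demo())
```

One caveat worth seeing in the code: the signed commitment list is identical every time this credential is presented, so two relying parties comparing notes could link the presentations even though neither learned the name. Unlinkable presentations need either a fresh credential per relying party (the identity analogue of the stealth token discussed later) or a zero-knowledge scheme.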

I did see a tweet from Marc Andreessen, who you have to take pretty seriously on this stuff, saying that the Ashley Madison hack would stimulate the use of Bitcoin in order to reduce the privacy consequences of such a hack, but I disagree. You could pay Ashley Madison using Bitcoin but you would still have to give them your credit card details in order to prove that you are a real person and over 18. Or give them a photo of your driver’s license or whatever. Solving the payment problem doesn’t solve the identity problem.

Wait. Maybe the Apple sheepdog is going to fix it.

Now, think what will happen at Ashley Madison in an Apple Pay world. You pay online at Ashley Madison using Apple Pay on the web. So you enter your pseudonymous Apple e-mail address and your Apple Wallet pops up on the phone and you put your thumb on the scanner and… done. Instead of getting your real credit card number, Ashley Madison get a token. The bank has implicitly tokenised certain of your personal details in the same way that they tokenised your credit card details. So, Barclaycard can give me a token that says I have a Barclaycard in the UK, and therefore must be over 18, and therefore Barclaycard know who I am, and therefore Ashley Madison don’t need to know who I am, and therefore provided that I can strongly authenticate to prove ownership of the token, there is no need for any of my personal details to be stored at Ashley Madison. All they need is a pseudonymous email address and that’s that.


Well, sort of. I happened to be leafing through the new MasterCard “Card on File Tokenisation Specification Enhancement” details and I was reminded that the EMV tokenisation standard is being amended to include a unique ID that will be the same for all of the tokens relating to a particular account. So I may not know who you are from your token details saved at Ashley Madison, but if I can see that same Payment Account Reference (PAR) is used at another retailer where it is matched against your name (or something that could lead to your name) then you could still be compromised.


A clever solution (and value-added service) for banks to offer would be a Stealth Token as an Apple Pay option so that I can load a token that only the bank can connect to my actual credit card. A Stealth Token could be issued for debit cards too, but only for over-18s. The Stealth Token would zero out the last four digits of the actual PAN and also zero out the PAR. With a Stealth Token, consumers could use Apple Pay or Samsung Pay or Google Pay to purchase adult services (or any other services that they would not want to be linked with – a subscription to the Daily Mail, for example, or online Bingo) safely and securely, in the knowledge that even the merchant would have no idea of their “real” identity (i.e., the account behind the Stealth Token).


Most importantly, the legal liability for non-disclosure of the account behind the Stealth Token (except under presentation of a valid warrant) would rest fairly and squarely with the regulated entity actually able to protect the data: the bank. Would I pay a little extra for a Stealth Token? I certainly would, and I bet a lot of other people would too.

The Ashley Madison example shows how interrelated innovation in money and identity could be (but currently isn’t) used to deliver both more security and more privacy online.
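Three of the claims in this post can be checked against a toy model: the Triptych’s point that a token cannot be used outside its domain or on a device that lacks its key, the Payment Account Reference (PAR) linkage problem raised in the MasterCard discussion, and the Stealth Token that zeroes the PAR and last four digits. The code below is an added example for this post and is not any scheme’s, TSP’s or Consult Hyperion’s code. Its assumptions: an HMAC over token number, domain and amount stands in for the EMV token cryptogram; the PAR is derived here as a truncated hash of the PAN purely so the model has one stable value per account; and the two merchant databases are constructed sample data.

```python
"""Toy payment tokenisation model: domain/device binding, PAR linkage,
and a stealth token that strips the linkable fields.
Added example for this post; not code from any card scheme or token service
provider. PANs, keys, merchants and identifiers are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    token_pan: str   # surrogate number the merchant or device holds
    domain: str      # where the token may be used, e.g. "device:iphone-A"
    last4: str       # last four digits of the real PAN ("0000" for stealth)
    par: str         # Payment Account Reference ("" for stealth)
    key: bytes       # per-token key; on a phone this would sit in the secure element


def cryptogram_for(key: bytes, token_pan: str, domain: str, amount: str) -> str:
    """ASSUMPTION: HMAC stands in for the scheme's token cryptogram."""
    return hmac.new(key, f"{token_pan}|{domain}|{amount}".encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Token -> real account mapping. Only the issuer / token service provider sees it."""

    def __init__(self):
        self._tokens = {}
        self._par_by_pan = {}

    def par_for(self, pan: str) -> str:
        # ASSUMPTION: one stable PAR per account, modelled as a truncated hash.
        if pan not in self._par_by_pan:
            self._par_by_pan[pan] = hashlib.sha256(b"par|" + pan.encode()).hexdigest()[:29]
        return self._par_by_pan[pan]

    def issue(self, pan: str, domain: str, stealth: bool = False) -> Token:
        token_pan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        t = Token(token_pan=token_pan, domain=domain,
                  last4="0000" if stealth else pan[-4:],
                  par="" if stealth else self.par_for(pan),
                  key=secrets.token_bytes(32))
        self._tokens[token_pan] = (pan, t)
        return t

    def authorise(self, token_pan: str, domain: str, amount: str, cryptogram: str):
        """Detokenise, enforce the domain restriction, check the cryptogram."""
        if token_pan not in self._tokens:
            return False, "unknown token"
        pan, t = self._tokens[token_pan]
        if domain != t.domain:
            return False, "domain mismatch"
        expected = cryptogram_for(t.key, token_pan, domain, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        return True, f"charged account ending {pan[-4:]}"


def link_by_par(pseudonymous_db, named_db) -> dict:
    """The cross-merchant join the post warns about: carry a name from a merchant
    that holds it to a pseudonymous account elsewhere, via the shared PAR.
    Stealth tokens carry an empty PAR and so never join."""
    by_par = {r["par"]: r for r in named_db if r["par"]}
    return {r["pseudonym"]: by_par[r["par"]]["name"]
            for r in pseudonymous_db if r["par"] and r["par"] in by_par}


def demo() -> dict:
    vault = TokenVault()
    real_pan = "4111111111111111"  # constructed sample PAN
    t_phone = vault.issue(real_pan, "device:iphone-A")
    t_tryst = vault.issue(real_pan, "merchant:tryst.example")
    t_stealth = vault.issue(real_pan, "merchant:tryst.example", stealth=True)
    t_grocer = vault.issue(real_pan, "merchant:grocer.example")
    r = {}
    # 1. Genuine use on the device the token was provisioned to.
    c = cryptogram_for(t_phone.key, t_phone.token_pan, t_phone.domain, "12.50")
    r["own_device"] = vault.authorise(t_phone.token_pan, t_phone.domain, "12.50", c)[0]
    # 2. Token number copied to another phone: that phone has no key for it.
    c = cryptogram_for(secrets.token_bytes(32), t_phone.token_pan, t_phone.domain, "12.50")
    r["other_device"] = vault.authorise(t_phone.token_pan, t_phone.domain, "12.50", c)[0]
    # 3. Card-on-file token for one merchant presented at another: domain restriction.
    c = cryptogram_for(t_tryst.key, t_tryst.token_pan, "merchant:grocer.example", "12.50")
    r["other_domain"] = vault.authorise(t_tryst.token_pan, "merchant:grocer.example", "12.50", c)[0]
    # 4. The stealth token still pays normally.
    c = cryptogram_for(t_stealth.key, t_stealth.token_pan, t_stealth.domain, "12.50")
    r["stealth_pays"] = vault.authorise(t_stealth.token_pan, t_stealth.domain, "12.50", c)[0]
    # 5. PAR linkage across two merchants' card-on-file records (constructed data).
    tryst_db = [{"pseudonym": "user123@icloud.example", "par": t_tryst.par, "last4": t_tryst.last4},
                {"pseudonym": "user456@icloud.example", "par": t_stealth.par, "last4": t_stealth.last4}]
    grocer_db = [{"name": "A. Customer", "par": t_grocer.par, "last4": t_grocer.last4}]
    r["linked"] = link_by_par(tryst_db, grocer_db)
    return r


if __name__ == "__main__":
    print(demo())
```

The ordinary token at the pseudonymous merchant joins to the grocer’s named record because both tokens share the account’s PAR; the stealth token, with PAR and last four zeroed, does not, yet it still authorises, which is exactly the property the post asks banks to sell.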

App and pay is where it’s at

A few weeks ago, I said that Apple Pay isn’t disruptive (for retail payments) and I made the point that its real impact will be “in-app”. I want to explore and emphasise this point in the light of more recent developments. Specifically…

The big news is that it will expand to the UK market next month

[From Apple Pay to be available in UK – Business Insider]

Apple Pay is coming to the UK. Now, when Apple Pay was first announced in the USA, our basic analysis of it for our clients was that it was an incredibly important development in the payment world, but not because of the use of the NFC. The fact that Apple had decided to use tokenisation, we told people, makes tokenisation as big a deal as chip and PIN. It will change the way business gets done, because it brings chip and PIN security to online and mobile transactions. In fact, I bored a number of people on this topic, to the point where it became part of my spoof write-up of Money2020 in Las Vegas last year:

“Well, for the big merchants it’s not about tap-and-pay it’s about app-and-pay” he told Osama Bedier from Poynt.

[From Casino Royale-with-Cheese, Part 7]

At the end of the year, we made “in-app” one of our “live five” areas for our clients to explore in 2015 (along with the blockchain, as it happens) and started trying to persuade people to pay attention to it as an area of massive opportunity.

Much of the discussion around ApplePay, tokenisation, NFC and retail has naturally focused on the “tap and pay” simplicity of the proposition. However, there are lots of reasons for thinking that this will be a sideshow rather than the main event.

[From Live Five for Fifteen]

The good people of the GSMA invited me to Mobile World Congress in Barcelona earlier in the year to explain this point to a general audience, where I predicted that tokenisation would accelerate a shift away from the check out and the conventional POS terminal as the nexus between the consumer and the merchant drifts away from physical space and into the mobile phone.

while much of the talk at the Congress was about what I’ve previously called the “last millimetre” using NFC, RFID (and now Loop) to link the phone to the point of sale (POS) in the store, the really disruptive impact of the Apple Pay, tokenisation and strong authentication via mobile would be away from the “traditional” POS because bringing chip-and-PIN levels of security and convenience to in-app transactions will change the way that we pay pretty quickly.

[From In-app and on-message in Barcelona]

I made exactly this point again a couple of weeks ago, when I was interviewed by the BBC in connection with the UK Apple Pay launch [audio, starts at 30 minutes in]. On the whole, I think, Consult Hyperion got a consistent message out to our clients and then to the wider marketplace. But is it the right message?

It is. I was interested to note some comments by people far more important and influential than I, comments that might be taken to mean that I may have perhaps been too conservative in my proclamations, around the announcement of Apple coming to the UK.

John Collison, one of the cofounders of $3.5 billion (£2.25 billion) payment processing startup Stripe, says this feature, not the contactless mobile payments, is getting businesses most excited… John Lunn, senior global director for the mobile-payment company Braintree, which was bought by Paypal for $800 million (£512.18 million) in 2013, also thinks Apple Pay’s in-app element is the most exciting thing about it.

[From Apple Pay in-app purchase power could be its most important feature, say Stripe, Braintree – Business Insider]

Well, when people like John Lunn, who I can personally testify is a very smart guy, go on to say that “everybody’s talking about the in-store stuff, but actually when you look at the presentation when they launched it, the merchants that were sitting behind Tim Cook were online”, I think that tells us the direction of travel pretty accurately.

As my colleague Tim Richards pointed out earlier in the week, tokenisation is a really big deal. App-and-pay changes industry dynamics in a way that tap-and-pay does not.

Thinking the unthinkable about EMV in the USA

The main reason for the switch to “chip and PIN” is, as we all know, to protect against fraud. But it only protects against one kind of card fraud and then it only protects completely if we do not allow magnetic stripes.

But the switch to EMV doesn’t necessarily protect against credit card numbers being stolen, Forrester says. And tokenization, a process that replaces sensitive cardholder information with a unique series of numbers used to identify customers, hasn’t been widely adopted in the U.S.

[From Chip-and-PIN Security for Payment Cards Won’t Happen Until 2020: Forrester – The CIO Report – WSJ]

Here, I think, I might differ with Forrester. Yes, it is true that tokenisation has only been adopted for Apple Pay, Android Pay and (presumably) Samsung Pay. But the investments in tokenisation mean that it will spread and, what’s more, I firmly predict that mobile will displace other transactions at point of sale (POS) thus bringing tokenisation to the high street. But their main point holds. The dynamic of the fraud changes around chip and PIN introduction are well-known and the overall shape of the fraud curves will undoubtedly be the same in America since, as far as I know, there are no plans to take stripes off of the cards or to start taking stripe readers out of stores.

It will reduce “card present” (CP) face-to-face and automatic vending fraud, but it will increase pressure on “card not present” (CNP) fraud.

[From Search Results CNP EMV]

Our experiences in the UK are that not only does CNP fraud increase as the bad guys chase the easy money but that, in time, the fraudsters become more imaginative about attacking chip and PIN as well, adopting a variety of strategies to obtain PINs.

As had been hoped, chip & PIN has reduced card fraud at POS. As had been expected, some of this fraud has been displaced into Card-Not-Present (CNP) channels to the extent that CNP now accounts for half of all fraud. Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.

[From Card fraud in the UK]

I wrote this back in 2007, when it was already clear that EMV was displacing fraud in this way. Then, back in 2013, I couldn’t help but look at the issue again in the context of the drive toward smart phone solutions.

Should the US use chip and PIN online? A few years ago, I thought this would be a good idea (in fact, I worked on a strategy for a US issuer looking at this around five years ago), but the window has been closing. In fact, as technology has moved on, I’d say it’s clear that this will now never happen. We’re not going to add smart card readers to our laptops or mobile phones and we’re not going to use chip and PIN cards in them to transact online. We’re going to use the smart phone instead.

[From Search Results CNP EMV]

Now, of course, we can all see that this is correct. Visa, Mastercard, Amex and Discover have delivered tokenisation into the marketplace and so instead of using EMV online we’re going to be using tokenisation. But there are people out there who are asking whether we really need to use EMV cards at all. As I mentioned above, why not use mobile phones and tokenisation everywhere? Why bother putting in the chip card readers or the contactless readers in store? Why not just go in-app for everything and give the customer the same payment experience in store, online, on the phone and in any other channel?

Speaking at the CNP Expo [2013] in Orlando, Lee Jurgens from Ralph Lauren… said that the US should have skipped chip & PIN and gone straight to mobile because it is the more secure payment mechanism. He’s got a point, and there’s no point the industry pretending that he hasn’t.

[From Maybe it’s time for son of EMV]

Now, I can’t pretend to be unsympathetic to this perspective, having long maintained (based on the results of a number of different risk analysis projects carried out by my colleagues at Consult Hyperion) that mobile will be safer than cards, even after the shift to chip cards. Back in 2009, I said that:

Incidentally, while mobile is certainly underutilised in the fight against fraud, a situation that is beginning to be addressed, tacking mobile on to the end of “traditional” payments is a stopgap.

[From Window pain]

In other words, using mobile just for authentication doesn’t deliver all of the benefits, we need to use mobile to replace the card itself. For this reason, I was unsurprised to read Visa Inc’s Vice President of Risk Products, Stephanie Ericksen, recently quoted talking about PIN and saying:

“we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

[From US EMV migration: Chip and signature is a joke! – Payments Cards & Mobile]

I am sure that what she means by “new technologies” is, for the foreseeable future at least, mobile phones, strong authentication and tokenisation. It seems to me that because of the additional fraud prevention and detection possibilities afforded by the mobile phone, this might not just be an alternative to chip and PIN but a replacement for it, delivering better value to all of the stakeholders. And the payment schemes could certainly pass on the fraud and other savings in the form of incentives to merchants. The “card present” / “card not present” world will be replaced by the “cardholder is present” and “cardholder was present” world.

I expect to see a new V/MA rate tier for use of tokens in mobile. “Cardholder present” that will mean liability shift to bank and a rate reduction of around 10-25bps (in the US).

[From Payments – June 2015 Current State/Updates – Starpoint Blog – Finventures]

So just as the US is finally thinking about starting mass market EMV issuing, after equivocating for so many years, and if EMV really does have a “shorter shelf life”, is it time to start thinking the unthinkable and asking whether they should bother?

The “hot five” retail transaction technologies for our clients in 2014


It’s traditional in blogs of this kind to have a go at a “top N” set of predictions for the coming year, so I’ll give it a bash and have a go at what I think will be the “hot five” secure electronic transaction technologies that will have our clients updating their roadmaps in 2014.
