Ten more years! Ten more years!

Saint Valentine, as I am sure you all know, is the patron saint of customer verification methods (CVMs). We celebrate St. Valentine’s Day on 14th February every year to commemorate the introduction of chip and UK In the UK on 14th February 2006. I am a payments romantic, so this is very special day.

Ah, St. Valentine’s Day. Very romantic. I woke up smelling the roses and wrote a poem from the heart, a caption for my Valentine’s Day card to Brian Rommele

“Roses are red, violets are blue / chips are nice / and PINs are too”

Yes, lovely St. Valentine’s Day. Was it really a decade ago? That lovely day when we stopped pretending that anyone was looking at cardholders’ signatures on the backs of cards and instead mechanised the “computer says no” alternative. It really was! Ten whole years!

After what has been dubbed “chip and pin day”, consumers using chip and pin enabled cards will no longer be able to sign for their purchases.

From BBC NEWS | Business | Valentine’s day chip and pin deadline

We like heritage here in England. We still write our laws on vellum, we still say “what an interesting idea” when somebody says something that is transparently insane and we still use cards to buy things in shops. We cling to tradition. And chip and PIN is a tradition.

Tamper-resistant hardware (chips) are a good idea, but in terms of reducing fraud it is better authentication (PINs) that seems to make the difference (at  US retailer told me that the fraud on swipe and sign cards is two orders of magnitude higher than on swipe and PIN cards). Now, in that bygone age when European retailers could not go online to verify PINs due to the anticompetitive pricing of the monopoly public telephone providers, we decided to put chips on the cards and verify the PIN locally. But this is 2016. We have smart phones and laser beams and space probes on a comet. If we want to spend a ton of money on introducing a new payment system today, would we really start with smart cards? Smart cards were invented a long time ago. So long ago, in fact, that I had hair.

My Hovel 1980

 

And if that isn’t shocking enough, remember that this picture was taken years after the first smart card was patented. As Brian Rommele pointed out on this anniversary, EMV was out of date when it was introduced in the UK a decade ago, and not only because of the technology: but because it was a payment system optimised for face-to-face, offline transactions in a world that was moving to remote and online transactions. 

By the time the UK implemented Chip & Pin, the base concept and much of the technology was already almost 40 years old.

From The entire retail payment system is moving to t… – Accepting Payments – Quora

Well, Brian is right about this, of course. But my brand spanking new chip card from a UK issuer not only arrived with a 2000s app of a 1990s implementation of a 1980s product (debit) on 1970s chip, it also came with a 1960s magnetic stripe on it and a 1950s PAN with a 1940s signature panel on the back. It’s no wonder it seems a little out of place in the modern world. 

 

Early chip and PIN focus group.

The US will discover, as the UK did, that while EMV will put a temporary dent in card fraud, what it will really do is to displace card fraud from card-present to card-not-present channels and fraud will continue to rise. In order to put a lid on fraud, we have to implement two-factor authentication which, in the modern world, generally means the smart phone. So… why not just use the smart phone?

Well, this is what is going to happen and it is why I insist that tokenisation is, in the great scheme of things, more important than EMV cards. We are helping clients to put together their tokenisation infrastructure right now so we understand both the challenges and the opportunities. And if that’s true, and tokenisation is the way forward, then we might as well use EMV tokenisation (since it exists) and so EMV remains important, as does EMV Next Generation. But it is important to understand how the dynamic of competition will change as payments shift in-app. Introducing a new payment mechanism faces the well-known “two-sided market” problem: retailers won’t implement the new payment mechanism until lots of consumers use it, consumers won’t use it until they see lots of retailers accepting it. This gives EMV a huge lock-in, since the cost of adding new terminals is too great to justify speculative investment.

When you go in-app, however, the economics change vastly. For Tesco to accept Bitcoin in store is a big investment in terminals, staff training, management and so on. But for the Tesco app to accept Bitcoin is… nothing, really. Just a bit of software. However traditional we might be, the marginal cost of adding new payment mechanisms is falling and our industry needs to think about what that means. All I’m saying to the EMV industry (i.e., our customers) is that it’s time to start thinking about what might come next.

Caption Competition

By the way, between us we came up with plenty more captions for our Valentine’s card to Brian. If you’ve got a better one, post it! I will think of a suitable prize for the winner…

Roses are light / violets dark / yes the card’s smart / it came with the Ark

Roses are red / violets are blue / chips are nice / and PINs are too

Roses are thick / violets are thin / stop your moaning / enter the PIN

Roses are nice / violets yuck / PIN always works / signatures suck

Roses grow high / violets stay low / chip and PIN rocks / signatures blow 

Roses are lovely / so is wine / EMV won’t help / the fraud’s online

Roses are red / violets are blue / chip and PIN / won’t get us through

Roses are red / violets are not / chip and PIN snooze / tokens are hot

Roses are red / violets are blue / we’ve had it for years / now the Yanks have too

Roses are tall / violets are short / I remembered my PIN / here’s what I bought

Roses are out / violets are in / signing can’t fix it / for that you need PIN

Toodle pip!

Who is in charge of chip and PIN in the US?

Life must be very confusing for our American cousins at the moment. Well, confusing for our American cousins who pay any attention to the cards that show up in their mail, that is. My colleague Howard Hall just showed me the three most recent credit cards that US banks have sent to him in the quarter. They are all completely, and inexplicably, different.

IMG_5034

I don’t know if you can see from the picture but the three cards are

  • A chip and pin card that arrived as a replacement for the existing stripe card, but as yet no PIN seems to have arrived, so my colleague continues to use it as a signature card.
  • A contactless card that doesn’t have a contact interface but does have a stripe and signature panel on the back.
  • A signature card with no chip or contactless interface.

I don’t know, and I’d be curious to hear your opinions, but I would think that the average American consumer would be utterly confused by all of this and rather than read any of the paper that the bank sends in the mailers (which I’m sure they just toss straight in the bin) they will simply carry on using the cards as stripe and signature cards. Now, on the one hand this is a good thing because it means that they will carry on spending money and merchants will carry on selling things to them and life will continue much the same. But on the other hand, it doesn’t suggest that the use of chip and PIN in the American market will be on a hockey stick curve any time soon.

According to our survey:

  • As of April 2015, only 18 percent of retailers in the U.S. have already implemented EMV payment technology
  • 45 percent are poised to miss the October 2015 deadline
[From Independent Retailers Bet Big on Big Data In 2015

The survey reports in more detail on the retailers who are not doing anything about the deadline. There seems to be something of a lack of understanding about the liability shift and the technology.

  • 25 percent do not understand the new rules
  • 17 percent have never even heard (my italics) of EMV or chip-and-PIN
  • 18 percent do not want to deal with the hassle or cost of switching payments hardware
[From Independent Retailers Bet Big on Big Data In 2015

Actually, I bet that plenty of the retailers who have already implemented EMV don’t understand the new rules either. Interestingly, the report on this survey goes on to say that:

As regulations shift toward a new kind of credit card, payment technology that gets rid of cards all together (Apple Pay, Samsung Pay and Android Pay) is also taking hold of the industry.

[From Independent Retailers Bet Big on Big Data In 2015,]

This rather reinforces my train of thought and idle speculation which, as I mentioned last week, forces me to at least question the long-term role of EMV in the US. It also leads me, in turn, to wonder if this confusion might actually stimulate the transition to mobile since consumers will find the proposition from Apple, Google, Samsung and others far simpler: use your phone and your data will be secure, use your card in one of a number of mysterious and baffling ways and your data may or may not be at risk.

Maybe I’m not seeing things accurately as an occasional visitor, but there does seem to be a lack of co-ordination around migration in the USA. Perhaps someone could come into the comment section and let me know who is in charge of the chip and PIN migration there so that I can drop them an email with a few questions.

Thinking the unthinkable about EMV in the USA

The main reason for the switch to “chip and PIN” is, as we all know, to protect against fraud. But it only protects against one kind of card fraud and then it only protects completely if we do not allow magnetic stripes.

But the switch to EMV doesn’t necessarily protect against credit card numbers being stolen, Forrester says. And tokenization, a process that replaces sensitive cardholder information with a unique series of numbers use to identify customers, hasn’t been widely adopted in the U.S.

[From Chip-and-PIN Security for Payment Cards Won’t Happen Until 2020: Forrester – The CIO Report – WSJ]

Here, I think, I might differ with Forrester. Yes, it is true that tokenisation has only been adopted for Apple Pay, Android Pay and (presumably) Samsung Pay. But the investments in tokenisation mean that it will spread and, what’s more, I firmly predict that mobile will displace other transactions at point of sale (POS) thus bringing tokenisation to the high street. But their main point holds. The dynamic of the fraud changes around chip and PIN introduction are well-known and the overall shape of the fraud curves will undoubtedly be the same in America since, as far as I know, there are no plans to take stripes off of the cards or to start taking stripe readers out of stores.

It will reduce “card present” (CP) face-to-face and automatic vending fraud, but it will increase pressure on “card not present” (CNP) fraud.

[From Search Results CNP EMV]

Our experiences in the UK are that not only does CNP fraud increase as the bad guys chase the easy money but that, in time, the fraudsters become more imaginative about attacking chip and PIN as well, adopting a variety of strategies to obtain PINs.

As had been hoped, chip & PIN has reduced card fraud at POS. As had been expected, some of this fraud has been displaced into Card-Not-Present (CNP) channels to the extent that CNP now accounts for half of all fraud. Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.

[From Card fraud in the UK]

I wrote this back in 2007, when it was already clear that EMV was displacing fraud in this way. Then, back in 2013, I couldn’t help but look at the issue again in the context of the drive toward smart phone solutions.

Should the US use chip and PIN online? A few years ago, I thought this would be a good idea (in fact, I worked on a strategy for a US issuer looking at this around five years ago), but the window has been closing. In fact, as technology has moved on, I’d say it’s clear that this will now never happen. We’re not going to add smart card readers to our laptops or mobile phones and we’re not going to use chip and PIN cards in them to transact online. We going to use the smart phone instead.

[From Search Results CNP EMV]

Now, of course, we can all see that this is correct. Visa, Mastercard, Amex and Discover have delivered tokenisation into the marketplace and so instead of using EMV online we’re going to be using tokenisation. But there are people out there who are asking whether we really need to use EMV cards at all? As I mentioned above, why not use mobile phones and tokenisation everywhere? Why bother putting in the chip card readers or the contactless readers in store, why not just go in-app for everything and give the customer the same payment experience in store, on line, on the phone and any other channels.

Speaking the CNP Expo [2013] in Orlando, Lee Jurgens from Ralph Lauren… said that the US should have skipped chip & PIN and gone straight to mobile because it is the more secure payment mechanism. He’s got a point, and there’s no point the industry pretending that he hasn’t.

[From Maybe it’s time for son of EMV]

Now, I can’t pretend to be unsympathetic to this perspective, having long maintained (based on the results of a number of different risk analysis projects carried out by my colleagues at Consult Hyperion) that mobile will be safer than cards, even after the shift to chip cards. Back in 2009, I said that:

Incidentally, while mobile is certainly underutilised in the fight against fraud, a situation that is beginning to be addressed, tacking mobile on to the end of “traditional” payments is a stopgap.

[From Window pain]

In other words, using mobile just for authentication doesn’t deliver all of the benefits, we need to use mobile to replace the card itself. For this reason, I was unsurprised to read Visa Inc’s Vice President of Risk Products, Stephanie Ericksen, recently quoted talking about PIN and saying:

“we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

[From US EMV migration: Chip and signature is a joke! – Payments Cards & Mobile]

I am sure that what she means by “new technologies” is, for the foreseeable future at least, mobile phones, strong authentication and tokenisation. It seems to be that because of the additional fraud prevention and detection possibilities afforded by the mobile phone, this might not just be an alternative to chip and PIN but a replacement for it, delivering better value to all of the stakeholders. And the payment schemes could certainly pass on the fraud and other savings in the form of incentives to merchants. The “card present” / “card not present” world will be replaced by the “cardholder is present” and “cardholder was present” world.

I expect to see a new V/MA rate tier for use of tokens in mobile. “Cardholder present” that will mean liability shift to bank and a rate reduction of around 10-25bps (in the US).

[From Payments – June 2015 Current State/Updates – Starpoint Blog – Finventures]

So just as the US is finally thinking about starting mass market EMV issuing, after equivocating for so many years, and if EMV really does have a “shorter shelf life”, is it time to start thinking the unthinkable and asking whether they should bother?

On-ramps for the banking superhighway

Dgwb blog white border

In her 2012 book Bankrupt, Carol Realini put forward the idea of a “banking superhighway” for the US. This sort of thinking has been gaining ground although not, unfortunately, with everyone. The Federal Reserve is having a consultation about it at the moment (it’s just about to close in fact), following on from NACHA’s decision not to move forward in this area.


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.